I previously provided feedback to the [email protected] list about use of known vulnerable dependencies in Accumulo.
I'd like to recommend the project experiment with and then adopt use of one of the free for open source commercial tools. I've been using these two:

- https://snyk.io/test - Free forever for open source
- https://www.sourceclear.com - 30-day trial only - unfortunately

Sonatype is working on a free for open source capability, but it is still under development. There is of course OWASP Dependency Check, which I understand the project is using already, but Snyk in my experience is WAY better.

GitHub itself has tools for doing this per: https://help.github.com/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository/. But apparently it only supports Ruby GEMS and Node.js, as you can see here: https://github.com/apache/accumulo/network/dependencies. As such, this won't help Accumulo until they add Java support. So, for now, unless someone finds something else (or better), I'd recommend Snyk.

I'd also recommend trying out: https://dependabot.com/ - This free tool can automatically generate pull requests for your project each time it identifies that an upgrade to any component your project uses has become available. It supports TONS of languages, including Java.

I'd like to work with you on this and/or get your feedback on what works/doesn't work, how to make their use easier, etc.

-Dave
