Dávid Paksy created HBASE-29201:
-----------------------------------
Summary: Add OWASP Dependency Check to check 3rd party dependencies for known vulnerabilities
Key: HBASE-29201
URL: https://issues.apache.org/jira/browse/HBASE-29201
Project: HBase
Issue Type: Improvement
Components: build
Reporter: Dávid Paksy
h1. OWASP Dependency-Check

{quote}Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.{quote}

[https://owasp.org/www-project-dependency-check/]

It provides a Maven plugin which we could integrate into the build:
* [https://jeremylong.github.io/DependencyCheck/dependency-check-maven/]
* [https://mvnrepository.com/artifact/org.owasp/dependency-check-maven]

Questions / open points:
* How frequently should this be run? Would probably not make sense to run it more frequently than weekly.
* Without an API key the scan will be a bit slow but.
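As an added illustration of what "integrate into the build" would look like (this is an editor's example, not part of the issue and not HBase's or the plugin project's own configuration), here is a minimal `pom.xml` plugin entry for dependency-check-maven. The plugin coordinates and the parameter names (`failBuildOnCVSS`, `formats`, `suppressionFiles`, the `aggregate` goal, the `nvdApiKey` user property) are the plugin's documented ones; the version property, the CVSS threshold, and the suppression-file path are assumptions to be adjusted for HBase.

```xml
<!-- Added example (not from the issue or from HBase): dependency-check-maven in a pom.xml -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <!-- assumed property; pin to a real release of the plugin -->
  <version>${dependency-check.version}</version>
  <configuration>
    <!-- Fail the build when any dependency has a CVE scored at or above this
         CVSS value (7 is an assumed threshold; "high" and above). -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <!-- HTML for humans reading the report, JSON for CI tooling to parse -->
    <formats>
      <format>HTML</format>
      <format>JSON</format>
    </formats>
    <!-- Reviewed false positives live in a checked-in suppression file
         (assumed path) rather than being silenced ad hoc. -->
    <suppressionFiles>
      <suppressionFile>${project.basedir}/dev-support/dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <goals>
        <!-- one report across all modules of a multi-module build -->
        <goal>aggregate</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

The NVD API key is deliberately not placed in the POM: the plugin reads it from the `nvdApiKey` user property, so a scheduled CI job can run `mvn -DnvdApiKey="$NVD_API_KEY" org.owasp:dependency-check-maven:aggregate` with the key injected as a secret, which also addresses the slow no-key scans raised in the open points. Binding the goal to a phase of the regular build would re-download NVD data on every developer build, so tying it to a separate weekly job, as the issue suggests, is the more practical setup.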