Albert Baker created DIRMINA-1091:
-------------------------------------

             Summary: Please add OWASP Dependency Check to the core build 
(pom.xml) and all MINA sub-componet builds
                 Key: DIRMINA-1091
                 URL: https://issues.apache.org/jira/browse/DIRMINA-1091
             Project: MINA
          Issue Type: New Feature
          Components: Core, Filter, Handler, Integration, Protocol - HTTP, 
Protocol - XMPP, SSL, Statemachine, Transport
    Affects Versions: 3.0.0-M3, 3.0.0-trunk, 2.1.0
            Reporter: Albert Baker


Please add OWASP Dependency Check to the build (pom.xml). OWASP DC makes an 
outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) to perform 
a lookup for each dependant .jar to list any/all known vulnerabilities for each 
jar. This step is needed because a manual MITRE CVE lookup/check on the main 
component does not include checking for vulnerabilities in components or in 
dependant libraries.

OWASP Dependency check : https://www.owasp.org/index.php/OWASP_Dependency_Check 
has plug-ins for most Java build/make types (ant, maven, ivy, gradle).

Also, add the appropriate command to the nightly build to generate a report of 
all known vulnerabilities in any/all third party libraries/dependencies that 
get pulled in. example : mvn -Powasp -Dtest=false -DfailIfNoTests=false clean 
aggregate

Generating this report nightly/weekly will help inform the project's 
development team if any dependant libraries have a reported known 
vulnerailities. Project teams that keep up with removing vulnerabilities on a 
weekly basis will help protect businesses that rely on these open source 
componets.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to