On the owasp (Open Web Application Security Project) site there's a
Maven plugin (https://owasp.org/www-project-dependency-check/ , https://github.com/jeremylong/DependencyCheck , https://jeremylong.github.io/DependencyCheck/dependency-check-maven/ ) that performs checks at build time against a CVE db.

And, in fact, some dependency could go directly from some hacked repository to the heart of some "big customer" IT structure. And the phone calls of security managers must be handled ... ... BEFORE they call.

It happens also for costly and branded products: I've seen key components built with "beta" releases not available anymore in any repository on the world ...

happy digging, thank-you for the references, and share the results

Davide Grandi

On 15/05/2021 23:55, Eric Bresie wrote:
While reading an article (1) (2) on the openjfx mailing list, I notice they are starting to implement dependency verification at build time. They also provide a few additional links (3) and I found another on the value of it (4). Does Netbeans plan to do something like this?

(1) https://mail.openjdk.java.net/pipermail/openjfx-dev/2021-May/030138.html
(2) https://mail.openjdk.java.net/pipermail/openjfx-dev/2021-May/030142.html
(3) https://wwws.nightwatchcybersecurity.com/2021/04/25/supply-chain-attacks-via-github-com-releases/
(4) "Dependency verification: checksum vs PGP" by Vladimir Sitnikov https://link.medium.com/sor9gXcZhgb

Eric
--
ing. Davide Grandi
email : davide.gra...@email.it
linkedin : http://linkedin.com/in/davidegrandi

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
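As an added illustration of the build-time CVE check Davide describes (example configuration, not from the thread or the NetBeans project): a pom.xml excerpt wiring the OWASP dependency-check-maven plugin into the verify phase so the build fails on a known CVE above a chosen CVSS threshold. PLUGIN_VERSION and the suppression file path are placeholders to be set per project.

```xml
<!-- pom.xml excerpt: the rest of the project definition is omitted -->
<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- PLUGIN_VERSION is a placeholder; pin the release you have reviewed -->
        <version>PLUGIN_VERSION</version>
        <configuration>
          <!-- fail the build when any dependency carries a CVE scored 7.0 or higher -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- reviewed false positives live in version control next to the pom -->
          <suppressionFiles>
            <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
        <executions>
          <execution>
            <!-- run the scan on every "mvn verify" so release builds cannot skip it -->
            <phase>verify</phase>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn -C verify` adds Maven's strict checksum mode on top, so an artifact whose downloaded checksum does not match the repository's published one also fails the build rather than only logging a warning.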