[ https://issues.apache.org/jira/browse/SLING-11057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Munteanu updated SLING-11057:
------------------------------------
    Fix Version/s: Starter 13
                       (was: Starter 12)

> Security scanning for the Sling Starter during CI checks
> --------------------------------------------------------
>
>                 Key: SLING-11057
>                 URL: https://issues.apache.org/jira/browse/SLING-11057
>             Project: Sling
>          Issue Type: Improvement
>          Components: Starter
>            Reporter: Robert Munteanu
>            Priority: Major
>             Fix For: Starter 13
>
>
> I think we should consider security scanning the Starter, as a packaged
> application, during CI checks. This will help us not ship with vulnerable
> dependencies.
>
> I have found two potential candidates:
>
> - the [OSS Index Maven
> Plugin|https://sonatype.github.io/ossindex-maven/maven-plugin/], which uses
> the [Sonatype OSS Index|https://ossindex.sonatype.org/] and scans the Maven
> dependencies
> - [Trivy|https://github.com/aquasecurity/trivy], which uses the Snyk database
> for Java and various other sources. Trivy scans container images (or local
> directories).
>
> We should probably do both, once we start producing Docker images in the
> Starter project (SLING-9638).
>
> One thing which I'm not certain about is failing the build on such checks. A
> working build can be broken because a CVE was published for an existing
> component. But the alternative is probably not finding out about it. Maybe we
> can separate these checks in a separate Jenkins step that comes at the end, so
> it's clear that the main build passes but the Starter can't be shipped with
> vulnerable dependencies.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
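The arrangement the issue proposes, with the two scanners run as a final, separately reported step so that a newly published CVE marks the Starter as unshippable without masking the result of the main build, can be expressed as a Jenkins declarative pipeline. The following is an added illustration written for this page, not the Sling Starter's own Jenkinsfile or anything attached to SLING-11057; the stage names, the `target/` path, the plugin coordinates being invoked without a pinned version, and the choice of `HIGH,CRITICAL` as the Trivy severity filter are all assumptions.

```groovy
// Added illustration (not the Sling Starter's Jenkinsfile). Runs the main
// Maven build first, then the dependency scans as a separate stage at the
// end, so a scan failure marks the build UNSTABLE with that stage FAILED
// while the 'Build' stage result still reads as passed.
pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                // Assumption: the Starter is a normal Maven build that leaves
                // the packaged application under target/.
                sh 'mvn -B -U clean verify'
            }
        }

        stage('Dependency scan') {
            // Deliberately last, and wrapped in catchError so its outcome is
            // reported on the stage rather than turning the whole build red.
            steps {
                // OSS Index Maven Plugin: audits the resolved Maven dependency
                // tree against https://ossindex.sonatype.org/. The 'audit' goal
                // exits non-zero by default when a dependency has known
                // vulnerabilities. Invoking the plugin by coordinates without a
                // version is an assumption for this illustration; a real pom
                // should pin the plugin version.
                catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
                    sh 'mvn -B org.sonatype.ossindex.maven:ossindex-maven-plugin:audit'
                }

                // Trivy in filesystem mode over the packaged application.
                // --exit-code 1 makes trivy return non-zero when findings of the
                // requested severities exist; the severity list is an assumption.
                catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
                    sh 'trivy fs --exit-code 1 --severity HIGH,CRITICAL target/'
                    // Once SLING-9638 produces a Docker image, the same check
                    // applies to the image, e.g.:
                    //   trivy image --exit-code 1 --severity HIGH,CRITICAL <image:tag>
                    // (image name intentionally left unspecified here).
                }
            }
        }
    }
}
```

With `catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE')` the scan stage shows as failed in the stage view while the overall build is UNSTABLE rather than FAILED, which matches the distinction the issue draws between "the main build passes" and "the Starter can't be shipped with vulnerable dependencies". Both scanners are given their own `catchError` block so that an OSS Index finding does not prevent Trivy from running and reporting as well.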