[ https://issues.apache.org/jira/browse/SLING-11057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Munteanu updated SLING-11057:
------------------------------------
    Fix Version/s: Starter 13
                       (was: Starter 12)

> Security scanning for the Sling Starter during CI checks
> --------------------------------------------------------
>
>                 Key: SLING-11057
>                 URL: https://issues.apache.org/jira/browse/SLING-11057
>             Project: Sling
>          Issue Type: Improvement
>          Components: Starter
>            Reporter: Robert Munteanu
>            Priority: Major
>             Fix For: Starter 13
>
>
> I think we should consider security scanning the Starter, as a packaged 
> application, during CI checks. This will help us not ship with vulnerable 
> dependencies.
> I have found two potential candidates:
>  - the [OSS index Maven 
> Plugin|https://sonatype.github.io/ossindex-maven/maven-plugin/] which uses 
> the [Sonatype OSS index|https://ossindex.sonatype.org/] and scans the Maven 
> dependencies
>  - [Trivy|https://github.com/aquasecurity/trivy] which uses the Snyk Database 
> for Java and various other sources. Trivy scans container images (or local 
> directories).
> We should probably do both, once we start producing Docker images in the 
> starter project (SLING-9638).
> One thing which I'm not certain about is failing the build on such checks. A 
> working build can be broken because a CVE was published for an existing 
> component. But the alternative is probably not finding out about it. Maybe we 
> can separate these checks in a separate Jenkins step that comes at the end, so 
> it's clear that the main build passes but the Starter can't be shipped with 
> vulnerable dependencies.
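A declarative Jenkinsfile sketch of the layout proposed in the issue, added here as an illustration and not taken from the Sling Starter's own CI configuration: the Maven build and image build run first, and both scanners run in a final, clearly separated stage. It assumes a Dockerfile in the repository, a `sling-starter:ci` image tag, and Trivy installed on the agent; the audit goal's default of failing the build on findings is taken from the plugin documentation as I recall it.

```groovy
// Hypothetical Jenkinsfile (added example, not the Sling project's CI config).
// Assumptions: a Dockerfile at the repo root, Trivy available on the agent,
// and the image tag 'sling-starter:ci' chosen here for illustration.
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // The main build; a failure here means the code is broken.
                sh 'mvn -B clean verify'
            }
        }
        stage('Docker image') {
            steps {
                // Produces the packaged application Trivy will inspect.
                sh 'docker build -t sling-starter:ci .'
            }
        }
        // Kept as the last stage so that a red result here is distinguishable
        // from a broken main build: everything above passed, but the artifact
        // must not be shipped while vulnerable dependencies remain.
        stage('Security scan') {
            steps {
                // Maven dependency audit against Sonatype OSS Index; the audit
                // goal fails the build on findings by default (as documented,
                // to the best of my recollection).
                sh 'mvn -B org.sonatype.ossindex.maven:ossindex-maven-plugin:audit'
                // Trivy on the built image: OS packages plus Java libraries.
                // --exit-code 1 turns HIGH/CRITICAL findings into a stage failure.
                sh 'trivy image --exit-code 1 --severity HIGH,CRITICAL sling-starter:ci'
            }
        }
    }
}
```

Because the scan is its own stage, the Jenkins stage view shows the build as green up to the scan and red only at the end, which is the separation the issue asks for.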



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
