[
https://issues.apache.org/jira/browse/BEAM-5075?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17547356#comment-17547356
]
Albert Baker commented on BEAM-5075:
------------------------------------
Suresh:

Yes sir, this is still an issue in this and /every/ Apache project, GitHub
project, everywhere on the planet, that doesn't already have this implemented.
Every software project pulls in third-party library dependencies. Many of
them currently have, or /soon/ will have, recently discovered vulnerabilities in
the libraries. Running OWASP Dependency Check prior to every release
highlights which libraries to update prior to release.

I can't tell you how many times I performed security assessments on
servers/services and used OWASP Dependency Check as a key to tell me where the
vulnerabilities were in a system. Researchers who discover the flaws write a
proof-of-concept "test" to demonstrate the flaw. Often, after the flaw
is fixed, the researcher publishes the proof-of-concept on the internet. If
you find the PoC, you have a slam-dunk missile body of an exploit; all you have
to do is package in a warhead/payload. Most "defender type" security
analysts won't go to this level of trouble, but hackers and spies will.

Customers who have Apache servers/services/components running in production
might not know of the current security vulnerabilities within the libraries, so
they won't get upgraded. Most do keep up on version releases, and note the
reasons why the new version was released. Security issues in the component
/and the libraries/ get their attention. Apache should, IMHO, be a good
example/steward of the processing infrastructure of the world and keep their
components up to date, and note in the update README if there were security
improvements, including third-party library upgrades.
Thank you for your time.
> Please add OWASP Dependency Check to the build
> ----------------------------------------------
>
> Key: BEAM-5075
> URL: https://issues.apache.org/jira/browse/BEAM-5075
> Project: Beam
> Issue Type: New Feature
> Components: build-system
> Affects Versions: 3.0.0, 2.6.0, 2.7.0
> Environment: All development, build, test, environments.
> Reporter: Albert Baker
> Priority: P3
> Labels: build, easy-fix, security
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> Please add OWASP Dependency Check to the build (pom.xml). OWASP DC makes an
> outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) to
> perform a lookup for each dependent .jar to list any/all known
> vulnerabilities for each jar. This step is needed because a manual MITRE CVE
> lookup/check on the main component does not include checking for
> vulnerabilities in components or in dependent libraries.
> OWASP Dependency Check:
> https://www.owasp.org/index.php/OWASP_Dependency_Check has plug-ins for most
> Java build/make types (ant, maven, ivy, gradle).
> Also, add the appropriate command to the nightly build to generate a report
> of all known vulnerabilities in any/all third-party libraries/dependencies
> that get pulled in. Example: mvn -Powasp -Dtest=false -DfailIfNoTests=false
> clean aggregate
> Generating this report nightly/weekly will help inform the project's
> development team if any dependent libraries have reported known
> vulnerabilities. Project teams that keep up with removing vulnerabilities on
> a weekly basis will help protect businesses that rely on these open source
> components.
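The `-Powasp` profile that the quoted request invokes is not shown anywhere in the issue, so the following is an added example of what such a profile looks like in a Maven `pom.xml`; it is not the Beam project's pom and not code from the issue reporter. It assumes a plain Maven 3 project; the coordinates `org.example:example-app`, the property name `dependency-check.version`, the CVSS threshold of 7, and the suppression file path are all choices made here, not values from the page.

```xml
<!-- Added example (not from the Beam pom.xml): an "owasp" profile that wires the
     dependency-check-maven plugin into the build. Everything below the plugin
     coordinates is an illustrative choice, not a value from the issue. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-app</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Assumed property: set it to the current dependency-check-maven release
         on Maven Central before running the build. -->
    <dependency-check.version>REPLACE_WITH_CURRENT_RELEASE</dependency-check.version>
  </properties>

  <profiles>
    <profile>
      <!-- Activated with "mvn -Powasp ..." so the scan does not slow every developer build. -->
      <id>owasp</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${dependency-check.version}</version>
            <configuration>
              <!-- Fail the build when any dependency carries a CVE whose CVSS score is
                   at or above this value (assumed threshold; 0 fails on any finding,
                   11 never fails and only reports). -->
              <failBuildOnCVSS>7</failBuildOnCVSS>
              <!-- Test-scoped jars do not ship to production; skipping them cuts noise. -->
              <skipTestScope>true</skipTestScope>
              <!-- HTML for people, JSON for the nightly job to parse. -->
              <formats>
                <format>HTML</format>
                <format>JSON</format>
              </formats>
              <!-- Reviewed false positives live in a version-controlled suppression file.
                   Assumed path: create the file (it may contain no rules) before enabling
                   this element, or remove the element. -->
              <suppressionFiles>
                <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
              </suppressionFiles>
            </configuration>
            <executions>
              <execution>
                <!-- "aggregate" scans every module of a multi-module build into one report;
                     "check" would scan only the current module. -->
                <goals>
                  <goal>aggregate</goal>
                </goals>
                <phase>verify</phase>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

With the goal bound to `verify`, `mvn -Powasp verify` runs the scan as part of the normal lifecycle, and `mvn -Powasp dependency-check:aggregate` runs it on its own; the report lands under `target/` as `dependency-check-report.html` and `.json`. The first run downloads the NVD data set and later runs refresh it, so the build host needs outbound access as the issue notes, and recent plugin releases accept an NVD API key (`nvdApiKey`) to avoid throttled downloads. A practical split is to let the nightly job run with a high `failBuildOnCVSS` purely to produce the report, and to keep the blocking threshold on release builds so a newly published CVE cannot ship unnoticed.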
--
This message was sent by Atlassian Jira
(v8.20.7#820007)