RE: Maven, Dependencies and Vulnerabilities

2014-10-13 Thread David Dillard
en Users List Subject: Re: Maven, Dependencies and Vulnerabilities Hello, instead of requiring everybody to come up with a CPE and add it to the POM, I would prefer if Maven Central publishes an approved (and registered) naming scheme to form CPEs which point to well known maven artifacts. cpe:/a:

Re: Maven, Dependencies and Vulnerabilities

2014-10-13 Thread Bernd
Hello, instead of requiring everybody to come up with a CPE and add it to the POM, I would prefer if Maven Central publishes an approved (and registered) naming scheme to form CPEs which point to well known maven artifacts. cpe:/a:org.maven.central:groupid,artifactid[,classifier]:version (or simi

RE: Maven, Dependencies and Vulnerabilities

2014-10-01 Thread David Dillard
ember 30, 2014 3:53 PM To: Maven Users List Subject: Re: Maven, Dependencies and Vulnerabilities There are commercial solutions (sonatype, contrast, blackduck, palamida, etc.) and FOSS solutions (dependency-check, victims, retire.js, etc.) to identify and report on known vulnerabilities. I

RE: Maven, Dependencies and Vulnerabilities

2014-10-01 Thread David Dillard
Thanks! This looks like it covers the most important part of what I'm looking for. -Original Message- From: Mark Derricutt [mailto:m...@talios.com] Sent: Tuesday, September 30, 2014 5:04 PM To: Maven Users List Subject: Re: Maven, Dependencies and Vulnerabilities On 1 Oct 2014,

Re: Maven, Dependencies and Vulnerabilities

2014-09-30 Thread Mark Derricutt
On 1 Oct 2014, at 7:44, David Dillard wrote: Hi, I've been working on an internal presentation on how letting Maven's dependency mediation feature select versions of transitive dependencies can introduce vulnerabilities into a product and how to deal with that problem. Unfortunately, it's a

Re: Maven, Dependencies and Vulnerabilities

2014-09-30 Thread Ron Wheeler
A side note: you can specify version ranges if you want to leave it up to Maven to select the latest version. It makes it harder to have a repeatable build or to determine what version was used to build your artifact. I generally like to pick the versions of dependencies and Eclipse/STS's Mave

Re: Maven, Dependencies and Vulnerabilities

2014-09-30 Thread Jeremy Long
There are commercial solutions (sonatype, contrast, blackduck, palamida, etc.) and FOSS solutions (dependency-check, victims, retire.js, etc.) to identify and report on known vulnerabilities. I would recommend looking at these solutions (note, I am the main contributor to dependency-check). A bett

Re: Maven, Dependencies and Vulnerabilities

2014-09-30 Thread Paul Benedict
There is a Maven Changes Plugin which projects can use to list out changes to their project. http://maven.apache.org/plugins/maven-changes-plugin/ Regarding CVE, Redhat has a Maven plugin to find "victim" dependencies: https://securityblog.redhat.com/2013/01/02/detecting-vulnerable-java-dependenci