[WFLY-18073] Add the OWASP dependency-check plugin to the WildFly build. #17686
Conversation
… only used for tests.
… a vulnerability.
…tEasy so don't associate with the RestEasy CPE.
…y associating the CallbackHandler with a ThreadLocal.
…as this applies to the top level jgroups project. This is not a CPE supression as CVEs raised against this artefact could use a similar CPE.
…a ApacheDS for testing.
…press is a test dependency via testcontainer.
…nts such as Python and Go.
…3.1:*:*:*:*:*:*:* as this is a bad match for Elytron.
…self not these separate projects.
… so add supressions.
…h cpe redhat:wildfly.
github-actions
bot
added
the
deps-ok
1. It is not matched against the correct components. 2. It was decided this is not a CVE and is the user's responsibility.
the affected functionality has also been removed from RestEasy already.
|
@bstansberry as this is an independent build profile I have set as ready to review. |
| <notes><![CDATA[ | ||
| file name: commons-compress-1.24.0.jar | ||
| ]]></notes> | ||
| <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-compress@.*$</packageUrl> |
There was a problem hiding this comment.
Should this have a comment?
Perhaps "Not used in a WildFly installation"
| <notes><![CDATA[ | ||
| file name: mina-core-2.1.3.jar | ||
| ]]></notes> | ||
| <packageUrl regex="true">^pkg:maven/org\.apache\.mina/mina\-core@.*$</packageUrl> |
There was a problem hiding this comment.
Should this have a comment?
| file name: jakarta.security.enterprise-3.0.3.jar | ||
| ]]></notes> | ||
| <packageUrl regex="true">^pkg:maven/org\.glassfish\.soteria/jakarta\.security\.enterprise@.*$</packageUrl> | ||
| <vulnerabilityName>CVE-2020-1732</vulnerabilityName> |
There was a problem hiding this comment.
Should this have a comment?
There was a problem hiding this comment.
@darranl This LGTM except some of the suppressions could use a comment, if possible.
I ignored some that don't have a comment where the CVE is before 2020
|
@bstansberry before you add too many "Should this have a comment?" comments - this is why you see in the PR quite a few commits - git annotated can be used on this file to identify why each block was added. But can add comments as well if you prefer. |
|
Thanks @darranl |
I am raising this as a draft whilst I put together some documentation but in the meantime it should be possible to experiment with the plugin.
https://issues.redhat.com/browse/WFLY-18073
The plugin does not run by default, also at the moment it is not possible to run in CI due to rate limiting of the vulnerability database APIs but after the first run subsequent local runs are very fast to generate a report on-demand.
Before running you will need a personal API key from NVD, this can be obtained by submitting the following form:
https://nvd.nist.gov/developers/request-an-api-key
This API key will need adding to your Maven settings.xml:
Run a
mvn installbuild of WildFly as normal so that any dependencies are downloaded and the artefacts of the build installed to your local maven repo.The following command can be used to generate a report:
mvn -Ddependency-check dependency-check:aggregateThe report will be found in
wildfly/target/dependency-check-report.htmlwhich you can open in your local browser.To suppress false positives entries are added to the new
sca-overrides/owasp-suppressions.xmlfile. There are two approaches which we can use to suppress a report, we can suppress the exact CVE against or a component or we can suppress how the component was matched.Although vulnerabilities are suppressed it is possible in the report to see these to double check.
A further challenge will be mapping of false negatives, if we identify vulnerabilities in components which are not picked up we will need to triage.
<--- THIS SECTION IS AUTOMATICALLY GENERATED BY WILDFLY GITHUB BOT. ANY MANUAL CHANGES WILL BE LOST. --->
<--- END OF WILDFLY GITHUB BOT REPORT --->
More information about the wildfly-bot[bot]