[WFLY-18073] Add the OWASP dependency-check plugin to the WildFly build. #17686
… only used for tests.
… a vulnerability.
…tEasy so don't associate with the RestEasy CPE.
…y associating the CallbackHandler with a ThreadLocal.
…as this applies to the top level jgroups project. This is not a CPE suppression as CVEs raised against this artefact could use a similar CPE.
…a ApacheDS for testing.
…press is a test dependency via testcontainer.
…nts such as Python and Go.
…3.1:*:*:*:*:*:*:* as this is a bad match for Elytron.
…self not these separate projects.
… so add suppressions.
…h cpe redhat:wildfly.
1. It is not matched against the correct components. 2. It was decided this is not a CVE and is the user's responsibility.
the affected functionality has also been removed from RestEasy already.
@bstansberry as this is an independent build profile I have set as ready to review.
<notes><![CDATA[ | ||
file name: commons-compress-1.24.0.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-compress@.*$</packageUrl> |
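Review bot: the `<notes>` for this entry only repeats the file name, while the packageUrl regex `^pkg:maven/org\.apache\.commons/commons\-compress@.*$` matches every version of commons-compress, so the suppression keeps applying after the dependency is bumped. The commit list says commons-compress is only a test dependency via testcontainers; put that reason in `<notes>` (for example `commons-compress is a test dependency via testcontainers and is not shipped in WildFly`) so the version-unbounded match reads as intentional rather than an oversight.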
Should this have a comment?
Perhaps "Not used in a WildFly installation"
<notes><![CDATA[ | ||
file name: mina-core-2.1.3.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.apache\.mina/mina\-core@.*$</packageUrl> |
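Review bot: same point as the commons-compress entry: `^pkg:maven/org\.apache\.mina/mina\-core@.*$` covers all versions of mina-core and `<notes>` gives only the file name. The commit list mentions ApacheDS for testing; if that is why mina-core is suppressed, say so in `<notes>`, since that is what lets someone reading a later report tell a test-only component from a shipped one without going back to git blame.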
Should this have a comment?
file name: jakarta.security.enterprise-3.0.3.jar | ||
]]></notes> | ||
<packageUrl regex="true">^pkg:maven/org\.glassfish\.soteria/jakarta\.security\.enterprise@.*$</packageUrl> | ||
<vulnerabilityName>CVE-2020-1732</vulnerabilityName> |
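Review bot: `<vulnerabilityName>CVE-2020-1732</vulnerabilityName>` combined with the version-unbounded packageUrl silences this one CVE for every jakarta.security.enterprise version, which fits the commit's reasoning (the report matches it against the wrong components, and the issue was judged not to be a CVE but the user's responsibility), but that reasoning lives only in the commit message. Copy it into `<notes>`, as the suppression file is what the next person reading the report will look at, and note which component the CVE actually applies to so the entry can be revisited if that assessment changes.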
Should this have a comment?
@darranl This LGTM except some of the suppressions could use a comment, if possible.
I ignored some that don't have a comment where the CVE is before 2020
@bstansberry before you add too many "Should this have a comment?" comments - this is why you see in the PR quite a few commits - git annotate can be used on this file to identify why each block was added. But can add comments as well if you prefer.
I think further comments can be added later.
Thanks @darranl
I am raising this as a draft whilst I put together some documentation but in the meantime it should be possible to experiment with the plugin.
https://issues.redhat.com/browse/WFLY-18073
The plugin does not run by default, also at the moment it is not possible to run in CI due to rate limiting of the vulnerability database APIs but after the first run subsequent local runs are very fast to generate a report on-demand.
Before running you will need a personal API key from NVD; this can be obtained by submitting the following form:
https://nvd.nist.gov/developers/request-an-api-key
This API key will need adding to your Maven settings.xml:
Run a `mvn install` build of WildFly as normal so that any dependencies are downloaded and the artefacts of the build installed to your local maven repo. The following command can be used to generate a report:
mvn -Ddependency-check dependency-check:aggregate
The report will be found in `wildfly/target/dependency-check-report.html`, which you can open in your local browser. To suppress false positives, entries are added to the new `sca-overrides/owasp-suppressions.xml` file. There are two approaches which we can use to suppress a report: we can suppress the exact CVE against a component, or we can suppress how the component was matched. Although vulnerabilities are suppressed it is possible in the report to see these to double check.
A further challenge will be mapping of false negatives, if we identify vulnerabilities in components which are not picked up we will need to triage.
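A small checker for the suppressions file described above, added here as an example and not the PR's own code: it classifies each `<suppress>` entry as one of the two approaches (exact CVE versus how the component was matched), flags regex packageUrls that cover every version, and flags entries whose `<notes>` carry nothing beyond the file name, which is what the review comments ask for. The element names follow dependency-check's suppression schema; the namespace URI and the two sample entries are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in dependency-check's suppression format; the two entries mirror the
# PR's commons-compress and soteria suppressions, the <cpe> value is illustrative only.
SAMPLE = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[ file name: commons-compress-1.24.0.jar ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-compress@.*$</packageUrl>
    <cpe>cpe:/a:apache:commons_compress</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[ file name: jakarta.security.enterprise-3.0.3.jar
      Not matched against the correct components; agreed this is not a CVE. ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.glassfish\.soteria/jakarta\.security\.enterprise@.*$</packageUrl>
    <vulnerabilityName>CVE-2020-1732</vulnerabilityName>
  </suppress>
</suppressions>"""

ARTIFACT_TAGS = ("packageUrl", "gav", "sha1", "filePath")  # elements that pick the dependency


def _local(tag):
    """Drop the namespace prefix so lookups work whatever xmlns the file declares."""
    return tag.rsplit("}", 1)[-1]


def lint(xml_text):
    """One finding per <suppress>: which approach it uses and whether <notes> explains it."""
    findings = []
    for sup in ET.fromstring(xml_text):
        if _local(sup.tag) != "suppress":
            continue
        kids = {_local(c.tag): c for c in sup}
        notes = (kids["notes"].text or "") if "notes" in kids else ""
        # A rationale is anything in <notes> beyond the generated "file name: ..." line.
        rationale = re.sub(r"file name:\s*\S+", "", notes).strip()
        artifact = next((kids[t].text.strip() for t in ARTIFACT_TAGS if t in kids), "?")
        if "cve" in kids or "vulnerabilityName" in kids:  # approach 1: suppress the exact CVE
            kind, target = "cve", (kids["cve"] if "cve" in kids else kids["vulnerabilityName"]).text
        elif "cpe" in kids:  # approach 2: suppress how the component was matched
            kind, target = "cpe", kids["cpe"].text
        else:
            kind, target = "other", None
        purl = kids.get("packageUrl")
        # A regex packageUrl ending in "@.*$" keeps matching after every version bump.
        unbounded = purl is not None and purl.get("regex") == "true" and \
            re.search(r"@\.\*\$?$", purl.text.strip()) is not None
        findings.append({"artifact": artifact, "kind": kind, "target": target.strip() if target else None,
                         "all_versions": unbounded, "needs_comment": not rationale})
    return findings
```

Running `lint` over the real `sca-overrides/owasp-suppressions.xml` lists every entry that would need a commit lookup to explain, so the reviewer's "Should this have a comment?" check becomes a one-liner.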