Please add OWASP Dependency Check to the build (pom.xml)

[annubiz]

Please add OWASP Dependency Check to the build (pom.xml). OWASP DC makes an outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) to perform a lookup for each dependant .jar to list any/all known vulnerabilities for each jar. This step is needed because a manual MITRE CVE lookup/check on the main component does not include checking for vulnerabilities in components or in dependant libraries.

OWASP Dependency check : https://www.owasp.org/index.php/OWASP_Dependency_Check has plug-ins for most Java build/make types (ant, maven, ivy, gradle).

Also, add the appropriate command to the nightly build to generate a report of all known vulnerabilities in any/all third party libraries/dependencies that get pulled in. example : mvn -Powasp -Dtest=false -DfailIfNoTests=false clean aggregate

Generating this report nightly/weekly will help inform the project's development team if any dependant libraries have a newly discovered & reported known vulnerailities. Project teams that keep up with removing vulnerabilities on a weekly basis will help protect businesses that rely on these open source componets

[ctubbsii]

This has been on my personal TODO list for some time, and is a good idea for informational purposes. However, be aware that Fluo does not (generally) bundle dependencies in the project, so the CVEs that affect any given individual and their dependency set depends not on what Fluo has declared in its POM, but on what the user decides to install on their system during their own dependency-integration and packaging phases of their particular Fluo deployment. CVE analysis on the dependencies in Fluo's POMs only tells you what is vulnerable in the versions we're developing against, not necessarily what is vulnerable the versions in their configured Maven repository, class path, or deployment environment. Users should be aware of that limitation and should always be responsible for their own deployed software environments.

[keith-turner]

We could possibly add a comment to the user script that fetches dependencies about checking deps for CVEs

[ctubbsii]

Hmm, I'm not sure there's much to do here. I looked into it, and the OWASP plugin can be executed with a simple: mvn org.owasp:dependency-check-maven:3.3.1:check or mvn org.owasp:dependency-check-maven:3.3.1:aggregate

The only way to add it to the POM would be to create a profile which executed it by default, but activating the profile isn't much different than calling the plugin directly... and you have to keep the plugin up-to-date, which I'm not sure is any cleaner than just calling the plugin directly.

We wouldn't want it running by default in the POM, because it's expensive to run and only needs to be run periodically. What do others think? What's the best way to "add" it to the POM?

[ctubbsii]

Unfortunately, owasp doesn't follow maven naming conventions to make the call shorter by adding anything to the POM. If it were named owasp-maven-plugin, it could be executed with mvn owasp:check.