Announcing OSSIndex plugins for Apache Maven: Scan your dependencies for known vulnerabilities

Announcing OSSIndex plugins for Apache Maven: Scan your dependencies for known vulnerabilities

Brian Fox
You probably know Sonatype for our work in the Maven community, Nexus
Repository Manager, and for hosting Central. You may not know that for
the last 7 years we've also been leading the way in solutions that
allow developers to innovate faster and be able to improve security,
license compliance and architecture at the same time.

For years the primary domain for these concerns has been large
enterprises and/or governance teams. We're seeing a new trend along
with the #devsecops movement that brings concerns like the security
posture of a third-party component into the forefront of concerns for
developers. To further empower that trend, we've updated and
relaunched OSS Index with the mission to provide information and APIs
to the community, for free, to use in raising the security bar for
everyone.

Out of the box you can find a plugin to assess and optionally fail
your build if components contain known vulnerabilities. If you're a
fan of the Maven Enforcer Plugin, there's a rule for you too. I
encourage you to check it out and if you're so inclined, grab the REST
API and integrate it into your favorite tool.

https://ossindex.sonatype.org

Find the Maven Plugin docs here:
https://sonatype.github.io/ossindex-maven/maven-plugin/

Find the Enforcer Plugin usage here:
https://sonatype.github.io/ossindex-maven/enforcer-rules/

Report issues or ideas here:
https://github.com/sonatype/ossindex-maven/issues

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
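The announcement suggests taking the REST API and integrating it into your own tooling. The script below is an added example of doing that as a build gate outside Maven; it is not code from the announcement or from the ossindex-maven project. It assumes the OSS Index v3 endpoint (POST https://ossindex.sonatype.org/api/v3/component-report with a JSON body `{"coordinates": [...]}`, returning one report per coordinate with a `vulnerabilities` list whose entries carry `id`, `title` and `cvssScore`), assumes Maven coordinates are sent as package-urls of the form `pkg:maven/<group>/<artifact>@<version>`, and assumes a per-request batch limit of 128. The `mvn dependency:list` output and the API response it runs against offline are constructed samples under an example.com namespace, with placeholder vulnerability ids, not real advisories.

```python
"""Gate a Maven build on OSS Index results (added example, not project code).

Assumptions, not facts from the announcement: the v3 endpoint and its
request/response shape, the purl form for Maven coordinates, and the batch
size. SAMPLE_DEPENDENCY_LIST and SAMPLE_REPORTS are constructed test data.
"""
import json
import sys
import urllib.request

OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"  # assumed
BATCH_SIZE = 128  # assumed per-request limit; batching is sensible regardless


def maven_purl(group_id, artifact_id, version):
    """package-url for one Maven coordinate (assumed purl form)."""
    return f"pkg:maven/{group_id}/{artifact_id}@{version}"


def parse_dependency_list(text, skip_scopes=("test",)):
    """Turn `mvn dependency:list` output into purls.

    Dependency lines look like `[INFO]    group:artifact:type[:classifier]:version:scope`
    (newer Maven appends ` -- module ...`); headers and separators are ignored.
    Test-scoped artifacts are skipped by default because they are not shipped.
    """
    purls = []
    for line in text.splitlines():
        body = line.split("]", 1)[1] if line.startswith("[") else line
        parts = body.split(" -- ", 1)[0].strip().split(":")
        if len(parts) < 5:
            continue
        group_id, artifact_id, version, scope = parts[0], parts[1], parts[-2], parts[-1]
        if scope in skip_scopes:
            continue
        purls.append(maven_purl(group_id, artifact_id, version))
    return purls


def query_ossindex(purls, opener=urllib.request.urlopen):
    """POST the coordinates in batches and collect the component reports."""
    reports = []
    for start in range(0, len(purls), BATCH_SIZE):
        body = json.dumps({"coordinates": purls[start:start + BATCH_SIZE]}).encode("utf-8")
        request = urllib.request.Request(
            OSSINDEX_URL, data=body, method="POST",
            headers={"Content-Type": "application/json", "Accept": "application/json"},
        )
        with opener(request) as response:
            reports.extend(json.load(response))
    return reports


def evaluate(reports, cvss_threshold=0.0, excluded_ids=()):
    """Return (fail, findings).

    A vulnerability blocks when its CVSS score is at or above cvss_threshold.
    A missing score is treated as blocking rather than silently passing, and
    excluded_ids waives findings that were reviewed and accepted explicitly.
    """
    findings = []
    for report in reports:
        for vuln in report.get("vulnerabilities", []):
            if vuln.get("id") in excluded_ids:
                continue
            score = vuln.get("cvssScore")
            if score is not None and float(score) < cvss_threshold:
                continue
            findings.append({"coordinates": report.get("coordinates"), "id": vuln.get("id"),
                             "title": vuln.get("title"), "cvssScore": score})
    return bool(findings), findings


# Constructed sample `mvn dependency:list` output (example.com namespace only).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.example:widget:jar:1.0.0:compile
[INFO]    com.example:gadget:jar:2.3.1:runtime -- module com.example.gadget (auto)
[INFO]    com.example:testkit:jar:0.9:test
"""

# Constructed sample response in the assumed v3 shape; ids are placeholders.
SAMPLE_REPORTS = [
    {"coordinates": "pkg:maven/com.example/widget@1.0.0", "vulnerabilities": [
        {"id": "SAMPLE-1", "title": "placeholder high", "cvssScore": 9.8},
        {"id": "SAMPLE-2", "title": "placeholder low", "cvssScore": 3.1}]},
    {"coordinates": "pkg:maven/com.example/gadget@2.3.1", "vulnerabilities": [
        {"id": "SAMPLE-3", "title": "placeholder unscored", "cvssScore": None}]},
]


def main(argv):
    """`--offline` uses the constructed sample; otherwise stdin carries
    `mvn dependency:list` output and OSS Index is queried over the network."""
    if "--offline" in argv:
        purls, reports = parse_dependency_list(SAMPLE_DEPENDENCY_LIST), SAMPLE_REPORTS
    else:
        purls = parse_dependency_list(sys.stdin.read())
        reports = query_ossindex(purls)
    fail, findings = evaluate(reports, cvss_threshold=7.0)
    for f in findings:
        print(f"{f['coordinates']}: {f['id']} (CVSS {f['cvssScore']}) {f['title']}")
    print(f"{len(purls)} coordinates checked, {len(findings)} blocking findings")
    return 1 if fail else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `mvn dependency:list | python ossindex_gate.py` (or with `--offline` to see the sample run) and let the non-zero exit status fail the pipeline. Two design points worth keeping if you adapt it: an unscored finding is treated as blocking so a data gap cannot pass the gate, and waivers are by vulnerability id rather than by coordinate, so a newly reported issue on an already waived component still blocks. Bear in mind that the query sends your dependency inventory to a third-party service; the Maven plugin and Enforcer rule linked in the announcement do the same inside the build, so the script only adds value for tooling outside Maven.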


Re: Announcing OSSIndex plugins for Apache Maven: Scan your dependencies for known vulnerabilities

Mark Derricutt

On 26 Jul 2018, at 12:55, Brian Fox wrote:

Find the Maven Plugin docs here:
https://sonatype.github.io/ossindex-maven/maven-plugin/

This looks awesome! One nitpick though - the XML plugin definition has a bad </verify> on the <phase> line.

Will be interesting to see how the results compare to the OWASP dependency checker.

Cheers
Mark


"The ease with which a change can be implemented has no relevance at all to whether it is the right change for the (Java) Platform for all time." — Mark Reinhold.

Mark Derricutt
http://www.theoryinpractice.net
http://www.chaliceofblood.net
http://plus.google.com/+MarkDerricutt
http://twitter.com/talios
http://facebook.com/mderricutt



Re: Announcing OSSIndex plugins for Apache Maven: Scan your dependencies for known vulnerabilities

Brian Fox-2


--mobile

> On Jul 25, 2018, at 9:24 PM, Mark Derricutt <[hidden email]> wrote:
>
> On 26 Jul 2018, at 12:55, Brian Fox wrote:
>
> Find the Maven Plugin docs here:
> https://sonatype.github.io/ossindex-maven/maven-plugin/
>
> This looks awesome! One nit pick tho - the XML plugin definition has a bad </verify> on the <phase> line.
>

Will fix, thanks!
> Will be interesting to see how the results compare to the OWASP dependency checker.
>

The techniques are different but an integration is pending to add the data to dependency check for even wider coverage.

> Cheers
> Mark
>

Re: Announcing OSSIndex plugins for Apache Maven: Scan your dependencies for known vulnerabilities

Matthieu BROUILLARD-3
In reply to this post by Brian Fox
Excellent enhancement; thank you Brian & Sonatype.

>  Report issues or ideas here:
> https://github.com/sonatype/ossindex-maven/issues

As requested I submitted my feedback as an RFE (
https://github.com/sonatype/ossindex-maven/issues/10) to report possible
fixes on the vulnerabilities.

Regards,
Matthieu

On Thu, Jul 26, 2018 at 2:55 AM Brian Fox <[hidden email]> wrote: