RFC: Maven to raise a notification if downloading vulnerable content


RFC: Maven to raise a notification if downloading vulnerable content

Peter Muryshkin
Hi, all,

currently you can run OWASP dependency check plugin against your projects.

Though this seems to make security more or less optional: unaware or
light-headed teams could miss this.

What if a package repository integrated with this dependency checking
and issued a warning, say a special HTTP response code or a header?

Then, Maven would raise the warning in the console log, like "this
component is known to have CVE-XYZ! consider upgrading"

What do you think?
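To make the proposal concrete, here is an added example (not code from the thread, from Maven, or from any repository manager) of the client side of such a scheme: a resolver receives the HTTP response headers for an artifact, looks for a vulnerability header, and turns it into Maven-style log lines. The header name X-Known-Vulnerabilities, its comma-separated CVE-id format, the fail_on_vulnerable policy switch and all sample coordinates and CVE ids are assumptions made up for the example; the thread names none of them. The one point the example adds beyond the post is that the client must validate what the repository sends: only well-formed CVE ids are echoed into the log, so a broken or hostile repository cannot inject arbitrary text or terminal escape sequences into the build output.

```python
import re

# Assumed, hypothetical header name. The thread proposes "a special HTTP
# response code or a header" but does not name one; no repository manager
# sends this header today.
VULN_HEADER = "X-Known-Vulnerabilities"

# Strict CVE identifier syntax. Anything else in the header is discarded
# rather than echoed, so a buggy or hostile repository cannot inject
# arbitrary text (or ANSI escapes) into the build log.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_vulnerability_header(value):
    """Split a comma-separated header value into accepted CVE ids and rejected tokens."""
    accepted, rejected = [], []
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue
        if CVE_ID.match(token):
            if token not in accepted:  # drop duplicates, keep order
                accepted.append(token)
        else:
            rejected.append(token)
    return accepted, rejected


def check_artifact_response(coordinates, headers, fail_on_vulnerable=False):
    """Inspect the response headers for one resolved artifact.

    Returns the Maven-style log lines that would be printed. If
    fail_on_vulnerable is set and at least one CVE id was accepted,
    raises RuntimeError so the build stops instead of merely warning.
    Header lookup is case-insensitive, as HTTP header names are.
    """
    value = None
    for name, val in headers.items():
        if name.lower() == VULN_HEADER.lower():
            value = val
            break
    if value is None:
        return []  # repository reported nothing; stay silent

    cves, junk = parse_vulnerability_header(value)
    lines = []
    for cve in cves:
        lines.append(
            f"[WARNING] {coordinates} is known to be affected by {cve}; consider upgrading"
        )
    if junk:
        # Report the count only; the rejected tokens themselves never reach the log.
        lines.append(
            f"[WARNING] {coordinates}: ignored {len(junk)} malformed entries in {VULN_HEADER}"
        )
    if cves and fail_on_vulnerable:
        raise RuntimeError(
            f"{coordinates} has known vulnerabilities: {', '.join(cves)}"
        )
    return lines


if __name__ == "__main__":
    # Constructed sample responses; the coordinates and CVE ids are placeholders,
    # not real artifacts or real advisories.
    sample = {
        "org.example:lib-a:1.0": {"Content-Type": "application/java-archive"},
        "org.example:lib-b:2.3": {
            "x-known-vulnerabilities": "CVE-2017-0001, CVE-2017-0001,CVE-2018-12345"
        },
        "org.example:lib-c:0.9": {
            "X-Known-Vulnerabilities": "CVE-2019-1, \x1b[31mFAKE\x1b[0m"
        },
    }
    for coords, hdrs in sample.items():
        for line in check_artifact_response(coords, hdrs):
            print(line)
```

Run as a script it prints one warning per accepted CVE id for lib-b (the duplicate is collapsed) and a single "ignored 2 malformed entries" line for lib-c, whose header carries a short id and an escape sequence. Setting fail_on_vulnerable=True is the policy a team would choose once it wants the check to be mandatory rather than advisory, which is the gap the post describes.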

Re: RFC: Maven to raise a notification if downloading vulnerable content

Chas Honton
If you want the package repository to add the header, you will need to make your request to Sonatype (Nexus) and JFrog (Artifactory).

Chas

> On Mar 6, 2018, at 4:12 AM, Peter Muryshkin <[hidden email]> wrote:
