[BUILD-373] Implement OWASP Dependency Check for selected webapps Created: 05/Sep/19  Updated: 01/Nov/21  Resolved: 24/Mar/20

Status: Closed
Project: Build
Component/s: Poms
Affects Version/s: None
Fix Version/s: Build Resources 1.6.8, POMs 38

Type: Task Priority: Major
Reporter: Mikaël Geljić Assignee: Dai Ha
Resolution: Fixed Votes: 0
Labels: None
Σ Remaining Estimate: 0d Remaining Estimate: 0d
Σ Time Spent: 5.75d Time Spent: 5d
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Issue Links:
Cloners
is cloned by MGNLEE-603 DXCore - Implement OWASP Dependency C... Closed
Relates
relates to MGNLEE-600 Align jBPM version in magnolia dx cor... Closed
Sub-Tasks:
Key | Summary | Type | Status | Assignee
BUILD-377 | Manage three last libraries in dx-cor... | Sub-task | Closed | Dai Ha
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Epic Link: Security
Sprint: 6.2 Ramp-up 19, 6.2 Ramp-up 20
Story Points: 8

Description
  1. implement suppressions (false positives), likely through plugin configuration in parent POMs
  2. provide a default suppressionFile in build-resources module
  3. also configure a project-specific location, so that projects can add more suppressions without requiring a parent POM re-release
  4. let's not bind the check goal to any phase yet
  5. for local runs: mvn dependency-check:check, typically mostly relevant in webapps
  6. for CI runs: add a separate pipeline step to magnoliaPacksPipeline I believe, invoking the mvn command above
  7. add a report configuration for site generation, using the aggregate goal on the module parent (nice to have)
  8. estimate load on CI from vulnerability database updates

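The following POM fragment is an added example of how items 1 to 4 and 7 of the list above fit together in Maven; it is not configuration from this ticket or from the Magnolia POMs. The plugin version, the build-resources coordinates and the resource path `owasp/default-suppressions.xml` are assumptions; so is the assumption that the dependency-check version in use can read a suppression file from the plugin classpath (a local path or a URL is the documented alternative if it cannot).

```xml
<!-- Parent POM (example, not the project's own): the plugin is managed once, with
     NO <executions>, so dependency-check:check only runs when invoked explicitly. -->
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>5.3.2</version> <!-- assumed; pin the version you have validated -->
        <configuration>
          <suppressionFiles>
            <!-- 1) shared defaults shipped in build-resources, read from the plugin
                    classpath (assumed resource path and assumed plugin capability) -->
            <suppressionFile>owasp/default-suppressions.xml</suppressionFile>
            <!-- 2) project-specific additions next to the module's pom.xml; changing
                    this file needs no parent POM re-release -->
            <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
        <dependencies>
          <!-- puts the default suppression file on the plugin classpath
               (coordinates are assumed, not taken from the ticket) -->
          <dependency>
            <groupId>info.magnolia.build</groupId>
            <artifactId>magnolia-build-resources</artifactId>
            <version>1.6.8</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </pluginManagement>
</build>

<!-- Module parent (example): site report via the aggregate goal, so one report
     covers every module under this parent. -->
<reporting>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <reportSets>
        <reportSet>
          <reports>
            <report>aggregate</report>
          </reports>
        </reportSet>
      </reportSets>
    </plugin>
  </plugins>
</reporting>
```

With this in place a developer runs `mvn dependency-check:check` in a webapp module and the same command works as the separate CI step. Each webapp should keep the project-specific file present even when it holds no rules (an empty `<suppressions>` root element is enough) so the plugin never has to deal with a missing path. For item 8, the NVD data is cached locally and refreshed on each run by default; separating the refresh into its own step with the `update-only` goal makes the database update cost visible on CI independently of the scans themselves.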
Initial research goal (fulfilled): estimate the initial effort to discard false positives such as the one mentioned on the CVE scans research log.
=> suppressions may not be that hard, and upon second look the number of false positives seems manageable.
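As an added example of what the suppression file itself looks like (this is not the file from build-resources, and every coordinate, CPE and date in it is a placeholder, not a real finding), the shape below is the one a reviewer would want: each rule scoped to one artifact, a note that records why it is a false positive, and, where the rule only bridges the gap until an upgrade, an `until` date so the finding reappears on its own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file (placeholder content, not the project's own rules). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Wrong CPE match: the analyzer mapped this artifact to a product it is not.
       Scoping by packageUrl keeps the rule from silencing findings on other artifacts
       that happen to match the same CPE for a good reason. -->
  <suppress>
    <notes><![CDATA[
      Placeholder rule: org.example:example-lib is matched to an unrelated product.
      Record who reviewed it, when, and a link to the analysis (wiki page / ticket).
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
    <cpe>cpe:/a:example_vendor:example_product</cpe>
  </suppress>

  <!-- Time-boxed rule: the fix is an upgrade that is already scheduled. The rule
       expires on the given date, so a slipped upgrade shows up again in the report
       instead of staying hidden. -->
  <suppress until="2020-06-30Z">
    <notes><![CDATA[
      Placeholder rule: exact version pinned on purpose, so the next release is scanned
      again without anyone having to remember to remove this entry.
    ]]></notes>
    <gav regex="true">^org\.example:example\-lib:1\.0\.0$</gav>
    <cpe>cpe:/a:example_vendor:example_product</cpe>
  </suppress>

</suppressions>
```

Two habits keep a file like this from turning into a blanket allow-list: never write a rule that has no artifact selector (`packageUrl`, `gav`, `sha1` or `filePath`), and prefer suppressing the wrong `cpe` over listing individual CVEs, because the CPE is what was mis-identified and new CVEs against that CPE would otherwise resurface as fresh false positives.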



Comments
Comment by Mikaël Geljić [ 14/Feb/20 ]

attached a sample report to the wiki page

Generated at Sun Feb 11 23:41:20 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.