[MGNLEE-603] DXCore - Implement OWASP Dependency Check for selected webapps Created: 19/Mar/20  Updated: 02/Apr/20  Resolved: 24/Mar/20

Status: Closed
Project: Magnolia DX Core
Component/s: build / bundling
Affects Version/s: None
Fix Version/s: 6.2

Type: Task Priority: Major
Reporter: Dai Ha Assignee: Dai Ha
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: 1h
Time Spent: 3h
Original Estimate: Not Specified

Issue Links:
Cloners
clones BUILD-373 Implement OWASP Dependency Check for ... Closed
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Epic Link: Security
Story Points: 2

Description
  1. implement suppressions (for false positives), likely through plugin configuration in the parent POMs
  2. provide a default suppressionFile in the build-resources module
  3. also configure a project-specific location, so that projects can add more suppressions without requiring a parent POM re-release
  4. let's not bind the check goal to any phase yet
  5. for local runs: mvn dependency-check:check, typically most relevant in webapps
  6. for CI runs: add a separate pipeline step to magnoliaPacksPipeline, I believe, invoking the mvn command above
  7. add a report configuration for site generation, using the aggregate goal on the module parent (nice to have)
  8. estimate the load on CI from vulnerability database updates
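Worked example of what steps 1 to 7 look like in a parent POM, added here as an illustration; it is not the project's own configuration. The build-resources artifact coordinates, the property names, the suppression file names and the plugin version are assumptions. The one plugin behaviour it relies on is that a suppressionFile value which is neither an existing local path nor an http/https URL is looked up as a classpath resource, which is what lets a file packaged in build-resources be shared without copying:

```xml
<!-- Parent POM fragment (added example; names marked "assumed" are placeholders). -->
<project>
  <properties>
    <dependency-check.version>5.3.1</dependency-check.version> <!-- assumed: version current at the time of the ticket -->
    <!-- Step 3: per-project suppressions sit next to each project's pom.
         A child pom overrides this property to point elsewhere. -->
    <dependency-check.project-suppressions>${project.basedir}/dependency-check-suppressions.xml</dependency-check.project-suppressions>
    <!-- Fail the check goal on any finding with CVSS >= 7.0 (high/critical). -->
    <dependency-check.fail-on-cvss>7.0</dependency-check.fail-on-cvss>
  </properties>

  <build>
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>${dependency-check.version}</version>
          <!-- Steps 1/2: the default suppression file ships inside the
               build-resources jar. Declaring that jar as a *plugin* dependency
               puts the file on the plugin's classpath, where the plugin finds it
               when the path below is not a local file or URL. -->
          <dependencies>
            <dependency>
              <groupId>info.magnolia.build</groupId>              <!-- assumed coordinates -->
              <artifactId>magnolia-build-resources</artifactId>  <!-- assumed coordinates -->
              <version>${project.version}</version>              <!-- assumed: released with the parent -->
            </dependency>
          </dependencies>
          <configuration>
            <suppressionFiles>
              <!-- classpath resource packaged in build-resources (assumed path) -->
              <suppressionFile>dependency-check/default-suppressions.xml</suppressionFile>
              <!-- project-specific file; it must exist, an empty <suppressions/> is fine -->
              <suppressionFile>${dependency-check.project-suppressions}</suppressionFile>
            </suppressionFiles>
            <failBuildOnCVSS>${dependency-check.fail-on-cvss}</failBuildOnCVSS>
            <!-- provided/test scope jars are not shipped in the webapp -->
            <skipProvidedScope>true</skipProvidedScope>
            <skipTestScope>true</skipTestScope>
            <formats>
              <format>HTML</format>  <!-- for humans -->
              <format>JSON</format>  <!-- for the CI step to parse -->
            </formats>
          </configuration>
          <!-- Step 4: deliberately no <executions>, so the check runs only when
               "mvn dependency-check:check" is invoked explicitly (steps 5/6). -->
        </plugin>
      </plugins>
    </pluginManagement>
  </build>

  <!-- Step 7: one aggregate report over all modules for site generation. -->
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <reportSets>
          <reportSet>
            <reports>
              <report>aggregate</report>
            </reports>
          </reportSet>
        </reportSets>
      </plugin>
    </plugins>
  </reporting>
</project>
```

With this in place, step 5 is `mvn dependency-check:check` run inside a webapp module (or `mvn -pl <webapp> dependency-check:check` from the root), and step 6 is the same command as its own pipeline step. Two caveats a practitioner will hit: the plugin treats a listed suppression file it cannot find as an error, so every project that inherits this configuration needs the project-level file, even if it only contains an empty `<suppressions/>` element; and the first run downloads the full NVD data set, so for step 8 the CI job should keep the plugin's `dataDirectory` on persistent storage between runs, which reduces each run to the incremental update.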

Initial research goal (fulfilled): estimate the initial effort to discard false positives such as the one mentioned in the CVE scans research log.
=> suppressions may not be that hard, and on second look the number of false positives seems manageable.
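What such a suppression actually looks like, as an added example of a project-level dependency-check-suppressions.xml (not a file from the project); the artifact coordinates, the CPE, the dates and the notes are placeholders, and CVE-YYYY-NNNNN stands for whatever identifier the scan reported:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (added example; all names are placeholders) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- The classic false positive: an artifact is matched to a CPE of an
       unrelated product because of a similar name. Suppress that CPE for this
       one artifact only (matched by package URL), so findings against the same
       CPE for other artifacts stay visible. -->
  <suppress>
    <notes><![CDATA[
      False positive: magnolia-example-module (placeholder) is matched to the
      unrelated CPE below by name similarity. Reviewed 2020-03-24 (placeholder).
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/info\.magnolia/magnolia\-example\-module@.*$</packageUrl>
    <cpe>cpe:/a:example:example</cpe>
  </suppress>

  <!-- Accepted risk with an expiry date: the rule stops matching after "until",
       so the finding reappears instead of being forgotten. Pin the version
       range so an upgrade that changes the artifact is re-evaluated. -->
  <suppress until="2020-09-30Z">
    <notes><![CDATA[
      Placeholder justification: the vulnerable code path is not reachable from
      the webapp. Upgrade or re-assess before the expiry date.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@1\.2\..*$</packageUrl>
    <vulnerabilityName>CVE-YYYY-NNNNN</vulnerabilityName>
  </suppress>

</suppressions>
```

Two habits keep the file trustworthy: every rule carries a `notes` entry saying why it exists and who reviewed it, and rules that accept a real vulnerability (as opposed to a mis-identification) always get an `until` date. Rules that belong to every project, such as the CPE mismatch above, go into the default file in build-resources; rules that reflect one webapp's risk acceptance stay in that webapp's own file.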


Generated at Mon Feb 12 05:31:34 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.