kgoedert
Posted on October 31, 2019
A lot of developers I talk to seem to think that security is someone else's responsibility: the network guy, the security guy, someone who is not them.
I am no expert in security, but when I work on a project, I like to believe that security is my responsibility too. One small thing I can do is check the libraries I am using in my project against known vulnerabilities. If one is found, I try to upgrade it right away. If that is not possible for some reason, I am at least aware of the problem.
In a Java project, you can add the OWASP dependency-check plugin to your Maven pom.xml:
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>4.0.2</version>
    <configuration>
        <cveValidForHours>12</cveValidForHours>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>
That will show you output like this:
One or more dependencies were identified with known vulnerabilities in test-project:
microprofile-rest-client-api-1.0.jar (org.eclipse.microprofile.rest.client:microprofile-rest-client-api:1.0, cpe:/a:rest-client_project:rest-client:1.0) : CVE-2015-1820, CVE-2015-3448
deltaspike-core-api-1.8.0.jar (cpe:/a:apache:deltaspike:1.8.0, org.apache.deltaspike.core:deltaspike-core-api:1.8.0) : CVE-2017-17837
libthrift-0.9.2.jar (cpe:/a:apache:thrift:0.9.2, org.apache.thrift:libthrift:0.9.2) : CVE-2015-3254
stagemonitor-tracing-elasticsearch-0.87.6.jar (org.stagemonitor:stagemonitor-tracing-elasticsearch:0.87.6, cpe:/a:elasticsearch:elasticsearch:0.87.6) : CVE-2014-3120, CVE-2015-1427, CVE-2015-5531, CVE-2014-6439, CVE-2015-3337
jaeger-core-0.22.0-RC1-okhttp381.jar/META-INF/maven/org.apache.httpcomponents/httpclient/pom.xml (cpe:/a:apache:httpclient:4.2.5, org.apache.httpcomponents:httpclient:4.2.5) : CVE-2015-5262, CVE-2014-3577
And that’s it.
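The console listing above is only the start of the work: someone still has to decide which jar to upgrade first, and notice findings like the last one, where the vulnerable component (httpclient 4.2.5) is bundled inside another jar rather than declared directly in the pom, so a plain version bump of your own dependency will not fix it. The following script is an added example, not part of the original post or of the dependency-check project; it parses the report lines exactly as printed above (embedded here as a constructed sample), separates the Maven coordinate from the CPE identifier, flags nested components, and ranks jars by CVE count for triage. The line format it expects is the one shown on this page; other plugin versions may print differently.

```python
import re
from collections import defaultdict

# Constructed sample: the report lines shown on the page, verbatim.
SAMPLE_OUTPUT = """\
One or more dependencies were identified with known vulnerabilities in test-project:
microprofile-rest-client-api-1.0.jar (org.eclipse.microprofile.rest.client:microprofile-rest-client-api:1.0, cpe:/a:rest-client_project:rest-client:1.0) : CVE-2015-1820, CVE-2015-3448
deltaspike-core-api-1.8.0.jar (cpe:/a:apache:deltaspike:1.8.0, org.apache.deltaspike.core:deltaspike-core-api:1.8.0) : CVE-2017-17837
libthrift-0.9.2.jar (cpe:/a:apache:thrift:0.9.2, org.apache.thrift:libthrift:0.9.2) : CVE-2015-3254
stagemonitor-tracing-elasticsearch-0.87.6.jar (org.stagemonitor:stagemonitor-tracing-elasticsearch:0.87.6, cpe:/a:elasticsearch:elasticsearch:0.87.6) : CVE-2014-3120, CVE-2015-1427, CVE-2015-5531, CVE-2014-6439, CVE-2015-3337
jaeger-core-0.22.0-RC1-okhttp381.jar/META-INF/maven/org.apache.httpcomponents/httpclient/pom.xml (cpe:/a:apache:httpclient:4.2.5, org.apache.httpcomponents:httpclient:4.2.5) : CVE-2015-5262, CVE-2014-3577
"""

# One finding per line: <path> (<identifiers>) : CVE-..., CVE-...
FINDING_RE = re.compile(
    r"^(?P<path>\S+) \((?P<ids>[^)]*)\) : "
    r"(?P<cves>CVE-\d{4}-\d+(?:, CVE-\d{4}-\d+)*)\s*$"
)


def parse_findings(text):
    """Turn dependency-check console output into a list of structured findings.

    Lines that do not look like a finding (the header, blank lines) are skipped.
    A path containing '/' means the component was found inside another archive,
    e.g. a pom.xml under META-INF of a shaded or repackaged jar.
    """
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        ids = [s.strip() for s in m.group("ids").split(",")]
        cpes = [i for i in ids if i.startswith("cpe:/")]
        gavs = [i for i in ids if not i.startswith("cpe:/")]
        path = m.group("path")
        findings.append({
            "path": path,
            "jar": path.split("/")[0],          # the artifact actually on your classpath
            "nested": "/" in path,              # vulnerable code is bundled inside that jar
            "gav": gavs[0] if gavs else None,   # groupId:artifactId:version as resolved by Maven
            "cpe": cpes[0] if cpes else None,   # identifier dependency-check matched against NVD
            "cves": [c.strip() for c in m.group("cves").split(",")],
        })
    return findings


def summarize(findings):
    """Group findings per top-level jar and rank them for triage."""
    by_jar = defaultdict(set)
    for f in findings:
        by_jar[f["jar"]].update(f["cves"])
    # Most CVEs first; ties broken alphabetically so the order is stable.
    ranked = sorted(by_jar.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {
        "unique_cves": sorted({c for f in findings for c in f["cves"]}),
        "ranked": [(jar, sorted(cves)) for jar, cves in ranked],
        # Nested components need an upgrade of the *outer* jar (or its rebuild),
        # not of the coordinate named in the finding.
        "nested": [(f["jar"], f["gav"]) for f in findings if f["nested"]],
    }


if __name__ == "__main__":
    summary = summarize(parse_findings(SAMPLE_OUTPUT))
    print(f"{len(summary['unique_cves'])} distinct CVEs")
    for jar, cves in summary["ranked"]:
        print(f"{len(cves):2d}  {jar}")
    for jar, gav in summary["nested"]:
        print(f"bundled inside {jar}: {gav}")
```

When you run this against the page's output, the jar with the most CVEs lands at the top and the jaeger-core jar is reported as carrying a bundled httpclient; in practice you would feed it the saved build log rather than the inline sample. It is also worth eyeballing the CPE next to the Maven coordinate for each line, since dependency-check matches on CPE heuristics and a CPE that names a different product than the artifact does is a candidate for review before you spend time on an upgrade.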