Architecture #21142

closed

Detect vulnerabilities in maven using osv/osv.dev

Added by Alexis Mousset almost 2 years ago. Updated about 1 year ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
Security
Effort required:
Name check:
To do
Fix check:
To do
Regression:
No

Description

Currently we rely on dependency-check-maven which uses the CVE database and tries to match maven packages based on CPEs which is not reliable.

We often get false positives (e.g. a chrome extension with the same name as a maven package).

The proper way to track vulnerabilities is to use a proper detection process, which is the goal of OSV (the format) / osv.dev (the database, synced from different sources including GitHub advisories, which announce main vulnerabilities in the maven ecosystem).

We can try to use https://github.com/G-Rath/osv-detector to check pom.xml file for known vulnerabilities in osv.dev.
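How OSV-style matching differs from the CPE name matching described above, as an added example that is not part of this ticket or of the osv-detector project: it parses a constructed pom.xml, then matches each groupId:artifactId and version against a constructed OSV-format advisory (placeholder id) using its ECOSYSTEM range events. Version ordering is simplified to dotted integers, an assumption that ignores Maven qualifiers such as -SNAPSHOT.

```python
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom.xml fragment (hypothetical coordinates, not a real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.example</groupId><artifactId>lib-a</artifactId><version>1.4.2</version></dependency>
  <dependency><groupId>org.example</groupId><artifactId>lib-b</artifactId><version>2.0.0</version></dependency>
</dependencies></project>"""

# Constructed advisory in OSV format (placeholder id, hypothetical package).
SAMPLE_ADVISORIES = [{"id": "EXAMPLE-0001", "affected": [{
    "package": {"ecosystem": "Maven", "name": "org.example:lib-a"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.3"}]}]}]}]

def parse_pom_dependencies(pom_xml):
    """Return [(groupId:artifactId, version), ...]; OSV names Maven packages as groupId:artifactId."""
    deps = []
    for dep in ET.fromstring(pom_xml).iter(NS + "dependency"):
        gid, aid, ver = (dep.findtext(NS + t) for t in ("groupId", "artifactId", "version"))
        if gid and aid and ver:  # skip dependencies that inherit their version
            deps.append((f"{gid}:{aid}", ver))
    return deps

def version_key(v):
    """Dotted-numeric ordering; assumption: no qualifiers such as -SNAPSHOT."""
    return tuple(int(p) for p in v.split("."))

def version_in_range(version, events):
    """Walk OSV ECOSYSTEM events in order: affected once >= 'introduced', cleared once >= 'fixed'."""
    vk, affected = version_key(version), False
    for ev in events:
        if "introduced" in ev and vk >= version_key(ev["introduced"]):
            affected = True
        if "fixed" in ev and vk >= version_key(ev["fixed"]):
            affected = False
    return affected

def find_vulnerable(deps, advisories):
    """Return {(name, version): [advisory ids]} for exact ecosystem + name + range matches."""
    hits = {}
    for name, ver in deps:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] == "Maven" and pkg["name"] == name and any(
                        r["type"] == "ECOSYSTEM" and version_in_range(ver, r["events"])
                        for r in aff["ranges"]):
                    hits.setdefault((name, ver), []).append(adv["id"])
    return hits
```

Because the match key is the exact ecosystem and coordinates rather than a product name, a package from another ecosystem that happens to share a name cannot produce a hit.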

Actions #1

Updated by Vincent MEMBRÉ almost 2 years ago

  • Target version changed from 6.1.20 to 6.1.21
Actions #2

Updated by Vincent MEMBRÉ almost 2 years ago

  • Target version changed from 6.1.21 to old 6.1 issues to relocate
Actions #3

Updated by Alexis Mousset over 1 year ago

  • Status changed from New to Rejected
  • Regression set to No

Tooling not ready for our pom.xml, we'll check again later.

Actions #4

Updated by Alexis Mousset about 1 year ago

  • Target version changed from old 6.1 issues to relocate to old 6.2 issues to relocate