
Hardening #589

Merged
merged 1 commit into from Oct 9, 2016

Conversation

@pierre-ernst

pierre-ernst commented Oct 6, 2016

  • Prevented XXE security vulnerabilities when parsing malicious XML
  • Prevented MITM attacks by enforcing https

This is useful to protect security engineers against developers who want to play tricks against them by giving their security engineers malicious jar files to scan.
I call this scenario "Revenge P0wn"
:-)
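As an added illustration of the two hardening points listed in this description (not code from the PR or from DependencyCheck itself), here is how a Java XML parser is configured to refuse DTDs and external entities outright, next to a scheme check that rejects any feed URL that is not https. The class and method names and the sample documents are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;
public class HardenedXmlDemo {
    // Build a DocumentBuilder that refuses DTDs and external entities entirely.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting every DOCTYPE is the simplest complete XXE defence.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }
    // Refuse any feed URL that is not https, mirroring the property changes in this PR.
    static URI requireHttps(String url) {
        URI u = URI.create(url);
        if (!"https".equalsIgnoreCase(u.getScheme())) {
            throw new IllegalArgumentException("refusing non-https URL: " + url);
        }
        return u;
    }
    public static void main(String[] args) throws Exception {
        DocumentBuilder db = hardenedBuilder();
        // Constructed sample: a harmless document without a DTD parses normally.
        String plain = "<dependencies><dependency name=\"example\"/></dependencies>";
        Document d = db.parse(new ByteArrayInputStream(plain.getBytes(StandardCharsets.UTF_8)));
        System.out.println("plain document root: " + d.getDocumentElement().getTagName());
        // Constructed sample: any DOCTYPE, even a purely internal one, is rejected
        // before entity resolution, so no file or network access can be triggered.
        String withDtd = "<!DOCTYPE d [<!ENTITY e \"text\">]><d>&e;</d>";
        try {
            db.parse(new ByteArrayInputStream(withDtd.getBytes(StandardCharsets.UTF_8)));
            System.out.println("unexpected: DTD accepted");
        } catch (SAXParseException ex) {
            System.out.println("DTD rejected: " + ex.getMessage());
        }
        System.out.println(requireHttps("https://example.invalid/feed.xml.gz"));
    }
}
```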


jeremylong left a comment

Thank you for the PR! I truly appreciate the assist!

@@ -62,7 +62,7 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
cve.cpe.startswith.filter=cpe:/a:

cpe.validfordays=30
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
cpe.url=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
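Review bot: the hunk header shows `cve.url-2.0.base` already using https while `cpe.url` was still plain http, so this brings the two into line; suggest checking the rest of this properties file for any other `*.url` values still on `http://` so the scheme hardening is completed in one change rather than property by property.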

@jeremylong

jeremylong Oct 9, 2016

Owner

While the update is fine - this is not currently used.

@@ -4,7 +4,7 @@ autoupdate=true
max.download.threads=3

# the url to obtain the current engine version from
engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt
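Review bot: the comment `# the url to obtain the current engine version from` above the changed line documents only the purpose of the setting; since the https scheme is now a deliberate security property, extend the comment to say the URL must stay https so a later edit does not quietly revert it, and consider having the code that fetches this value reject a plain-http URL rather than relying on the default alone.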

@jeremylong

jeremylong Oct 9, 2016

Owner

Thanks for pointing this one out - when I originally wrote this I don't think gh-pages supported HTTPS. Thanks!

@jeremylong jeremylong merged commit 26a4e74 into jeremylong:master Oct 9, 2016
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed