
Add Vulnerabilities Checking into the build (pom, build.gradle) #6329

Closed
donsez opened this issue Sep 8, 2017 · 5 comments

@donsez commented Sep 8, 2017

Overview of the issue

Dependencies (Maven, NPM) may have security vulnerabilities.

Motivation for or Use Case

Improve the security quality of the JHipster application (backend and frontend).

Suggest a Fix

You may add the OWASP reporting plugin into the pom.xml (https://www.owasp.org)

<properties>
	<dependency-check-maven-plugin-version>2.1.1</dependency-check-maven-plugin-version>
</properties>

<reporting>
	<plugins>
		<plugin>
			<groupId>org.owasp</groupId>
			<artifactId>dependency-check-maven</artifactId>
			<version>${dependency-check-maven-plugin-version}</version>
		</plugin>
	</plugins>
</reporting>

The report (mvn clean site) is in target/site/dependency-check-report.html

You may also add the Node Security Platform command (https://nodesecurity.io/opensource) for checking the package.json dependencies.

npm install nsp --global
nsp check

@jdubois (Member) commented Sep 8, 2017

FYI:

  • I recently did a full OWASP scan of a generated application, and didn't find much trouble. It's much more advanced than just checking the Maven dependencies, but very hard to automate -> so your solution is simpler, I need to check this
  • For NPM there are 2 checks to do: one for the generated app (like the pom.xml), but also one for the generator itself (as it is also a Node application).

Then, I often have "vulnerability reports" for the generator, saying that it has the permissions to write on your filesystem. I agree it can be worrying that the generator can read/write on your filesystem, and that's why we provide the Devbox, the Docker image, and JHipster Online... Then, if you install it locally, it's perfectly normal that it writes on your filesystem, as it's the whole point of the generator in the first place. Sometimes I wonder what security researchers think...

@gmarziou (Contributor) commented Sep 8, 2017

I have used the OWASP dependency checker and I don't think we should add it to JHipster because, in order to get a no-error report after project generation, we would have to add some exclusions for false positives. Real-life example: excluding groovy because by transitivity it is included for test only, not production. As a result, if one of our users then decides to use groovy in production, they may not get any vulnerability warning.

So it seems to me that a code generator cannot take decisions about security without knowing the business context; it is the responsibility of the generated project's owner.

Add to this that this is a trivial change and so should be against our policy #2
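One way to wire dependency-check into the build itself (so findings fail `mvn verify` rather than only appearing in the site report) while keeping the false-positive concern above in view, as an added example that is not from this issue or from the JHipster project: the plugin version is the one given in the opening post; the CVSS threshold and the suppression-file path are assumptions.

```xml
<!-- Added example (not from the issue or JHipster): bind dependency-check to the
     build so a vulnerable dependency fails `mvn verify`, instead of only being
     listed in target/site/dependency-check-report.html. -->
<properties>
    <dependency-check-maven-plugin-version>2.1.1</dependency-check-maven-plugin-version>
</properties>

<build>
    <plugins>
        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${dependency-check-maven-plugin-version}</version>
            <configuration>
                <!-- Fail the build when any finding scores CVSS >= 7.
                     The threshold is an assumption; the plugin default (11)
                     never fails the build, it only reports. -->
                <failBuildOnCVSS>7</failBuildOnCVSS>
                <!-- Scope-based exclusion instead of a blanket per-artifact
                     suppression: test-only transitive artifacts (the groovy case
                     described above) are skipped, but if a project later promotes
                     groovy to compile scope it is scanned again automatically,
                     which a hard-coded suppression of the artifact would not do. -->
                <skipTestScope>true</skipTestScope>
                <skipProvidedScope>false</skipProvidedScope>
                <!-- Any remaining false positives belong in a reviewed, versioned
                     suppression file owned by the generated project, not the
                     generator (path is an assumption). -->
                <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
            </configuration>
            <executions>
                <execution>
                    <!-- The check goal binds to the verify phase by default. -->
                    <goals>
                        <goal>check</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
```

The `<reporting>` block from the opening post can stay alongside this so `mvn site` still produces the HTML report; the `<build>` binding is what turns findings into a build failure.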

@jdubois (Member) commented Sep 8, 2017

+1 for your arguments @gmarziou

@gmarziou (Contributor) commented Sep 8, 2017

Also a good answer from the Spring Boot team: spring-projects/spring-boot#9997

@jdubois (Member) commented Sep 8, 2017

OK let's close this, indeed. Thanks @donsez for the idea!
