History

Please refer to the history for information on released and older trunk versions.


OWASP Dependency Check is a tool for checking that the Java libraries you use have no known security issues. We use it through a Gradle plugin.
Once the CVE references and the Gradle dependencies are up to date, as of 2016/09/05 the check takes 3.5 minutes on a standard machine (it took 2+ minutes before the move to Gradle).

Since it often reports false positives, or issues that do not really need attention, you need to maintain a suppression file.

I must say, using OWASP Dependency Check to identify and possibly fix dependency vulnerabilities is very tedious work. Not only are there many false positives or issues not really needing our attention, but some issues also hide others. So you need to check issues one by one, put the corresponding suppress information in the suppression file, run the check again, and so on. Unfortunately it's the best solution we have so far, because blindly updating the libraries we use to their latest versions is not enough.

Here is the last suppress file. It is commented inside to give a clearer picture of the situation (which, fortunately, is not bad).

The idea is that you can use it as a basis for your own project and (if possible) help keep it up to date. This can be done by sharing your experience here as a comment, or by updating this page as a Confluence contributor (as explained in the top banner; otherwise ask on the OFBiz user ML).
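To show what such a suppression file looks like, here is an added illustration (it is not the OFBiz suppress.xml attached to this page; the artifact coordinates, CPE and CVE id are placeholders). It separates the two kinds of entries you end up writing: a false positive from a wrong product match, and a real CVE that does not apply to the way the library is used. Each entry is scoped to one artifact and one CPE or CVE so that a suppression does not hide unrelated findings on the same library.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative suppress.xml (not the OFBiz one). All coordinates, CPEs and CVE ids are placeholders. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- Case 1: false positive. The scanner matched org.example:widget-client to the CPE of an
       unrelated product that shares vendor/product words. Suppressing that CPE, restricted to
       this artifact through the gav regex, removes every finding derived from the wrong match
       while leaving findings on other artifacts untouched. -->
  <suppress>
    <notes><![CDATA[
      False positive: widget-client is not the "widget server" product this CPE refers to.
      Reviewed 2016/09/05. Re-check if the artifact is renamed or the CPE dictionary changes.
    ]]></notes>
    <gav regex="true">^org\.example:widget-client:.*$</gav>
    <cpe>cpe:/a:example:widget_server</cpe>
  </suppress>

  <!-- Case 2: real vulnerability that does not apply to our usage. Suppress only this one CVE,
       and only for the affected version range, so a new CVE on the same library (or an upgrade
       to a version outside the range) is still reported. -->
  <suppress>
    <notes><![CDATA[
      CVE-YYYY-NNNNN (placeholder id) affects the optional remote-admin servlet, which this
      project does not ship or enable. Accepted risk; revisit when upgrading widget-client.
    ]]></notes>
    <gav regex="true">^org\.example:widget-client:1\.2\..*$</gav>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>

</suppressions>
```

The notes element is where the "why" and the review date live; without it the file degrades into a list of silenced ids that nobody dares to remove later.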

Here is the Gradle command line to use to start the check:

gradlew -PenableOwasp dependencyCheck


This is the old way (the command line tool); I still have to check how to use a suppression file with the Gradle plugin.

dependency-check -project OFBiz -scan C:\Users\Jacques\.gradle\caches --suppression C:\projectsASF\ofbiz\tools\security\dependency-check\suppress.xml --out C:\projectsASF\ofbiz\tools\security\dependency-check\

You can remove the "--suppression C:\tools\dependency-check\suppress.xml" part if you want to see the initial, unsuppressed state.

There is also the tools\security folder in the OFBiz trunk repo, with some related information.

Since OFBiz uses Gradle, all dependent libraries (i.e. also the dependencies of the libraries OFBiz uses, recursively) are loaded by Gradle and analysed by the OWASP Dependency Check plugin. So it's materially impossible to check all the possible vulnerabilities; I decided to only check the higher-severity ones.

Trunk reports

Here is the last report file for the trunk.

Here is the previous report file for the trunk (for now, the one from before the move to Gradle).

Stable reports

Here is the last report file for our last stable branch.

Here is the previous report file for our last stable branch.