-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an owasp-check profile #30179
Add an owasp-check profile #30179
Conversation
This comment has been minimized.
This comment has been minimized.
Hi @sberyozkin if I understand it correctly, this add the dependency check plugin in the Quarkus build itself. |
Hi @loicmathieu
Not yet, the initial motivation was to make it easier for anyone building Quarkus to check, now and then someone reports an OWASP issue so it could be handy to have an option to run a quick test inside a specific extension, without having to go to some demo, update the pom there, etc. Adding an action can be the next step, I can experiment with setting up the one in my fork.
I think it makes sense |
Hmm, I can't invoke it as |
Plugin management is not easy with maven (I think they plan to improve it in Maven 4), maybe ask one of our Maven expert ;) Please add a section in the CONTRIBUTING guide on how to launch it then I'll approve the PR. |
Hi Loic @loicmathieu Just about to ping Alexey on dev, I wanted to add a shorter line to the contributions doc :-) |
23fbaed
to
4451d49
Compare
@loicmathieu, have a look please, that should look better now with thanks to @aloubyansky. I'll investigate how to add an action and have a complete report aggregated as well, soon enough after I get from PTO in one week's time |
4451d49
to
bc68a80
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having a plugin config in the pluginManagement should already allow mvn dependency-check:check
in submodules. The profile could help with the defaultGoal
.
df92baf
to
cc2abf2
Compare
Thanks Alexey and Loic for the ideas how to improve/simplify. |
Lets also wait for Guillaume to check it |
cc2abf2
to
192cb86
Compare
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lgtm
192cb86
to
6486359
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I force pushed some formatting and documentation fixes.
But running mvn -Dowasp-check
at the root doesn't work (because it's declared in the build-parent
). Not sure if you wanted it to work but if so there's more work needed. If not, you should probably precise in the documentation that the command needs to be run in the extension directory.
Also I tried to run it in
|
This comment has been minimized.
This comment has been minimized.
@gsmet Thanks for the updates,
Sure. Will also try 7.4.4 with |
Hi @gsmet Not sure if it is 7.4.4 which fixed the error you reported or not, but it works OK,
|
6486359
to
04d5965
Compare
Latest updates:
We can further tune it as necessary |
This comment has been minimized.
This comment has been minimized.
9a30d63
to
23ccc4d
Compare
This comment has been minimized.
This comment has been minimized.
I triggered another CI run as apparently something went wrong on the GitHub side. |
This comment has been minimized.
This comment has been minimized.
Thanks, looks like it failed yesterday again, so I've triggered it once more |
Failing Jobs - Building 23ccc4d
Full information is available in the Build summary check run. Failures⚙️ Devtools Tests - JDK 11 #- Failing: integration-tests/devtools
📦 integration-tests/devtools✖
✖
⚙️ Devtools Tests - JDK 17 #- Failing: integration-tests/devtools
📦 integration-tests/devtools✖
✖
|
Guillaume, not sure it is worth mentioning it in the release notes but please add a label if you think it can be of interest |
This MR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [flow-bin](https://github.com/flowtype/flow-bin) ([changelog](https://github.com/facebook/flow/blob/master/Changelog.md)) | devDependencies | minor | [`^0.198.0` -> `^0.199.0`](https://renovatebot.com/diffs/npm/flow-bin/0.198.0/0.199.0) | | [org.postgresql:postgresql](https://jdbc.postgresql.org) ([source](https://github.com/pgjdbc/pgjdbc)) | build | patch | `42.5.1` -> `42.5.2` | | [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `2.16.0.Final` -> `2.16.1.Final` | | [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | patch | `2.16.0.Final` -> `2.16.1.Final` | | [org.apache.maven.plugins:maven-enforcer-plugin](https://maven.apache.org/enforcer/) | build | minor | `3.1.0` -> `3.2.1` | --- ### Release Notes <details> <summary>flowtype/flow-bin</summary> ### [`v0.199.0`](flow/flow-bin@0568b6e...05bb4e3) [Compare Source](flow/flow-bin@0568b6e...05bb4e3) ### [`v0.198.2`](flow/flow-bin@0d01841...0568b6e) [Compare Source](flow/flow-bin@0d01841...0568b6e) ### [`v0.198.1`](flow/flow-bin@2b180bb...0d01841) [Compare Source](flow/flow-bin@2b180bb...0d01841) </details> <details> <summary>pgjdbc/pgjdbc</summary> ### [`v42.5.2`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#​4252-2023-01-31-143046--0500) ##### Changed docs: specify that timeouts are in seconds and there is a maximum. Housekeeping on some tests fixes [#Issue 2671](pgjdbc/pgjdbc#2671) [MR #​2686](pgjdbc/pgjdbc#2686) docs: clarify binaryTransfer and add it to README [MR# 2698](pgjdbc/pgjdbc#2698) docs: Document the need to encode reserved characters in the connection URL [MR #​2700](pgjdbc/pgjdbc#2700) feat: Define binary transfer for custom types dynamically/automatically fixes [Issue #​2554](pgjdbc/pgjdbc#2554) [MR #​2556](pgjdbc/pgjdbc#2556) ##### Added fix: added gssResponseTimeout as part of [MR #​2687](pgjdbc/pgjdbc#2687) to make sure we don't wait forever on a GSS RESPONSE ##### Fixed fix: Ensure case of XML tags in Maven snippet is correct [MR #​2682](pgjdbc/pgjdbc#2682) fix: Make sure socket is closed if an exception is thrown in createSocket fixes [Issue #​2684](pgjdbc/pgjdbc#2684) [MR #​2685](pgjdbc/pgjdbc#2685) fix: Apply patch from [Issue #​2683](pgjdbc/pgjdbc#2683) to fix hanging ssl connections [MR #​2687](pgjdbc/pgjdbc#2687) fix - binary conversion of (very) long numeric values (longer than 4 \* 2^15 digits) [MR #​2697](pgjdbc/pgjdbc#2697) fixes [Issue #​2695](pgjdbc/pgjdbc#2695) minor: enhance readability connection of startup params [MR #​2705](pgjdbc/pgjdbc#2785) </details> <details> <summary>quarkusio/quarkus</summary> ### [`v2.16.1.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.16.1.Final) [Compare Source](quarkusio/quarkus@2.16.0.Final...2.16.1.Final) ##### Complete changelog - [#​30729](quarkusio/quarkus#30729) - Bump mariadb-java-client from 3.1.1 to 3.1.2 - [#​30724](quarkusio/quarkus#30724) - Upgrade to Mutiny 1.9.0 - [#​30722](quarkusio/quarkus#30722) - Set SameSite Strict only on OIDC session cookie - [#​30720](quarkusio/quarkus#30720) - Bump picocli.version from 4.7.0 to 4.7.1 - [#​30719](quarkusio/quarkus#30719) - Bump jackson-bom from 2.14.1 to 2.14.2 - [#​30715](quarkusio/quarkus#30715) - PanacheRepositoryResource should implement ReactiveRestDataResource - [#​30713](quarkusio/quarkus#30713) - Use MapProperty instead of Map - [#​30694](quarkusio/quarkus#30694) - Use newer API for creating tmp files in RESTEasy Reactive - [#​30692](quarkusio/quarkus#30692) - Bump htmlunit version to 2.70.0 - [#​30686](quarkusio/quarkus#30686) - Don't fail send when a sse sink has been closed - [#​30681](quarkusio/quarkus#30681) - RESTEasy Reactive: SSE broadcaster fails if a sink has been closed - [#​30680](quarkusio/quarkus#30680) - Mark methods generatred by ASM transformations as synthetic - [#​30659](quarkusio/quarkus#30659) - Drop unused class GradleLogger - [#​30653](quarkusio/quarkus#30653) - Fix opening in IDE when more than IDE is running - [#​30652](quarkusio/quarkus#30652) - Match prometheus export metrics format - [#​30651](quarkusio/quarkus#30651) - ArC - use reflection fallback for PreDestroy callbacks if needed - [#​30649](quarkusio/quarkus#30649) - Document redirect options in RESTEasy Reactive - [#​30644](quarkusio/quarkus#30644) - Adjust source language absent in documentation code blocks - [#​30636](quarkusio/quarkus#30636) - PreDestroy hooks fail depending on method modifiers - [#​30635](quarkusio/quarkus#30635) - Introduce a `minimum-java-version` in the extension descriptor metadata - [#​30625](quarkusio/quarkus#30625) - OIDC authentication loop if Cookie Policy sameSite=strict - [#​30624](quarkusio/quarkus#30624) - Fix NPE obtaining a project map from Maven session - [#​30622](quarkusio/quarkus#30622) - Update invalid package in guide - [#​30612](quarkusio/quarkus#30612) - Fix import file name in redis-reference.adoc - [#​30609](quarkusio/quarkus#30609) - Qute generated resolvers - getters should take precedence over fields - [#​30593](quarkusio/quarkus#30593) - Qute validation - improve hierarchy indexing to fix assignability issues - [#​30591](quarkusio/quarkus#30591) - Resolve correct version when application version is unset - [#​30589](quarkusio/quarkus#30589) - Bump junit-bom from 5.9.1 to 5.9.2 - [#​30585](quarkusio/quarkus#30585) - Bump Microsoft SQL Server JDBC driver to 11.2.3 - [#​30584](quarkusio/quarkus#30584) - Update MS SQL JDBC driver to version 11.2.3 - [#​30576](quarkusio/quarkus#30576) - Use accept header to choose metrics export format - [#​30574](quarkusio/quarkus#30574) - Handle empty source directory for included builds - [#​30569](quarkusio/quarkus#30569) - Add default implementation for REST Data interfaces - [#​30564](quarkusio/quarkus#30564) - Update security-openid-connect-client.adoc - [#​30559](quarkusio/quarkus#30559) - container-image extension running with kubernetes extension - [#​30557](quarkusio/quarkus#30557) - AWT: JniRuntimeAccess: freetypeScaler.c calls sun.font.FontUtilities - [#​30548](quarkusio/quarkus#30548) - Add a blurb about not supporting validation.xml in Quarkus - [#​30526](quarkusio/quarkus#30526) - RESTEasy classic servlets - add RoutingContext to active request context - [#​30515](quarkusio/quarkus#30515) - Native build fails with hibernate-orm-rest-data-panache + elytron-security-properties-file - [#​30513](quarkusio/quarkus#30513) - Limit application.properties lookup to main source set - [#​30510](quarkusio/quarkus#30510) - Simplify logic in create-app.adoc and allow to define stream - [#​30501](quarkusio/quarkus#30501) - Fix HibernateOrmCodestart - [#​30500](quarkusio/quarkus#30500) - Place extension with an unknown category in the uncategorized category - [#​30496](quarkusio/quarkus#30496) - Update documentation - [#​30490](quarkusio/quarkus#30490) - Avoid adding the exception itself as a suppressed exception - [#​30488](quarkusio/quarkus#30488) - Updates to Infinispan 14.0.6.Final - [#​30485](quarkusio/quarkus#30485) - Verify code flow access token first if no UserInfo precondition exists - [#​30479](quarkusio/quarkus#30479) - Define defaultValueDocumentation for builderImage - [#​30474](quarkusio/quarkus#30474) - Docs - default value of `quarkus.native.builder-image` is not shown - [#​30470](quarkusio/quarkus#30470) - Revert --enable-monitoring with no arguments support - [#​30460](quarkusio/quarkus#30460) - Bump kafka3.version from 3.3.1 to 3.3.2 - [#​30453](quarkusio/quarkus#30453) - Gradle build failing w/ Quarkus 2.16.0 - [#​30430](quarkusio/quarkus#30430) - Bump gizmo from 1.5.0.Final to 1.6.0.Final - [#​30429](quarkusio/quarkus#30429) - Bump Keycloak version to 20.0.3 - [#​30426](quarkusio/quarkus#30426) - Fix redundant push when using buildx - [#​30424](quarkusio/quarkus#30424) - Building of container images with buildx causes build failures - [#​30423](quarkusio/quarkus#30423) - 2.15+ - Services dependent on libraries without classes no longer build - [#​30418](quarkusio/quarkus#30418) - Disable -D argument propagation in DevMojo - [#​30415](quarkusio/quarkus#30415) - Arc - Change Types#getTypeClosure so that superclasses and interfaces of producer types no longer throw on finding wildcards - [#​30412](quarkusio/quarkus#30412) - Arc - wildcard detection for producer methods/fields is too aggressive - [#​30410](quarkusio/quarkus#30410) - Introduce support for GraalVM `--enable-monitoring` - [#​30408](quarkusio/quarkus#30408) - Warning: Option 'AllowVMInspection' is deprecated and might be removed from future versions: Please use --enable-monitoring - [#​30405](quarkusio/quarkus#30405) - Quarkus Undertow doesn't work with blocking SecurityIdentityAugmentor - [#​30399](quarkusio/quarkus#30399) - Fix ElasticSearch Dev Services container restart - [#​30384](quarkusio/quarkus#30384) - Elasticsearch Dev Services restarts container on every auto-compile - [#​30368](quarkusio/quarkus#30368) - Allow Environment variables to populate property Maps in build time Config - [#​30354](quarkusio/quarkus#30354) - AWT `io.quarkus.awt.it.ImageGeometryFontsIT` native integration test failing with "GraalVM for Java 20" dev builds - [#​30347](quarkusio/quarkus#30347) - Bump junit-jupiter from 5.9.1 to 5.9.2 - [#​30343](quarkusio/quarkus#30343) - Trailing comma is lost from prometheus metrics - [#​30335](quarkusio/quarkus#30335) - Add native compilation section to Hibernate Validator guide - [#​30332](quarkusio/quarkus#30332) - NPE in toString method for Processor Parameters in kafka-streams 3.3.1 version - [#​30275](quarkusio/quarkus#30275) - Inline Log category property doesn't work - [#​30208](quarkusio/quarkus#30208) - OIDC: 401 when access-token needs to be refreshed and user-info-required=true - [#​30179](quarkusio/quarkus#30179) - Add an owasp-check profile - [#​28781](quarkusio/quarkus#28781) - RESTEasy Reactive: document redirects - [#​24027](quarkusio/quarkus#24027) - Hibernate Validator does not use META-INF/validation.xml, it should work or be stated in the documentation. - [#​23002](quarkusio/quarkus#23002) - if more than two running IDE while launching 'x' gives error </details> <details> <summary>quarkusio/quarkus-platform</summary> ### [`v2.16.1.Final`](quarkusio/quarkus-platform@2.16.0.Final...2.16.1.Final) [Compare Source](quarkusio/quarkus-platform@2.16.0.Final...2.16.1.Final) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuMjQuMCJ9-->
Make it easier to run OWASP checks on the whole project or individual extensions