Add an owasp-check profile #30179

Merged
merged 1 commit into from
Jan 20, 2023
7 changes: 7 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -48,6 +48,7 @@ fixes, documentation, examples... But first, read this page (including the small
* [Extensions](#extensions)
+ [Descriptions](#descriptions)
+ [Update dependencies to extensions](#update-dependencies-to-extensions)
+ [Check security vulnerabilities](#check-security-vulnerabilities)
* [The small print](#the-small-print)
* [Frequently Asked Questions](#frequently-asked-questions)
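Review bot: the new `+ [Check security vulnerabilities](#check-security-vulnerabilities)` entry sits at the same `+` nesting level as the Descriptions and Update-dependencies entries under Extensions, which matches where the `### Check security vulnerabilities` heading is added further down in this file; the anchor is derived from that heading text, so the two must be kept in sync if the heading is ever reworded.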

Expand Down Expand Up @@ -694,6 +695,12 @@ were changed by the script.
When removing an extension make sure to also remove all dependencies to it from all `pom.xml`. It's easy to miss this as
long as the extension artifact is still present in your local Maven repository.

### Check security vulnerabilities

When adding a new extension or updating the dependencies of an existing one,
it is recommended to run in the extension directory the [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck) with `mvn -Dowasp-check`
so that known security vulnerabilities in the extension dependencies can be detected early.

## The small print

This project is an open source project, please act responsibly, be nice, polite and enjoy!
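Review bot: the sentence reads awkwardly with the location clause placed before the object ("run in the extension directory the [OWASP Dependency Check] ... with `mvn -Dowasp-check`"); suggest "run the [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck) in the extension directory with `mvn -Dowasp-check`". It would also help contributors to say why the bare `-Dowasp-check` works: setting the property activates the `owasp-check` profile, whose default goal is `dependency-check:check`, so the command has to be run without an explicit goal or nothing is checked.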
24 changes: 23 additions & 1 deletion build-parent/pom.xml
Expand Up @@ -172,6 +172,7 @@

<!-- google cloud functions invoker-->
<gcf-invoker.version>1.1.1</gcf-invoker.version>
<owasp-dependency-check-plugin.version>7.4.4</owasp-dependency-check-plugin.version>
</properties>

<dependencyManagement>
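Review bot: the new `owasp-dependency-check-plugin.version` property lands directly under the `<!-- google cloud functions invoker-->` comment, so it now reads as if it belonged to that group; suggest a blank line and its own comment (e.g. `<!-- OWASP dependency check -->`) to keep the properties block scannable. The value `7.4.4` matches the minimum the docs hunk now requires.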
Expand Down Expand Up @@ -719,6 +720,17 @@
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${owasp-dependency-check-plugin.version}</version>
<configuration>
<!-- Disable Net Analyzer -->
<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
<nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
<nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
</configuration>
</plugin>
</plugins>
</pluginManagement>
</build>
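Review bot: the comment `<!-- Disable Net Analyzer -->` understates what follows, since three .NET-specific analyzers are switched off (`assemblyAnalyzerEnabled`, `nugetconfAnalyzerEnabled`, `nuspecAnalyzerEnabled`); suggest `<!-- Disable the .NET analyzers -->` plus a short note on why, so the next person does not re-enable them by accident. Also worth noting that no `failBuildOnCVSS` threshold is configured here, so with the plugin's default the `check` goal reports findings without failing the build; that is reasonable for an opt-in advisory profile, but CONTRIBUTING should then tell contributors to read the generated report rather than rely on the exit status.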
Expand Down Expand Up @@ -1235,7 +1247,17 @@
</plugins>
</build>
</profile>

<profile>
<id>owasp-check</id>
<activation>
<property>
<name>owasp-check</name>
</property>
</activation>
<build>
<defaultGoal>dependency-check:check</defaultGoal>
</build>
</profile>
<profile>
<id>Windows</id>
<activation>
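Review bot: the profile only sets `<defaultGoal>dependency-check:check</defaultGoal>` and binds no execution, so `mvn -Dowasp-check` works, but any invocation that names a goal (e.g. `mvn -Dowasp-check verify`) activates the profile and runs nothing from the plugin, with no warning. If the check is also meant to run inside a normal build, add a `<plugins>` entry under this profile's `<build>` with an `<execution>` binding the `check` goal to a phase such as `verify`; since the version and analyzer settings already live in `<pluginManagement>`, that entry only needs the `groupId` and `artifactId`. Otherwise, document that the command must be run without an explicit goal.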
2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/security-overview-concept.adoc
Expand Up @@ -344,7 +344,7 @@ To add the OWASP Dependency check plugin to your Quarkus Maven project, add the

[IMPORTANT]
====
Set the `owasp-dependency-check-plugin.version` value to `7.1.1` or later.
Set the `owasp-dependency-check-plugin.version` value to `7.4.4` or later.
====

Next, configure the plugin as follows:
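Review bot: the bump from `7.1.1` to `7.4.4` keeps the documented minimum aligned with `owasp-dependency-check-plugin.version` in build-parent/pom.xml, but the two values are maintained by hand in separate files; consider adding a sentence here that the value tracks the build-parent property, so the next plugin upgrade updates both places.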