add OWASP dependencyCheck
This commit is contained in:
parent
d9ee0017dd
commit
80b1e0ff25
20
README.md
20
README.md
@ -266,6 +266,7 @@ Underneath of rbac and hs, the structure is business oriented, NOT technical / l
|
||||
|
||||
Some of these rules are checked with *ArchUnit* unit tests.
|
||||
|
||||
|
||||
### Spotless Code Formatting
|
||||
|
||||
Code formatting for Java is checked via *spotless*.
|
||||
@ -275,7 +276,7 @@ The formatting style can be checked with this command:
|
||||
gw spotlessCheck
|
||||
```
|
||||
|
||||
This task is also included in `gw build`.
|
||||
This task is also included in `gw build` and `gw check`.
|
||||
|
||||
To apply formatting rules, use:
|
||||
|
||||
@ -283,6 +284,23 @@ To apply formatting rules, use:
|
||||
gw spotlessApply
|
||||
```
|
||||
|
||||
### OWASP Security Vulnerability Check
|
||||
|
||||
An OWASP security vulnerability is configured and can be utilized by running:
|
||||
|
||||
```shell
|
||||
gw dependencyCheckAnalyze
|
||||
```
|
||||
|
||||
This task is also included in `gw build` and `gw check`.
|
||||
It is configured in [build.gradle](build.gradle).
|
||||
|
||||
Often vulnerability reports don't apply to our use cases.
|
||||
Therefore, reports can be [suppressed](./etc/owasp-dependency-check-suppression.xml).
|
||||
In case of suppression, a note must be added to explain why it does not apply to us.
|
||||
|
||||
See also: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html.
|
||||
|
||||
|
||||
## How To
|
||||
|
||||
|
10
build.gradle
10
build.gradle
@ -72,3 +72,13 @@ spotless {
|
||||
toggleOffOn()
|
||||
}
|
||||
}
|
||||
project.tasks.check.dependsOn(spotlessCheck)
|
||||
|
||||
dependencyCheck {
|
||||
cveValidForHours=4
|
||||
format = 'ALL'
|
||||
suppressionFile = 'etc/owasp-dependency-check-suppression.xml'
|
||||
failOnError = true
|
||||
failBuildOnCVSS = 7
|
||||
}
|
||||
project.tasks.check.dependsOn(dependencyCheckAnalyze)
|
||||
|
10
etc/owasp-dependency-check-suppression.xml
Normal file
10
etc/owasp-dependency-check-suppression.xml
Normal file
@ -0,0 +1,10 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
|
||||
<suppress>
|
||||
<notes><![CDATA[
|
||||
We don't use the Spring HTTP invoker which causes this vulnerability due to Java deserialization.
|
||||
]]></notes>
|
||||
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
|
||||
<cve>CVE-2016-1000027</cve>
|
||||
</suppress>
|
||||
</suppressions>
|
Loading…
Reference in New Issue
Block a user