A lot of developers I talk to, seem to think that security is someone else responsibility. The network guy, the security guy, someone that is not him or her.
I am no expert in security, but when I work on project, I like to believe that security is my responsibility too. And one small thing I can do, is to check the libraries I am using on my project against known vulnerabilities. I one is found, I try to upgrade it right away. If it is not possible for some reason, I am at least aware of the problem.
In a java project, you can add an owasp plugin, to your maven pom.xml:
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>4.0.2</version>
<configuration>
<cveValidForHours>12</cveValidForHours>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
That will show you an output like this:
One or more dependencies were identified with known vulnerabilities in test-project:
microprofile-rest-client-api-1.0.jar (org.eclipse.microprofile.rest.client:microprofile-rest-client-api:1.0, cpe:/a:rest-client_project:rest-client:1.0) : CVE-2015-1820, CVE-2015-3448
deltaspike-core-api-1.8.0.jar (cpe:/a:apache:deltaspike:1.8.0, org.apache.deltaspike.core:deltaspike-core-api:1.8.0) : CVE-2017-17837
libthrift-0.9.2.jar (cpe:/a:apache:thrift:0.9.2, org.apache.thrift:libthrift:0.9.2) : CVE-2015-3254
stagemonitor-tracing-elasticsearch-0.87.6.jar (org.stagemonitor:stagemonitor-tracing-elasticsearch:0.87.6, cpe:/a:elasticsearch:elasticsearch:0.87.6) : CVE-2014-3120, CVE-2015-1427, CVE-2015-5531, CVE-2014-6439, CVE-2015-3337
jaeger-core-0.22.0-RC1-okhttp381.jar/META-INF/maven/org.apache.httpcomponents/httpclient/pom.xml (cpe:/a:apache:httpclient:4.2.5, org.apache.httpcomponents:httpclient:4.2.5) : CVE-2015-5262, CVE-2014-3577
And that’s it.
Top comments (0)