[iot-pmc] Consider using OWASP Dependency-Check to scan vulnerabilities in Eclipse IoT projects?

Hi,

In the recent past, we’ve discussed how we could do better at 1/ identifying vulnerabilities in Eclipse IoT projects and 2/ reporting & tracking them better.

On the former, I think it would be interesting to investigate whether OWASP Dependency-Check [1] could be a useful tool to find known, publicly disclosed vulnerabilities in the dependencies of our projects. I ran their command line tool against several projects this morning, and it is really easy to use.

The command line tool is very handy since you don’t need to instrument the existing code base, but the tool also comes in the form of a Maven plugin that should be pretty straightforward to set up. It has a Jenkins plugin as well.

What do you guys think?

FWIW, and thinking out loud here, I am wondering if these things would make sense in the longer run:

- We could have the reports produced by OWASP (or any similar tool) consolidated somehow so as to make it easy for people to glance at the current state of things, security-wise. This could be a link to the Security report of each project (maybe directly served by Hudson/Jenkins) in the PMI?

- Would having a common parent POM for Eclipse IoT projects be helpful to make sure things like having the OWASP plugin pre-configured would be inherited “for free” by all Eclipse IoT projects? I guess this is more of a topic for the CBI [2], though.

Cheers,

Benjamin -

[1] https://www.owasp.org/index.php/OWASP_Dependency_Check

[2] https://wiki.eclipse.org/CBI

Benjamin Cabé – IoT Evangelist


Eclipse Foundation
+33 (0) 619196101
@kartben
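As an added illustration (not code from this thread or from any Eclipse IoT project): a fragment of a hypothetical common parent POM that wires the dependency-check-maven plugin into the verify phase, so every project inheriting from it gets the scan and a build failure on dependencies with a known CVE at or above a CVSS threshold. The parent coordinates, the version placeholder and the threshold value are assumptions.

```xml
<!-- Hypothetical Eclipse IoT parent POM (assumed coordinates; not an existing artifact). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.eclipse.iot</groupId>
  <artifactId>iot-parent</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Pin the plugin version here; replace the placeholder with a real release. -->
    <dependency-check.version>PLACEHOLDER_VERSION</dependency-check.version>
    <!-- Assumed policy: fail the build for any known vulnerability scoring CVSS 7.0 or higher.
         Child projects can override this property without touching the plugin block. -->
    <dependency-check.failOnCVSS>7</dependency-check.failOnCVSS>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- Turn findings into a build failure instead of a report nobody reads. -->
          <failBuildOnCVSS>${dependency-check.failOnCVSS}</failBuildOnCVSS>
          <!-- ALL writes HTML for humans plus XML/JSON that a central dashboard
               (e.g. a link in the PMI, as proposed above) can consume. -->
          <format>ALL</format>
        </configuration>
        <executions>
          <execution>
            <!-- Binding to verify means a plain "mvn verify" or "mvn install"
                 on Hudson/Jenkins runs the scan with no per-project setup. -->
            <phase>verify</phase>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

A first run downloads the vulnerability database, so CI jobs should cache the plugin's data directory between builds; recent plugin releases fetch NVD data through an API and accept an nvdApiKey setting, which is omitted here.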
