
MavenCentral contains a lot of artifacts. Some of them should not be used because they have severe bugs that, e.g., threaten security.

I know that Nexus Firewall offers an expensive service to analyse these artifacts. Are there other methods that offer (at least a bit of) protection against such vulnerabilities?

J Fabian Meier
  • Well, your best bet is probably to know the components you're using yourself. After all it's you who knows which are getting used and how you use them. I'd assume that the more vulnerable/exposed components provide some means to publish known vulnerabilities and fixes, at least that's what we're monitoring alongside more general security boards. – Thomas Mar 28 '17 at 07:16
  • @Thomas Thank you, I should be clearer: There are 1000+ external jars that are used in our company. Most of them come from MavenCentral. I want to write an automatic check that looks through these 1000+ jars (and all that will be added in the future) to give me a hint whether these should be used or not. Licensing can be grabbed through Maven but other information (like security) should be considered as well. – J Fabian Meier Mar 28 '17 at 07:20

1 Answer


OWASP dependency check checks dependencies against publicly disclosed vulnerabilities, and is free.

henry
  • It sounds nice, but I am still struggling with the company proxy. I accept the answer as soon as I find a way to make dependency-check run. – J Fabian Meier Mar 28 '17 at 12:39
  • Also some smaller project: http://www.victi.ms/client.html. The OWASP mentions it. It's for Java only. The about page states `The victims database is primarily maintained by the Red Hat Security Response Team,...` - http://www.victi.ms/about.html – zloster Mar 28 '17 at 18:47
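The automatic check the question asks for, as an added example that is not part of the original question or answer: a script that reads the JSON report Dependency-Check produces after scanning a directory of jars and lists the jars with a finding at or above a CVSS threshold. The report shape (`dependencies[].vulnerabilities[]` with `cvssv3.baseScore` / `cvssv2.score`) is assumed from the tool's report format, and the sample report and CVE ids below are constructed placeholders so the example runs offline.

```python
import json

# Constructed sample in the shape of a Dependency-Check JSON report
# (dependencies[].vulnerabilities[] with cvssv3.baseScore / cvssv2.score);
# the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-0002", "severity": "LOW",
              "cvssv2": {"score": 2.1}}]},
        {"fileName": "clean-lib-2.3.jar", "vulnerabilities": []},
        {"fileName": "other-lib-0.9.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0003", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3}}]},
    ]
})


def vuln_score(vuln):
    """Best available base score: CVSSv3 preferred, CVSSv2 fallback, else 0."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    return float(v2.get("score", 0.0))


def flag_dependencies(report_json, threshold=7.0):
    """Return {fileName: [CVE ids]} for jars with a finding at or above the
    CVSS threshold; clean jars are omitted, so this is the do-not-use list."""
    report = json.loads(report_json)
    flagged = {}
    for dep in report.get("dependencies", []):
        hits = [v["name"] for v in dep.get("vulnerabilities", [])
                if vuln_score(v) >= threshold]
        if hits:
            flagged[dep["fileName"]] = sorted(hits)
    return flagged


if __name__ == "__main__":
    # In practice the report comes from a scan such as
    #   dependency-check.sh --scan /path/to/jars --format JSON --out report/
    # and would be read from report/dependency-check-report.json.
    for jar, cves in flag_dependencies(SAMPLE_REPORT).items():
        print(f"DO NOT USE {jar}: {', '.join(cves)}")
```

Running the scanner through a corporate proxy is configured on the tool itself (the CLI and the Maven plugin both have proxy settings), not in this script.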