oodt-dev mailing list archives

From lewis john mcgibbney <lewi...@apache.org>
Subject Re: CVEs etc
Date Fri, 15 Sep 2017 09:22:16 GMT
More on this Tom and folks...
Some of you may have seen on the news lately that security 101, e.g. patch (and
version) upgrades, is critical...
@Tom, can we possibly have the checks reflected on dev@?
Another option which has been thrown out there is the following
https://www.owasp.org/index.php/OWASP_Dependency_Check
I am by no means stating that any one is more appropriate, I do however
think that a notification mechanism would be very appropriate.
Lewis


On Sat, Sep 9, 2017 at 6:03 AM, Tom Barber <tom@spicule.co.uk> wrote:

> Hi folks
>
> This isn't supposed to be an alarmist email, but quite enlightening all the
> same.
>
> I saw a link to a plugin on the Drill mailing list called Dependency Check
> Report so I wired it into my OODT repo amongst others to see what was
> flagged up since the Struts fallout.
>
> Anyway, of course it's unlikely but not out of the question to run OODT
> fronting on to the interwebs so I think this is decent food for thought as
> to why it's useful to keep dependencies up to date as much as possible.
>
> Here's a selection of the output:
>
> https://www.dropbox.com/s/2ida8dk54yleedo/curator-webapp.html?dl=0
> https://www.dropbox.com/s/wgt1facgjhqiqkq/fmbrowser.html?dl=0
> https://www.dropbox.com/s/o8kqcaktplzjy4y/metadata.html?dl=0
> https://www.dropbox.com/s/cli4pj4jc564f16/pge.html?dl=0
>
> Of course there is a bunch of repetition in there and plenty that aren't
> over the top severe, some may also be false positives, but as we work
> through to OODT 2.0 with the new stuff and chopping out the old stuff,
> reducing these as much as possible I would posture.
>
> Tom
>



-- 
http://home.apache.org/~lewismc/
@hectorMcSpector
http://www.linkedin.com/in/lmcgibbney
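One way to get the "notification mechanism" discussed above out of the Dependency Check plugin Tom wired into his repo is to let the build itself fail once a dependency carries a CVE above a chosen CVSS score. The Maven configuration below is an added example, not taken from the thread or from the OODT project; the version property and the suppression file path are placeholders.

```xml
<!-- Added example: OWASP dependency-check-maven wired into a Maven build.
     ${dependency-check.version} and the suppression file path are placeholders. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>${dependency-check.version}</version>
  <configuration>
    <!-- Fail the build when any dependency has a CVE with CVSS >= 7 (high/critical).
         Without this the plugin only writes a report that nobody has to read. -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <!-- Record reviewed false positives here instead of lowering the threshold. -->
    <suppressionFiles>
      <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <!-- Run the scan on every build rather than only when invoked by hand. -->
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

A CI job that runs `mvn verify` with this configuration turns a flagged dependency into a failed build, which can then be surfaced on dev@ through the existing build notifications.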