[Bug 226206] [New port] security/owasp-dependency-check: Detects publicly disclosed vulnerabilities in project dependencies
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Sun Feb 25 19:22:17 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226206
Bug ID: 226206
Summary: [New port] security/owasp-dependency-check: Detects
publicly disclosed vulnerabilities in project
dependencies
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: https://github.com/jeremylong/DependencyCheck
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: andreas.sommer87 at googlemail.com
Created attachment 191000
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=191000&action=edit
owasp-dependency-check-3.1.1
Dependency-Check is a utility that attempts to detect publicly disclosed
vulnerabilities contained within project dependencies. It does this by
determining if there is a Common Platform Enumeration (CPE) identifier for a
given dependency. If found, it will generate a report linking to the associated
CVE entries.
My use case is audit of NPM/NodeJS module dependencies, but many more analyzers
are supported[0].
See also my proposal to solve NPM module audit on ports level[1]. Even though
there was no interest, this tool is helpful by itself without a complex FreeBSD
infrastructure around it. It can easily be added to any CI since it's a
command-line tool.
Since the build requires a maven repository, it must be provided in distfiles
when committing. It works like in archivers/snappy-java. I could provide help
or a script to easily create the repository from scratch, if wanted by the
committer.
[0] https://jeremylong.github.io/DependencyCheck/analyzers/index.html
[1] https://lists.freebsd.org/pipermail/freebsd-ports/2018-February/112425.html
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-ports-bugs
mailing list