can maven verify patch level of third party jar files
Tim McGuire
Ranch Hand
Joined: Apr 30, 2003
Posts: 819
Hi,
I'm looking for a way to verify that the jar files in a web application have had the latest security patches applied.
For example, Struts 2 versions before Struts 2.3.1.1 have a security hole (https://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/)
I'm looking for an automated way to scan an existing, deployed war file for this and other outdated jar versions.
Eventually the goal is to integrate this scan into our build sequence.
Tim Holloway
Saloon Keeper
Joined: Jun 25, 2001
Posts: 14491
"Patch levels" for Maven-controlled projects are somewhat of a contradiction. Maven is based on the idea of discrete versions of artefacts, not on versions+patches. Patches in the old-fashioned sense, where you could just do a brute-force binary zap, are virtually unheard of any more (in part because in modern-day systems, the compilers optimize intensely on every source change).
If you wanted to scan a produced artefact for component versions, I suppose you could create a mojo for that, but it seems like it would probably be simpler to merely change the dependency versions in the POM to their required levels and do a maven clean/rebuild.
Customer surveys are for companies who didn't pay proper attention to begin with.
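As an added illustration of the scan the original poster asks for (not code from either poster, and not a Maven mojo): the script below opens a WAR, reads every jar under WEB-INF/lib, recovers each jar's artifactId and version from Maven's pom.properties (falling back to the manifest and then the file name), and grades it against a minimum-version policy. The only floor taken from the thread is Struts 2 at 2.3.1.1; the xwork-core entry, the org.example group id and the sample WAR are constructed for the example. Hooked into a build, the non-zero exit status fails the job when an outdated jar is present.

```python
"""Scan the jars inside a WAR for components below a minimum-version policy."""
import io
import re
import sys
import zipfile

# Constructed policy: artifactId -> lowest acceptable version.
# The Struts 2 floor comes from the thread; xwork-core is a made-up entry.
MIN_VERSIONS = {
    "struts2-core": "2.3.1.1",
    "xwork-core": "2.3.1.1",  # hypothetical
}

# name-1.2.3.jar -> artifact "name", version "1.2.3"
FILENAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def version_key(version):
    """Numeric components only, so "2.3.1" < "2.3.1.1". Qualifiers such as
    -SNAPSHOT or -rc1 are ignored: enough to spot a jar below a release
    floor, not enough to rank pre-releases against each other."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def jar_identity(jar_bytes, entry_name):
    """Return (artifactId, version) for one jar: pom.properties first,
    then the manifest's Implementation-Version, then the file name."""
    artifact = version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                text = jar.read(name).decode("utf-8", "replace")
                props = dict(line.split("=", 1) for line in text.splitlines()
                             if "=" in line and not line.startswith("#"))
                artifact = props.get("artifactId", "").strip() or None
                version = props.get("version", "").strip() or None
                break
        if version is None and "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    match = FILENAME_RE.match(entry_name.rsplit("/", 1)[-1])
    if match:  # file name is the last resort for either field
        artifact = artifact or match.group("artifact")
        version = version or match.group("version")
    return artifact, version


def scan_war(war, policy=MIN_VERSIONS):
    """Grade every WEB-INF/lib jar in a WAR given as a path, file object or bytes."""
    if isinstance(war, (bytes, bytearray)):
        war = io.BytesIO(war)
    findings = []
    with zipfile.ZipFile(war) as archive:
        for entry in archive.namelist():
            if not (entry.startswith("WEB-INF/lib/") and entry.endswith(".jar")):
                continue
            artifact, version = jar_identity(archive.read(entry), entry)
            floor = policy.get(artifact)
            if version is None:
                status = "unknown-version"   # cannot be judged; worth a look
            elif floor is None:
                status = "unlisted"          # no policy entry for this artifact
            elif version_key(version) < version_key(floor):
                status = "outdated"
            else:
                status = "ok"
            findings.append({"entry": entry, "artifact": artifact,
                             "version": version, "minimum": floor, "status": status})
    return findings


def outdated(findings):
    return [f["entry"] for f in findings if f["status"] == "outdated"]


def _jar(artifact, version, with_pom=True):
    """Constructed jar containing only Maven metadata and a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if with_pom:
            z.writestr(f"META-INF/maven/org.example/{artifact}/pom.properties",
                       f"#generated\nversion={version}\ngroupId=org.example\n"
                       f"artifactId={artifact}\n")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_sample_war():
    """Constructed WAR: one Struts jar below the floor, one at it, one unlisted
    jar whose identity can only come from its file name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.3.1.jar", _jar("struts2-core", "2.3.1"))
        war.writestr("WEB-INF/lib/xwork-core-2.3.1.1.jar", _jar("xwork-core", "2.3.1.1"))
        war.writestr("WEB-INF/lib/commons-lang-2.6.jar",
                     _jar("commons-lang", "2.6", with_pom=False))
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real WAR path to scan it; with no argument the constructed sample is used.
    results = scan_war(sys.argv[1] if len(sys.argv) > 1 else build_sample_war())
    for f in results:
        print(f"{f['status']:<16} {f['entry']}  {f['artifact']} {f['version']}"
              f"  (minimum {f['minimum']})")
    sys.exit(1 if outdated(results) else 0)
```

Run as `python scan_war.py target/app.war` after `mvn package`, or without arguments to see the sample report. The "unknown-version" and "unlisted" rows are the ones to review by hand: a jar with no recoverable version, or one the policy does not mention, is exactly where an old component hides, so treat the policy dictionary as something to grow rather than a finished list.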