Adding CVE Checks to your build process

Equifax managed to get itself into the headlines for all the wrong reasons by leaving known critical vulnerabilities unpatched.

It’s now one more step you need to add to the build pipeline:

Build, Test, Check for vulnerabilities, Deploy, smoke Test

Gradle managed to add a simple task to do this:

This is very well designed. It creates a detailed report on your dependencies (including transitive ones) and matches these to listed CVE reports. The report can be used to generate the ignore statements needed to mark false positives (typically if you have a private library thats name is close to a know CVE entry).