Adding CVE Checks to your build process

Equifax managed to get itself into the headlines for all the wrong reasons by leaving known critical vulnerabilities unpatched.

It is now one more step you need to add to the build pipeline:

Build, test, check for vulnerabilities, deploy, smoke test

Gradle has a simple task to do this, provided by the OWASP Dependency-Check plugin: https://github.com/jeremylong/DependencyCheck

This is very well designed. It creates a detailed report on your dependencies (including transitive ones) and matches them against published CVE entries. The report can also be used to generate the suppression statements needed to mark false positives (typically when you have a private library whose name is close to that of a known CVE entry).
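As an added example (not code from the original post or from the Dependency-Check project itself), here is a Gradle build script in the Groovy DSL that wires the plugin into the pipeline described above, so the "check for vulnerabilities" step runs as part of `gradle check` and fails the build on serious findings. The plugin id, extension block and task names are real; the plugin version, the sample dependency and the suppression-file path are placeholders to adapt.

```groovy
// Added example: wiring OWASP Dependency-Check into a Gradle build.
// Not the original post's code. The plugin id, the dependencyCheck extension
// and the dependencyCheckAnalyze task are real; the version, the dependency
// coordinates and the suppression-file path are placeholders.
plugins {
    id 'java'
    id 'org.owasp.dependencycheck' version 'X.Y.Z'   // placeholder: pin the current plugin release
}

repositories {
    mavenCentral()
}

dependencies {
    // placeholder dependency; its transitive dependencies are scanned as well
    implementation 'com.example:some-library:1.0'
}

dependencyCheck {
    // Fail the build when any dependency matches a CVE with a CVSS score at or above this value.
    failBuildOnCVSS = 7.0f

    // Scan only what actually ships; test-only and compile-only configurations add noise to the report.
    scanConfigurations = ['runtimeClasspath']

    // Human-readable report for developers plus JSON for downstream tooling.
    formats = ['HTML', 'JSON']

    // Suppressions for false positives (e.g. a private library whose name
    // resembles an artefact with a published CVE). Path is a placeholder.
    suppressionFile = 'config/dependency-check-suppressions.xml'
}

// Make the vulnerability scan part of the normal verification phase:
// `gradle check` now runs build -> test -> dependencyCheckAnalyze.
check.dependsOn 'dependencyCheckAnalyze'
```

Usage note: run `gradle check` (or `gradle dependencyCheckAnalyze` on its own) and read `build/reports/dependency-check-report.html`. When the report flags a false positive, the HTML report can generate the matching suppression snippet, which goes into the file named by `suppressionFile`; keep that file under version control so suppressions are reviewed like any other change. The first run downloads the NVD data and is slow, so in CI cache the plugin's data directory between builds; recent plugin versions also expect an NVD API key, configured through the `nvd { apiKey = ... }` block.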
