Adding CVE Checks to your build process

Equifax managed to get itself into the headlines for all the wrong reasons by leaving known critical vulnerabilities unpatched.

It’s now one more step you need to add to the build pipeline:

Build, Test, Check for vulnerabilities, Deploy, smoke Test

Gradle managed to add a simple task to do this:

This is very well designed. It creates a detailed report on your dependencies (including transitive ones) and matches these to listed CVE reports. The report can be used to generate the ignore statements needed to mark false positives (typically if you have a private library thats name is close to a know CVE entry).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s