layout | title | permalink | sitemap | ||||
---|---|---|---|---|---|---|---|
default |
Dependency Vulnerabilities Check |
/dependency-vulnerabities-check/ |
|
JHipster uses many technologies, and the project is very careful at selecting them. But maybe the project missed one vulnerability in those many dependencies, or maybe you added or updated one dependency that triggered a new vulnerability.
According to OWASP Top 10 Most Critical Web Application Security Risks, using Components (ie. dependencies) with known vulnerabilities is ranked 9th, and there are many known stories of security breaches provided by (malicious or not) third-party dependencies.
Proposing a dependency check by default in JHipster build has been discussed a couple of times (#6329, #8191). To summarise, it is complicated to have a realistic report (removing false-positive) and context dependent (security is always a trade off between the actual risk/criticity and the effort to prevent it).
However we highly recommend using a dependency analysis tool such as Dependabot or Snyk if you are using JHipster in production.
If you found a vulnerability in one of JHipster's dependencies, please check if there is not an existing issue already opened on that vulnerability.
If nothing is mentioned, please send us a security vulnerability report privately. Please read our security policy on how to send one. Include steps to reproduce the exploit, security report, blog post, etc.
Be sure that the JHipster team is committed to provide a high-quality, enterprise-ready and secure development stack and that this issue will be a top priority for us.
To check if a Java dependency has a known Common Vulnerabilities and Exposures (aka. CVE), visit the NIST National Vulnerability Database which maintains an up-to-date list.
The OWASP project provides Maven and Gradle plugins to check the whole dependency chain automatically, generate a report and even block a build (not recommended, it can be very aggressive when doing continuous integration).
Here is the documentation explaining how to read the dependency check report.
See the OWASP Maven Dependency Check plugin documentation
Add the owasp dependency-check plugin:
<build>
...
<plugins>
...
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.2.4</version>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
..
</plugins>
...
</build>
Running ./mvnw verify
will generate a dependency check report under the target
directory.
See the OWASP Gradle Dependency Check plugin documentation
Update the build.gradle
file to apply the OWASP dependency-check-gradle plugin.
plugins {
// Add the plugin in the existing plugins block
id "org.owasp.dependencycheck" version "5.2.4"
}
if(project.hasProperty('strict-security')) {
check.dependsOn dependencyCheckAnalyze
}
Running ./gradlew dependencyCheckAnalyze
generates a dependency check report inside the build/report
directory.
Updating continuous integration builds with a dependency check is done by running ./gradlew check -Pstrict-security
Since version 6, NPM includes a security audit by default for each dependency installation. Check the About security audits page for more information.