From: Andreas Sommer
Subject: Committer needed for security/owasp-dependency-check
To: freebsd-ports@freebsd.org
Message-ID: <27f7911e-ca35-7b8c-13da-710e0a79e280@googlemail.com>
Date: Fri, 30 Mar 2018 20:28:41 +0200

Hi all,

[New port] security/owasp-dependency-check: Detects publicly disclosed vulnerabilities in project dependencies
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226206

Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It searches several databases for CVEs and other issues and creates a report based on the dependencies found for a project (example: package.json for a nodejs/npm/yarn-based project). With machine-readable output options, it is easy to integrate with CI and can be used to audit software vulnerabilities automatically. The tool is also under constant development under the patronage of OWASP.

The committer would benefit from familiarity with Java/Maven, but it's not too hard... I'm a ports beginner and could figure it out: for the fetch phase, a maven repository (incl. all dependencies) is created (would have to be uploaded to distfiles for each update of the port; simple script can be provided) and the application and all its dependencies are bundled into a JAR for packaging it standalone. I took the idea from archivers/snappy-java.

Thank you,
Andreas
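The CI integration the mail alludes to, as an added example that is neither the port's nor the tool's own code: a small gate that reads a Dependency-Check JSON report and fails the build when any CVE reaches a CVSS threshold. The report field names and the embedded sample report (with placeholder CVE ids) are assumptions constructed for the example, not taken from the tool's documentation.

```python
"""CI gate over a Dependency-Check JSON report (added example, not the port's code).
Assumed report shape (not taken from the tool's docs): `dependencies[]`, each with
`fileName` and `vulnerabilities[]` carrying `name` plus a `cvssv3.baseScore`
or `cvssv2.score`. The sample below is constructed, with placeholder CVE ids.
"""
import json

SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "package.json?left-pad", "vulnerabilities": []},
    {"fileName": "package.json?some-lib", "vulnerabilities": [
        {"name": "CVE-PLACEHOLDER-0001", "cvssv3": {"baseScore": 8.1}},
        {"name": "CVE-PLACEHOLDER-0002", "cvssv2": {"score": 2.6}}]},
    {"fileName": "package.json?other-lib", "vulnerabilities": [
        {"name": "CVE-PLACEHOLDER-0003", "cvssv3": {"baseScore": 9.8}},
        {"name": "CVE-PLACEHOLDER-0004"}]},  # unscored entry
]})


def vuln_score(vuln):
    """Prefer the CVSS v3 base score, fall back to v2; unscored entries count as 0.0."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    return float(v2.get("score", 0.0))


def findings_at_or_above(report_text, threshold):
    """(dependency, cve, score) triples meeting the threshold, highest score first."""
    report = json.loads(report_text)
    hits = [(dep["fileName"], vuln["name"], vuln_score(vuln))
            for dep in report.get("dependencies", [])
            for vuln in dep.get("vulnerabilities", [])
            if vuln_score(vuln) >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def ci_gate(report_text, threshold=7.0):
    """Exit status for a CI step: 0 when nothing reaches the threshold, 1 otherwise."""
    hits = findings_at_or_above(report_text, threshold)
    for dep, cve, score in hits:
        print(f"FAIL {score:4.1f} {cve} in {dep}")  # surface each blocking finding
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_REPORT))
```

Unscored entries are deliberately treated as 0.0 so that a missing score never blocks a build silently; raise the threshold or lower it per project to tune how strict the gate is.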