Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 25 Feb 2018 19:22:15 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 226206] [New port] security/owasp-dependency-check: Detects publicly disclosed vulnerabilities in project dependencies
Message-ID:  <bug-226206-13@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D226206

            Bug ID: 226206
           Summary: [New port] security/owasp-dependency-check: Detects
                    publicly disclosed vulnerabilities in project
                    dependencies
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://github.com/jeremylong/DependencyCheck
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: andreas.sommer87@googlemail.com

Created attachment 191000
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D191000&action=
=3Dedit
owasp-dependency-check-3.1.1

Dependency-Check is a utility that attempts to detect publicly disclosed
vulnerabilities contained within project dependencies. It does this by
determining if there is a Common Platform Enumeration (CPE) identifier for a
given dependency. If found, it will generate a report linking to the associ=
ated
CVE entries.

My use case is audit of NPM/NodeJS module dependencies, but many more analy=
zers
are supported[0].

See also my proposal to solve NPM module audit on ports level[1]. Even thou=
gh
there was no interest, this tool is helpful by itself without a complex Fre=
eBSD
infrastructure around it. It can easily be added to any CI since it's a
command-line tool.

Since the build requires a maven repository, it must be provided in distfil=
es
when committing. It works like in archivers/snappy-java. I could provide he=
lp
or a script to easily create the repository from scratch, if wanted by the
committer.

[0] https://jeremylong.github.io/DependencyCheck/analyzers/index.html
[1] https://lists.freebsd.org/pipermail/freebsd-ports/2018-February/112425.=
html

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-226206-13>