quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Docs: security-vulnerability-detection #37491

Open fedinskiy opened 8 months ago

fedinskiy commented 8 months ago

Describe the bug

I went through the Security vulnerability detection and reporting in Quarkus guide [1] and found the following issues:

  1. The configuration described in this guide will not even start the plugin. According to the random guide [2] I was able to find, it requires adding an execution segment [3] to the plugin configuration.
  2. The property failBuildOnCVSS and the value 7 are not explained. If I want to detect less severe vulnerabilities, do I need to change it to 6 or to 8? (From my investigation it should be 6, since this property describes the minimal severity of an existing CVE which can trigger the build failure.)
  3. A notice about the long time spent on the first run should be added; this check probably should not be run on ephemeral CI nodes, unless the file ~/.m2/repository/org/owasp/dependency-check-data/7.0/odc.mv.db is copied there.
  4. I presume that the code sample with the suppressions tag describes the content of a file named dependency-cpe-suppression.xml in the root folder of the module, but that is not described anywhere in the text.
  5. The current suppression example is not very informative, as it shows only how to suppress all CPEs for a dependency. As a user, I want to know the answers to the following questions: How can I suppress a notice of some particular vulnerability? How can I raise the tolerance level for a single dependency? How can I exclude a single version of a dependency?

[1] https://quarkus.io/version/main/guides/security-vulnerability-detection
[2] https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
[3]

<plugin>
  <...>
  <version>8.3.1</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <...>
  </configuration>
</plugin>

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response
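As an added example (not from this issue or from the Quarkus guide) of the three suppression cases asked about in item 5, here is a dependency-cpe-suppression.xml for OWASP dependency-check that suppresses one CVE for one dependency, raises the tolerance for a single dependency, and scopes a suppression to one pinned version. The coordinates org.example/some-lib and org.example/internal-tool and the CVE id are placeholders; the file is wired in through the plugin's suppressionFile parameter.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-cpe-suppression.xml: kept in the module root and referenced from
     the dependency-check-maven <suppressionFile> parameter. Every <suppress>
     must carry <notes> so reviewers can see why a finding was accepted.
     Coordinates are assumed; CVE-YYYY-NNNNN is a placeholder, not a real id. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- 1. Suppress one specific vulnerability for one dependency only.
       Any other CVE reported against this artifact still fails the build. -->
  <suppress>
    <notes><![CDATA[
      CVE-YYYY-NNNNN does not apply: the affected class is never loaded.
      Reviewed by: security team, ticket: (placeholder)
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/some\-lib@.*$</packageUrl>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>

  <!-- 2. Raise the tolerance for a single dependency: hide findings scoring
       below CVSS 8.0 on this artifact while the global failBuildOnCVSS
       threshold (e.g. 7) keeps applying to everything else. -->
  <suppress>
    <notes><![CDATA[Internal-only tool, never exposed to untrusted input.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/internal\-tool@.*$</packageUrl>
    <cvssBelow>8</cvssBelow>
  </suppress>

  <!-- 3. Scope a suppression to one exact version: the regex pins the version
       part of the package URL, so an upgrade is re-checked automatically.
       The until attribute (ISO date with Z suffix) expires the suppression
       so a forgotten entry cannot hide findings forever. -->
  <suppress until="2024-12-31Z">
    <notes><![CDATA[Only 1.2.3 is affected by this finding; remove once upgraded.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/some\-lib@1\.2\.3$</packageUrl>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>
</suppressions>
```

Run the check goal once after editing the file and diff the report against the previous run to confirm that only the intended findings disappeared.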

quarkus-bot[bot] commented 8 months ago

/cc @sberyozkin (security)

fedinskiy commented 8 months ago

Also, https://github.com/quarkusio/quarkus/labels/area%2Fdocumentation