zalando / zalenium

A flexible and scalable container based Selenium Grid with video recording, live preview, basic auth & dashboard.
https://opensource.zalando.com/zalenium/

Any know vulnerability and solution document for zalenium #674

Closed barahate90 closed 6 years ago

barahate90 commented 6 years ago

Zalenium Image Version(s): 3.12.0

Docker Version: 18.03.1-ce

Recently I scanned the zalenium project with the "OWASP Dependency-Check Maven Plugin". It looks like a few dependencies in zalenium have vulnerabilities.

Here I have provided the report of the scan; if you have any solution or approach to solve the listed vulnerabilities, please let me know.

dependency-check-report.zip

diemol commented 6 years ago

Hi @barahate90,

Thanks for taking the time to check Zalenium with the OWASP tool. Nevertheless, the vulnerabilities are in the dependencies and I guess they need to be fixed there... I am not sure how to proceed. Do you have any suggestions or solutions?

barahate90 commented 6 years ago

Hi @diemol ,

Yes, most of the vulnerabilities are related to transitive dependencies, and I agree that they have to be fixed by the respective dependency vendors.

But as a best practice, could you maintain a tracker of known vulnerabilities and possible CVE codes, with the risk factor associated with each?

The only way I can think of to solve these vulnerabilities is waiting for the vendor to resolve the vulnerability and then updating the zalenium POM with the new dependency version.

If you think of any better approach, let's explore that.

diemol commented 6 years ago

Makes sense; nevertheless, we don't have the bandwidth for the vulnerabilities tracker for now. Perhaps you would like to help us and add it to the Travis builds whenever a new release is pushed. The HTML report could be embedded in the GitHub docs and then linked from any given page.

barahate90 commented 6 years ago

I have added the OWASP Maven plugin to pom.xml and checked locally that it generates the report in the target folder.

Updated pom file: https://github.com/barahate90/zalenium/blob/master/pom.xml

Command specific to the OWASP task: mvn clean install org.owasp:dependency-check-maven:check

Issue: I am trying to add this to Travis, but the build fails every time. Travis file: https://github.com/barahate90/zalenium/blob/master/.travis.yml

The gist of the logs [unitTesting step]: https://gist.github.com/barahate90/3b1589428c6287b746befe19b27c67e6

Most of the logs show permission-related issues while building the project using Travis.

Please provide some direction so that I can add this to the Travis build and we can maintain a vulnerability tracker.
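A small script for the "vulnerability tracker" discussed above, added here as an example and not part of this thread or of the Zalenium project: it reads the JSON report that dependency-check can write next to the HTML one and turns it into a Markdown table of CVEs with their CVSS risk, de-duplicating a CVE that hits several transitive jars, plus a maximum-score helper a CI job could compare against a threshold. The report field names are assumed from the plugin's JSON schema and the sample report is constructed with placeholder CVE ids.

```python
import json

# Constructed sample in the layout of dependency-check's JSON report
# (target/dependency-check-report.json); the field names are assumed from
# the plugin's schema, so check them against the plugin version you run.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "example-lib-1.0.jar", "vulnerabilities": [
        {"name": "CVE-0000-0001", "severity": "HIGH",
         "cvssv3": {"baseScore": 7.5}, "cvssv2": {"score": 5.0}},
        {"name": "CVE-0000-0002", "severity": "MEDIUM",
         "cvssv2": {"score": 4.3}}]},
    {"fileName": "clean-lib-2.1.jar"},
    {"fileName": "other-lib-3.2.jar", "vulnerabilities": [
        {"name": "CVE-0000-0001", "severity": "HIGH",
         "cvssv3": {"baseScore": 7.5}}]}]})


def cvss_score(vuln):
    """Prefer the CVSSv3 base score, fall back to CVSSv2, else 0.0."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore", v2.get("score", 0.0)))


def build_tracker(report_json):
    """Map each CVE to its score, severity and every affected artifact,
    so a CVE hitting several transitive jars is listed once."""
    tracker = {}
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            entry = tracker.setdefault(vuln["name"], {
                "score": cvss_score(vuln),
                "severity": vuln.get("severity", "UNKNOWN"),
                "artifacts": []})
            entry["artifacts"].append(dep["fileName"])
    return tracker


def render_markdown(tracker):
    """Markdown table sorted by descending CVSS, ready to drop into the docs."""
    rows = ["| CVE | CVSS | Severity | Affected artifacts |", "|---|---|---|---|"]
    for cve, e in sorted(tracker.items(), key=lambda kv: -kv[1]["score"]):
        rows.append(f"| {cve} | {e['score']:.1f} | {e['severity']} | "
                    f"{', '.join(sorted(e['artifacts']))} |")
    return "\n".join(rows)


def max_score(tracker):
    """Highest CVSS in the report; compare against a threshold to gate CI."""
    return max((e["score"] for e in tracker.values()), default=0.0)
```

Running `render_markdown(build_tracker(open("target/dependency-check-report.json").read()))` after the Maven check goal produces the table that could be committed to the docs on each release.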

diemol commented 6 years ago

What permission-related issues do you mean? I checked and mostly saw that there was an error downloading kubectl and an error reporting the coverage in the unit tests.

For the security check, the error seems to be in the file copy command you added. Please double-check that. Also keep in mind that the file needs to be committed to the repo and added somewhere to the docs.

barahate90 commented 6 years ago

@diemol I have made a few changes to the approach. Now I am scanning the project using the tool Blackduck.

[updated travis](https://github.com/barahate90/zalenium/blob/master/.travis.yml)

Line added:

after_success:

Visit this repo: https://github.com/barahate90/zalenium and notice the badge.


You can find the detailed report with resolutions using this tool.

Alternatively, we have tools like snyk.io (https://app.snyk.io), which performs the same work, and the OWASP Maven plugin.

diemol commented 6 years ago

Sure, that looks fine, but please also document somewhere in the README what that badge means.

diemol commented 6 years ago

Closing this one as the PR was not sent; in any case, we can continue it when the PR is sent.