Security vulnerability detection and reporting in Quarkus

Most of the Quarkus tags are registered in the US National Vulnerability Database (NVD) in Common Platform Enumeration (CPE) name format.

US National Vulnerability Database

To view the registered Quarkus CPE names in the US NVD, use the following search URL:

If the NVD database flags a CVE against a Quarkus tag, a link with more details about the CVE is added to the corresponding CPE name entry.

The NVD CPE team updates the list regularly, but if you encounter a false positive, report the details by creating an issue in the quarkusio repository.

Detect vulnerabilities in Quarkus at build time

You can detect vulnerabilities at application build time against an NVD feed by using the Maven OWASP Dependency-check-maven plugin.

To add the Open Worldwide Application Security Project (OWASP) Dependency-check-maven plugin to your Quarkus Maven project, add the following XML configuration to the pom.xml file:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>${owasp-dependency-check-plugin.version}</version>
</plugin>

Set the owasp-dependency-check-plugin.version property (for example, in the <properties> section of the pom.xml file) to 8.3.1 or later. The plugin needs network access to download the NVD data on the first run and to refresh it afterwards; plugin versions 9.0 and later fetch that data through the NVD API, which is tightly rate limited unless you configure an NVD API key.

Next, configure the plugin as follows:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>${owasp-dependency-check-plugin.version}</version>
    <configuration>
        <!-- Fail only when detecting High Vulnerability issues -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <suppressionFiles>
            <suppressionFile>${project.basedir}/dependency-cpe-suppression.xml</suppressionFile>
        </suppressionFiles>
    </configuration>
</plugin>

failBuildOnCVSS is the minimum CVSS score that fails the build; lower it to fail on less severe issues as well. A lower threshold also surfaces more false positives, which you suppress in the suppression file referenced above, for example:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
    <!--
        This is a CPE suppression file for the maven dependency check plugin.
        Each CPE that is matched in error (false positive) needs to be suppressed for a specific jar using its GAV.
        See https://jeremylong.github.io/DependencyCheck/general/suppression.html
     -->
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for netty-tcnative-classes to netty
            ]]>
        </notes>
        <gav regex="true">^io\.netty:netty-tcnative-classes.*:.*$</gav>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for Quarkus Mutiny to mutiny:mutiny
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for Smallrye Mutiny to mutiny:mutiny
            ]]>
        </notes>
        <gav regex="true">^io\.smallrye\.reactive:mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for Smallrye Mutiny to mutiny:mutiny
            ]]>
        </notes>
        <gav regex="true">^io\.smallrye\.reactive:smallrye-mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for Smallrye Mutiny to mutiny:mutiny
            ]]>
        </notes>
        <gav regex="true">^io\.smallrye\.reactive:vertx-mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for graal-sdk to GraalVM (the JVM distribution)
            ]]>
        </notes>
        <gav regex="true">^org\.graalvm\.sdk:graal-sdk.*:.*$</gav>
    </suppress>
</suppressions>

Review and update the suppression list regularly so that the results stay current. You can optionally apply a time limit to an individual suppression by adding an until attribute (a date, optionally followed by Z, as in the following example); once that date has passed, the suppression no longer applies and the finding reappears in the report:

<suppress until="2022-01-01Z">…​</suppress>

Adjust the expiry date as needed.
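Reviewing a suppression file by hand is easy to forget, so the following script, added here as an example and not part of the Quarkus project or the dependency-check plugin, audits a suppression file of the kind shown above: it parses each suppress entry, reads its until attribute, and reports which rules have expired, which are still active, and which are open-ended and will silence a finding forever. The embedded suppression XML is a constructed sample derived from the entries above, with invented until dates; the function and variable names are this example's own.

```python
"""Audit an OWASP dependency-check suppression file for stale or open-ended rules."""
from __future__ import annotations

import datetime as dt
import xml.etree.ElementTree as ET

# Namespace declared by the suppression schema used in the sample file above.
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd"}

# Constructed sample, not a real project file: three entries modelled on the page's list,
# one already expired, one with a future expiry, and one without any time limit.
SAMPLE_SUPPRESSIONS = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
    <suppress until="2022-01-01Z">
        <notes>Suppress the false positive CPE for netty-tcnative-classes to netty</notes>
        <gav regex="true">^io\.netty:netty-tcnative-classes.*:.*$</gav>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>
    <suppress until="2099-06-30">
        <notes>Suppress the false positive CPE for Smallrye Mutiny to mutiny:mutiny</notes>
        <gav regex="true">^io\.smallrye\.reactive:mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>Suppress the false positive CPE for graal-sdk to GraalVM (the JVM distribution)</notes>
        <gav regex="true">^org\.graalvm\.sdk:graal-sdk.*:.*$</gav>
    </suppress>
</suppressions>
"""

# Selector elements a <suppress> rule may use to pick the dependency it applies to.
SELECTOR_TAGS = ("gav", "packageUrl", "filePath", "sha1")


def parse_until(value: str) -> dt.date:
    """The until attribute is a calendar date; the trailing 'Z' seen in the docs is optional."""
    return dt.date.fromisoformat(value.rstrip("Z"))


def describe_rule(rule: ET.Element) -> str:
    """Summarise a rule as '<selector> -> <cpe>' so a reviewer can recognise it in the output."""
    selector = "<no selector>"
    for tag in SELECTOR_TAGS:
        element = rule.find(f"s:{tag}", NS)
        if element is not None and element.text:
            selector = element.text.strip()
            break
    cpe = rule.find("s:cpe", NS)
    # A rule without <cpe> (or <cve>) suppresses every CPE match for that dependency.
    target = cpe.text.strip() if cpe is not None and cpe.text else "<all CPEs>"
    return f"{selector} -> {target}"


def audit_suppressions(xml_text: str, today_iso: str) -> dict[str, list[str]]:
    """Classify every <suppress> rule relative to the given date (ISO yyyy-mm-dd).

    expired:    until date is in the past, so the rule no longer silences anything
    active:     until date is today or later
    open_ended: no until attribute, so the rule never expires and deserves a manual look
    """
    today = dt.date.fromisoformat(today_iso)
    root = ET.fromstring(xml_text)
    report: dict[str, list[str]] = {"expired": [], "active": [], "open_ended": []}
    for rule in root.findall("s:suppress", NS):
        label = describe_rule(rule)
        until = rule.get("until")
        if until is None:
            report["open_ended"].append(label)
        elif parse_until(until) < today:
            report["expired"].append(label)
        else:
            report["active"].append(label)
    return report


def needs_review(report: dict[str, list[str]]) -> bool:
    """True when any rule has expired or has no expiry, i.e. the list should be revisited."""
    return bool(report["expired"] or report["open_ended"])


if __name__ == "__main__":
    result = audit_suppressions(SAMPLE_SUPPRESSIONS, dt.date.today().isoformat())
    for bucket, labels in result.items():
        print(f"{bucket}:")
        for label in labels:
            print(f"  {label}")
    raise SystemExit(1 if needs_review(result) else 0)
```

Pointing the script at the real ${project.basedir}/dependency-cpe-suppression.xml and running it in CI next to the dependency-check goal turns the "review regularly" advice into a failing job: an expired rule means a previously silenced CPE match is back in the report and must be re-triaged, and an open-ended rule is a standing blind spot that should get an until date.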