Secure Coding mailing list archives

Security in open source components


From: Grant Murphy <gmurphy () redhat com>
Date: Fri, 28 Sep 2012 09:10:44 +1000

I don't have the original mail but some time ago a thread on this list
mentioned this article:

http://www.sonatype.com/Products/Why-Sonatype/Reduce-Security-Risk/Security-Brief

It might be of interest to you that the Red Hat Security Response Team
has put together a database containing fingerprints of vulnerable Maven
artifacts. We have just recently released a Maven Enforcer rule that
scans a project's dependencies against the entries in this database.

An example of the configuration options and the source code is available
here:

  https://github.com/gcmurphy/enforce-victims-rule

Try it out. I would be interested to get your feedback.

Regards,

Grant Murphy | Red Hat Product Security Team


_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
