Integrate CVE checks into the build #916
Comments
hi @torsten-liermann ; thanks for raising your concerns here! On our end we run a weekly job to triage any CVEs reported by https://github.com/dependency-check/dependency-check-gradle, and also maintain a suppressions file with records for those netty items: rewrite-maven-plugin/suppressions.xml (lines 109 to 124 in 5f07731).
It's a bit of a long shot, but did you try the version released two days ago as well?
I'm also curious to hear what versions would be acceptable to your IQ Server, as we run a different process, but can reasonably bump where needed.
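For readers who want to reproduce the kind of gate the comment above describes (a dependency-check-gradle scan with a suppressions file for triaged findings, failing on the same CVSS threshold the IQ Server applied), here is an added example build file. It is not the rewrite-maven-plugin's own build script; the plugin version, the `suppressions.xml` path and the sample dependency coordinates are assumptions, with the coordinates taken from the artifacts reported in this issue.

```groovy
// Added example (not the project's own build.gradle): run the OWASP
// dependency-check-gradle plugin as part of `gradle check` and fail the
// build on any finding with CVSS >= 7, mirroring the IQ Server policy above.
plugins {
    id 'java'
    id 'org.owasp.dependencycheck' version '9.0.9'   // assumed plugin version
}

repositories {
    mavenCentral()
}

dependencies {
    // Constructed sample: the reactor-netty coordinates flagged in this issue
    implementation 'io.projectreactor.netty:reactor-netty-core:1.0.32'
    implementation 'io.projectreactor.netty:reactor-netty-http:1.0.32'
}

dependencyCheck {
    // Fail the build for any CVE whose CVSS score is 7.0 or higher
    failBuildOnCVSS = 7.0f

    // Triaged findings are recorded in a suppressions file (assumed path) with a
    // note per entry, so an accepted CVE is documented rather than silently ignored
    suppressionFile = 'suppressions.xml'

    // Only scan what actually ends up on the runtime classpath
    scanConfigurations = ['runtimeClasspath']

    analyzers {
        // No .NET assemblies in a JVM project; skip the analyzer that needs dotnet
        assemblyEnabled = false
    }
}

// Wire the scan into the normal verification lifecycle so CI cannot skip it
check.dependsOn 'dependencyCheckAnalyze'
```

With this in place, `gradle check` runs `dependencyCheckAnalyze` and fails when an unsuppressed finding meets the threshold; the suppressions file is the place to record why a specific CVE was accepted, and each entry should name the CVE and the package it applies to so a different CVE against the same artifact is still reported.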
Result of version 5.47.0:
org.jetbrains.kotlin:kotlin-compiler-embeddable:1.9.25 => Found security vulnerability CVE-2022-3509 with severity >= 7 (severity = 7.5), Found security vulnerability CVE-2022-3509 with severity < 9 (severity = 7.5)
io.projectreactor.netty:reactor-netty-core:1.0.32 => Found security vulnerability CVE-2023-34054 with severity >= 7 (severity = 7.5), Found security vulnerability CVE-2023-34054 with severity < 9 (severity = 7.5) (better is 1.0.39 .. 1.0.48)
io.projectreactor.netty:reactor-netty-http:1.0.32 => Found security vulnerability CVE-2023-34062 with severity >= 7 (severity = 7.5), Found security vulnerability CVE-2023-34062 with severity < 9 (severity = 7.5) (better is 1.0.39 .. 1.0.48)
The Maven plugin cannot be executed in a secured network. All Maven artifacts are retrieved via a dedicated repository manager. Artifacts from the public network undergo a security review, which is conducted using the Sonatype IQ Server.
Maven is invoked from the command line as follows:
mvn org.openrewrite.maven:rewrite-maven-plugin:5.46.3:run
These artifacts are intercepted by the IQ Server:
org.jetbrains.kotlin : kotlin-compiler-embeddable
io.projectreactor.netty : reactor-netty-core
io.projectreactor.netty : reactor-netty-http
Surely, a similar verification process can be integrated into the build of the Maven plugin and the OpenRewrite software.
Thanks!