The English version of quarkus.io is the official project site. Translated sites are community supported on a best-effort basis.

Security vulnerability detection and reporting in Quarkus

Most of the Quarkus tags are registered in the US National Vulnerability Database (NVD) in Common Platform Enumeration (CPE) name format.

US National Vulnerability Database

To view the registered Quarkus CPE names in the US NVD, use the following search URL:

If the NVD database flags a CVE against a Quarkus tag, a link that provides more details about the CVE is added to the given CPE name entry.

NVD CPE团队会定期更新列表,但如果您遇到一个异常,请在 quarkusio 仓库中创建一个issue来报告细节。

Detect vulnerabilities in Quarkus at build time

You can detect the vulnerabilities at the application build time with an NVD feed by using the Maven OWASP Dependency-check-maven plugin.

To add the Open Worldwide Application Security Project (OWASP) Dependency-check-maven plugin to your Quarkus Maven project, add the following XML configuration to the pom.xml file:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>${owasp-dependency-check-plugin.version}</version>
</plugin>

Set the owasp-dependency-check-plugin.version value to 8.3.1 or later.

您可以像这样配置该插件:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>${owasp-dependency-check-plugin.version}</version>
    <configuration>
        <!-- Fail only when detecting High Vulnerability issues -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <suppressionFiles>
            <suppressionFile>${project.basedir}/dependency-cpe-suppression.xml</suppressionFile>
        </suppressionFiles>
    </configuration>
</plugin>

To detect less severe issues, adjust the value of failBuildOnCVSS to suppress the false positives, as demonstrated in the following code sample:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
    <!--
        This is a CPE suppression file for the maven dependency check plugin.
        Each CPE that is found by error (false positive) needs to be suppressed for a specific jar using its' GAV.
        See https://jeremylong.github.io/DependencyCheck/general/suppression.html
     -->
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for netty-tcnative-classes to netty
            ]]>
        </notes>
        <gav regex="true">^io\.netty:netty-tcnative-classes.*:.*$</gav>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for Quarkus Mutiny to mutiny:mutiny
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for Smallrye Mutiny to mutiny:mutiny
            ]]>
        </notes>
        <gav regex="true">^io\.smallrye\.reactive:mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for Smallrye Mutiny to mutiny:mutiny
            ]]>
        </notes>
        <gav regex="true">^io\.smallrye\.reactive:smallrye-mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for Smallrye Mutiny to mutiny:mutiny
            ]]>
        </notes>
        <gav regex="true">^io\.smallrye\.reactive:vertx-mutiny.*:.*$</gav>
        <cpe>cpe:/a:mutiny:mutiny</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for graal-sdk to GraalVM (the JVM distribution)
            ]]>
        </notes>
        <gav regex="true">^org\.graalvm\.sdk:graal-sdk.*:.*$</gav>
    </suppress>
</suppressions>

确保您会检查和更新这个suppression列表以保证结果是及时更新的。 您可以选择通过添加过期属性来对单个的suppression项目应用一个时间限制,如下面所示:

<suppress until="2022-01-01Z">…​</suppress>

You can adjust the expiry date if you need to.

Related content