Create JSON files to mark repackaging libraries as non-vulnerable
henrikplate opened this issue
Is your feature request related to a problem? Please describe.
Since version 3.1.0, Steady also detects repackaged libraries (where the original Java package names have been modified before being rebundled/included) by checking whether a given Java archive contains pom.xml files of other projects. For every repackaged library, all its vulnerabilities are then reported for the rebundling library. However, this ignores that the repackaging library could use the vulnerable, repackaged library in a secure way, thus, the vulnerability will never be exploitable (regardless of how the repackaging library is used by applications). To overcome this problem, a Steady administrator has to mark the repackaging library as non-vulnerable with respect to the vulnerability of the repackaged library.
Describe the solution you'd like
To reduce manual efforts of application developers and Steady admins, it would be nice if a JSON file and shell script can be generated during the execution of the REPORT goal (for all exempted vulnerabilities). The application developer will be able to use both those files in order to mark the repackaging library as non-vulnerable himself (by performing a HTTP POST request to the rest-backend).
Describe alternatives you've considered
None.
Additional context
Todo: Provide example
Implemented with #319
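The detection heuristic the issue refers to (an archive carrying pom.xml files of projects other than its own) can be reproduced in a few lines. The following is an added example, not Steady's own code; the Maven coordinates and the in-memory archive are constructed for the demo, and the coordinates are read from the `META-INF/maven/<groupId>/<artifactId>/pom.xml` path layout that Maven-built archives use.

```python
"""Added example (not Steady's code): flag repackaged libraries by listing
the pom.xml files of other projects found inside a Java archive."""
import io
import zipfile


def bundled_projects(jar_bytes):
    """Return the set of (groupId, artifactId) for every pom.xml under META-INF/maven/."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            parts = name.split("/")
            # Maven layout: META-INF/maven/<groupId>/<artifactId>/pom.xml
            if len(parts) == 5 and parts[:2] == ["META-INF", "maven"] and parts[4] == "pom.xml":
                found.add((parts[2], parts[3]))
    return found


def repackaged_projects(jar_bytes, own_coords):
    """Projects rebundled into the archive: every pom.xml that is not the archive's own.

    A non-empty result is what triggers reporting the bundled project's
    vulnerabilities against the rebundling library."""
    return bundled_projects(jar_bytes) - {own_coords}


def build_sample_jar(entries):
    """Build a constructed sample archive in memory (hypothetical coordinates)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a shaded jar whose own coordinates are org.example:shaded-app
# and which rebundles a second, renamed project under org/example/shaded/thirdparty/.
SAMPLE_JAR = build_sample_jar({
    "META-INF/maven/org.example/shaded-app/pom.xml": "<project/>",
    "META-INF/maven/org.example/shaded-app/pom.properties": "",
    "META-INF/maven/com.thirdparty/repackaged-lib/pom.xml": "<project/>",
    "org/example/shaded/thirdparty/Foo.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    for group, artifact in sorted(repackaged_projects(SAMPLE_JAR, ("org.example", "shaded-app"))):
        print(f"repackaged project found: {group}:{artifact}")
```

Each flagged coordinate pair is the candidate for the per-vulnerability exemption the issue asks to automate; the check says nothing about whether the rebundling code actually reaches the vulnerable code, which is why that exemption remains a manual, reviewed decision.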