Security scanning for Maven now available in OCI DevOps

May 18, 2022 | 3 minute read
Doug Clarke
Director of Software Development
Jonathan Schreiber
Sr. Principal Product Manager
Text Size 100%:

We’re excited to announce the general availability of security scanning for package vulnerabilities in Oracle Cloud Infrastructure (OCI) DevOps service's build pipeline in conjunction with the new Application Dependency Management service. Application Dependency Management maintains an expert curated database of vulnerabilities and their relationships to Maven Central dependencies.

Developers today working on any kind of production software have a set of security and compliance best practices to ensure that they don't release code that’s open to attacks on known vulnerabilities. We all remember scrambling last year to patch software vulnerable to the Log4Shell exploit. This scanning and patching cycle can add manual steps to a software delivery workflow, and we're excited to make it easier for developers to start to automate compliance in their DevOps service pipelines.

The new vulnerability audit feature enables you to scan for common vulnerabilities and exposures (CVEs) as part of your continuous integration (CI) pipelines. Currently, we’re supporting Maven dependencies based on pom.xml files. Developers can now add a vulnerability audit step for Maven projects within their DevOps service build instructions. Developers can set up the minimum CVSS scores to fail a build and, if a CVE above that threshold in a package is detected in the pipeline, run the build fail to ensure that developers are alerted on the vulnerability and patch it. Integrated vulnerability audits help developers keep known vulnerabilities from making it into production.

A graphic depicting the workflow for a deployment with the bubble for the vulnerability audit highlighted in yellow.

Vulnerability audit build step

The new Vulnerability Audit step can be added to the existing DevOps service build instructions as shown:


...
- type: VulnerabilityAudit
  name: "Vulnerability Audit Step"
  configuration:
    buildType: maven
    pomFilePath: ${OCI_PRIMARY_SOURCE_DIR}/pom.xml
	packagesToIgnore:
      - org.apache.struts
    maxPermissibleCvssV2Score: 6.0
    maxPermissibleCvssV3Score: 8.1
  knowledgeBaseId: ocid1...
  vulnerabilityAuditCompartmentId: ocid1...
  vulnerabilityAuditName: sample_va
...

With this simple configuration, developers can control the configuration of the scan to pass or fail. In the step configuration, developers can ignore certain artifacts or versions paths and control the maximum permissible CVSS scores (the overall score assigned to a vulnerability) that they allow within their project. For example, you can specify that you have tolerance for certain medium or low severity CVEs or for specific package names like struts.

Next, developers can view the results of their vulnerability audit in the build instructions output and details of the build run.

A screenshot of the Oracle Cloud Console showing a build pipeline run with the vulnerability audit step.

Vulnerability audit

If the DevOps build pipeline fails because of found vulnerabilities, developers can view the vulnerability audit result to see the full tree of dependencies along with the associated CVEs. The developer can inspect CVE scores to understand the issue and then make the necessary changes, such as patching some of the dependencies to versions that don’t include the vulnerabilities.

A screenshot of the Vulnerability Audit Details page showing the application dependencies.

Get started today

Security vulnerability scanning for Maven builds is a new capability part of Oracle Cloud Infrastructure DevOps CI pipeline service. To use OCI DevOps and create your CI build, simply sign up for a free account and follow the vulnerability audit documentation.

Doug Clarke

Director of Software Development

Doug is a director of software development in Oracle Labs focussing on product management of solutions in OCI and related tooling that reduce the effort and human labor required to develop and manage modern cloud apps. The solutions automate testing, scaling, tuning, and failure detection and recovery to help improve application security, reliability, and performance.

Jonathan Schreiber

Sr. Principal Product Manager

Jonathan is a product manager in the Developer Services group, working on DevOps and creating a great developer exeperience on Oracle Cloud. Previously, Jonathan worked in a variety of engineering an product roles at adtech and marketing startups. 

He studied history at the University of British Columbia where he also helped start a bike sharing co-op to improve the student experience!


Previous Post

Announcing interactive mode for Oracle Cloud Infrastructure command line interface

Kartik Hegde | 3 min read

Next Post


Why customers choose Oracle for cloud security

Rachel Bennett | 4 min read