Not Considering

manage or merge vulnerability remediations

We need to not have a packaged WAR from SDL but a pom.xml that has references to all libraries, so that we can more easily manage/merge vulnerability remediations. The current process is incredibly painful.

update (by Warner Soditus):

Let me try to describe what we deal with here. We are continually dealing with third-party library vulnerability remediations. For point releases (e.g. foo-1.2.3.jar to foo-1.2.4.jar) SDL requires us to update. So, we have the exploded deployer.war, and search and replace all foo-1.2.3.jar with the newer. However, we frequently hit the case where we have a vulnerability with bar-4.5.6.jar that can't be fixed with any version of bar-4.5.*.jar and has to go to bar-4.6.8.jar. For this, we often require SDL to give us a hotfix deployer package, since often code changes are required for library updates. That's all well and good until we expand the new deployer.war from SDL and find that our earlier remediations have been reverted (e.g. now there's foo-1.2.3.jar, not foo-1.2.4.jar) and we have to do lengthy merge processes to get all remediations that "we" did back into the latest from SDL.

This is a poor way of doing things. What we need from SDL to help us maintain is what we have for our custom code packages: just a list of references to the required libraries, and have our build process pull the required libraries into the deployable WAR file.

I presume this would be managed in pom.xml. We already see many references there, like:

            <artifactItem>
              <groupId>org.bouncycastle</groupId>
              <artifactId>bcpkix-jdk15on</artifactId>
              <version>1.60</version>
              <type>jar</type>
              <overWrite>false</overWrite>
              <outputDirectory>${project.build.directory}/deployerExtensionRuntime/lib</outputDirectory>
            </artifactItem>

So, if we have just references to libraries in a file, we can easily merge our updates with SDL's updates and build the WAR. As of now, we have to do this manual merge, re-war this 1GB file and then try to manage it in our corporate Artifactory.

I hope that makes things more clear.

~Warner
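The regression described in the update (a new deployer.war from SDL silently carrying foo-1.2.3.jar again after the team had already moved to foo-1.2.4.jar) is easy to catch mechanically before the merge work starts. The following is an added example, not code from the original post or from SDL: it parses jar file names from a WAR's WEB-INF/lib listing and compares them against a pinned list of remediated minimum versions. The jar names, the pinned versions and the `PINNED`/`SAMPLE_LISTING` constants are constructed for illustration.

```python
import re
import zipfile
from pathlib import Path

# Matches "<artifactId>-<version>[-qualifier].jar", e.g. bcpkix-jdk15on-1.60.jar.
# The artifactId part is lazy so the first "-<digits>" boundary starts the version.
JAR_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")

# Constructed remediation record: artifactId -> minimum version we already moved to.
PINNED = {"foo": "1.2.4", "bar": "4.6.8", "bcpkix-jdk15on": "1.60", "baz": "2.0"}

# Constructed WEB-INF/lib listing of a freshly expanded vendor WAR.
SAMPLE_LISTING = [
    "WEB-INF/lib/foo-1.2.3.jar",           # reverted to the vulnerable point release
    "WEB-INF/lib/bar-4.6.8.jar",           # hotfix package kept this one
    "WEB-INF/lib/bcpkix-jdk15on-1.60.jar",
    "WEB-INF/lib/README.txt",              # not a jar, ignored
]                                           # baz-*.jar is missing entirely


def parse_jar(filename):
    """Return (artifactId, version) for a jar file name, or None if it does not parse."""
    m = JAR_RE.match(Path(filename).name)
    return (m.group("name"), m.group("version")) if m else None


def version_key(version):
    """Numeric tuple so that 1.10 sorts after 1.9, unlike a string compare."""
    return tuple(int(p) for p in version.split("."))


def find_regressions(jar_paths, pinned):
    """Map artifactId -> (version found or None, version required) for every pin not met."""
    present = {}
    for path in jar_paths:
        parsed = parse_jar(path)
        if parsed is None:
            continue
        name, ver = parsed
        # If the WAR carries duplicates, judge by the highest version shipped.
        if name not in present or version_key(ver) > version_key(present[name]):
            present[name] = ver
    return {name: (present.get(name), req) for name, req in pinned.items()
            if present.get(name) is None or version_key(present[name]) < version_key(req)}


def jars_in_war(war_path):
    """List WEB-INF/lib jar entries of a real WAR file (zip container)."""
    with zipfile.ZipFile(war_path) as war:
        return [n for n in war.namelist() if n.startswith("WEB-INF/lib/") and n.endswith(".jar")]


if __name__ == "__main__":
    for name, (found, required) in find_regressions(SAMPLE_LISTING, PINNED).items():
        print(f"REGRESSION {name}: shipped {found or 'nothing'}, remediation requires >= {required}")
```

Run it against a real package with `find_regressions(jars_in_war("deployer.war"), PINNED)`; a non-empty result is the list of remediations the vendor drop would revert, before anything is merged or re-warred.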