By setting failBuildOnCVSS, you can define a rule such that the build FAILs when a vulnerability with a CVSS score of 7.0 or higher is found, i.e. one whose severity is rated High or above.
For example, when the project depends on spring boot 1.5.0, the output looks like this.
$ ./gradlew check
:dependencyCheckAnalyze
Verifying dependencies for project demo
Checking for updates and analyzing vulnerabilities for dependencies
Generating report for project demo
Found 24 vulnerabilities in project demo
One or more dependencies were identified with known vulnerabilities:
spring-boot-starter-security-1.5.0.RELEASE.jar (org.springframework.boot:spring-boot-starter-security:1.5.0.RELEASE, cpe:/a:pivotal_software:spring_boot:1.5.0, cpe:/a:pivotal_software:spring_security:1.5.0) : CVE-2017-8046, CVE-2018-1196
spring-boot-starter-1.5.0.RELEASE.jar (cpe:/a:pivotal_software:spring_boot:1.5.0, org.springframework.boot:spring-boot-starter:1.5.0.RELEASE) : CVE-2017-8046, CVE-2018-1196
spring-aop-4.3.6.RELEASE.jar (cpe:/a:pivotal_software:spring_framework:4.3.6, org.springframework:spring-aop:4.3.6.RELEASE, cpe:/a:pivotal:spring_framework:4.3.6) : CVE-2018-1199
spring-security-config-4.2.1.RELEASE.jar (org.springframework.security:spring-security-config:4.2.1.RELEASE, cpe:/a:pivotal_software:spring_security:4.2.1) : CVE-2017-4995, CVE-2018-1199
spring-security-web-4.2.1.RELEASE.jar (org.springframework.security:spring-security-web:4.2.1.RELEASE, cpe:/a:pivotal_software:spring_security:4.2.1) : CVE-2017-4995, CVE-2018-1199
spring-boot-1.5.0.RELEASE.jar (cpe:/a:pivotal_software:spring_boot:1.5.0, org.springframework.boot:spring-boot:1.5.0.RELEASE) : CVE-2017-8046, CVE-2018-1196
spring-boot-autoconfigure-1.5.0.RELEASE.jar (cpe:/a:pivotal_software:spring_boot:1.5.0, org.springframework.boot:spring-boot-autoconfigure:1.5.0.RELEASE) : CVE-2017-8046, CVE-2018-1196
spring-boot-starter-logging-1.5.0.RELEASE.jar (cpe:/a:pivotal_software:spring_boot:1.5.0, org.springframework.boot:spring-boot-starter-logging:1.5.0.RELEASE) : CVE-2017-8046, CVE-2018-1196
spring-core-4.3.6.RELEASE.jar (cpe:/a:pivotal_software:spring_framework:4.3.6, org.springframework:spring-core:4.3.6.RELEASE, cpe:/a:pivotal:spring_framework:4.3.6) : CVE-2018-1199
spring-beans-4.3.6.RELEASE.jar (cpe:/a:pivotal_software:spring_framework:4.3.6, org.springframework:spring-beans:4.3.6.RELEASE, cpe:/a:pivotal:spring_framework:4.3.6) : CVE-2018-1199
spring-security-core-4.2.1.RELEASE.jar (org.springframework.security:spring-security-core:4.2.1.RELEASE, cpe:/a:pivotal_software:spring_security:4.2.1) : CVE-2017-4995, CVE-2018-1199
spring-context-4.3.6.RELEASE.jar (cpe:/a:pivotal_software:spring_framework:4.3.6, cpe:/a:pivotal:spring_framework:4.3.6, org.springframework:spring-context:4.3.6.RELEASE) : CVE-2018-1199
spring-expression-4.3.6.RELEASE.jar (cpe:/a:pivotal_software:spring_framework:4.3.6, cpe:/a:pivotal:spring_framework:4.3.6, org.springframework:spring-expression:4.3.6.RELEASE) : CVE-2018-1199
spring-web-4.3.6.RELEASE.jar (cpe:/a:pivotal_software:spring_framework:4.3.6, cpe:/a:pivotal:spring_framework:4.3.6, org.springframework:spring-web:4.3.6.RELEASE) : CVE-2018-1199
logback-classic-1.1.9.jar (cpe:/a:logback:logback:1.1.9, ch.qos.logback:logback-classic:1.1.9) : CVE-2017-5929
logback-core-1.1.9.jar (cpe:/a:logback:logback:1.1.9, ch.qos.logback:logback-core:1.1.9) : CVE-2017-5929
See the dependency-check report for more details.
:dependencyCheckAnalyze FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':dependencyCheckAnalyze'.
>
Dependency-Analyze Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '0.0': CVE-2017-5929, CVE-2017-8046, CVE-2017-4995, CVE-2018-1199, CVE-2018-1196
See the dependency-check report for more details.
* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.
BUILD FAILED
Total time: 6.561 secs
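To make the gating rule concrete, here is an added example (not code from the original post and not part of the dependency-check plugin) that parses the console summary lines shown above and applies a failBuildOnCVSS-style threshold to them. The function names (parse_summary, gate, build_should_fail) are my own, and the CVSS score table is constructed for the demo: the real plugin takes scores from the NVD data in its report, so look there for authoritative values. One CVE is deliberately left out of the table to show how a finding without score data is surfaced rather than silently passed.

```python
# Added example (not part of the original post or of the dependency-check
# plugin): parse the console summary lines dependency-check prints and apply a
# failBuildOnCVSS-style threshold to them.
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# A few summary lines copied from the Gradle output above (format:
# "<jar> (<maven coordinates and CPEs>) : <CVE list>").
SUMMARY = """\
Found 24 vulnerabilities in project demo
One or more dependencies were identified with known vulnerabilities:
spring-boot-starter-security-1.5.0.RELEASE.jar (org.springframework.boot:spring-boot-starter-security:1.5.0.RELEASE, cpe:/a:pivotal_software:spring_boot:1.5.0, cpe:/a:pivotal_software:spring_security:1.5.0) : CVE-2017-8046, CVE-2018-1196
spring-security-web-4.2.1.RELEASE.jar (org.springframework.security:spring-security-web:4.2.1.RELEASE, cpe:/a:pivotal_software:spring_security:4.2.1) : CVE-2017-4995, CVE-2018-1199
spring-aop-4.3.6.RELEASE.jar (cpe:/a:pivotal_software:spring_framework:4.3.6, org.springframework:spring-aop:4.3.6.RELEASE, cpe:/a:pivotal:spring_framework:4.3.6) : CVE-2018-1199
logback-classic-1.1.9.jar (cpe:/a:logback:logback:1.1.9, ch.qos.logback:logback-classic:1.1.9) : CVE-2017-5929
See the dependency-check report for more details.
"""

# Constructed score table for the demo. The real plugin takes CVSS scores from
# the NVD data in its report; these numbers are illustrative, not authoritative,
# and CVE-2017-4995 is deliberately left out to show how an unscored CVE is handled.
CVSS: Dict[str, float] = {
    "CVE-2017-8046": 9.8,
    "CVE-2018-1196": 5.9,
    "CVE-2018-1199": 7.5,
    "CVE-2017-5929": 9.8,
}


class Finding(NamedTuple):
    jar: str
    coordinates: List[str]  # Maven group:artifact:version identifiers
    cpes: List[str]         # CPE names dependency-check matched the jar to
    cves: List[str]


LINE_RE = re.compile(r"^(?P<jar>\S+\.jar) \((?P<ids>[^)]*)\) : (?P<cves>.+)$")


def parse_summary(text: str) -> List[Finding]:
    """Extract one Finding per '<jar> (...) : CVE, CVE' line; other lines are ignored."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ids = [s.strip() for s in m.group("ids").split(",")]
        findings.append(Finding(
            jar=m.group("jar"),
            coordinates=[i for i in ids if not i.startswith("cpe:")],
            cpes=[i for i in ids if i.startswith("cpe:")],
            cves=[c.strip() for c in m.group("cves").split(",")],
        ))
    return findings


def gate(findings: List[Finding], scores: Dict[str, float],
         fail_on_cvss: float) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Apply the threshold: a CVE whose score is >= fail_on_cvss fails the build.

    Returns (failing CVE -> affected jars, CVEs with no score available).
    Unscored CVEs do not fail the build here, but they are surfaced so the gate
    cannot be passed simply because score data is missing.
    """
    failing: Dict[str, Set[str]] = {}
    unscored: Set[str] = set()
    for f in findings:
        for cve in f.cves:
            if cve not in scores:
                unscored.add(cve)
            elif scores[cve] >= fail_on_cvss:
                failing.setdefault(cve, set()).add(f.jar)
    return failing, unscored


def build_should_fail(findings: List[Finding], scores: Dict[str, float],
                      fail_on_cvss: float) -> bool:
    return bool(gate(findings, scores, fail_on_cvss)[0])


if __name__ == "__main__":
    found = parse_summary(SUMMARY)
    for threshold in (7.0, 0.0):
        failing, unscored = gate(found, CVSS, threshold)
        print(f"failBuildOnCVSS={threshold}: fail={bool(failing)} "
              f"cves={sorted(failing)} unscored={sorted(unscored)}")
```

Running it with a threshold of 7.0 fails the build on the three High-or-above CVEs and lists CVE-2017-4995 as unscored; with 0.0 (the threshold the message above was produced with) every scored CVE fails, which is why even a Medium finding stops the build in that output.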
$ javac Hello.java
$ java Hello
Hello
$ time java Hello
Hello
java Hello 0.08s user 0.02s system 102% cpu 0.097 total
$ ~/Downloads/graalvm-1.0.0-rc1/Contents/Home/bin/native-image Hello
Build on Server(pid: 55301, port: 26681)*
classlist: 918.63 ms
(cap): 1,817.31 ms
setup: 2,839.95 ms
(typeflow): 3,744.88 ms
(objects): 2,570.67 ms
(features): 43.37 ms
analysis: 6,469.76 ms
universe: 281.22 ms
(parse): 1,153.94 ms
(inline): 1,592.75 ms
(compile): 10,151.29 ms
compile: 13,517.63 ms
image: 2,241.96 ms
write: 1,410.72 ms
[total]: 27,753.54 ms
$ ls -lah
total 5.0M
drwxr-xr-x 5 tokuhirom staff 160 May 23 11:14 ./
drwxr-xr-x 121 tokuhirom staff 3.8K May 23 11:11 ../
-rw-r--r-- 1 tokuhirom staff 401 May 23 11:13 Hello.class
-rw-r--r-- 1 tokuhirom staff 111 May 23 11:13 Hello.java
-rwxr-xr-x 1 tokuhirom staff 5.0M May 23 11:14 hello*
$ time ./hello
Hello
./hello 0.00s user 0.00s system 65% cpu 0.011 total
$ file ./hello
./hello: Mach-O 64-bit executable x86_64
Conclusion / Discussion
In short, even for a Hello World level program, startup is noticeably faster. The file size is about 5MB.
At this speed, writing the command line applications you use every day in Java becomes a realistic option.
@Test
fun bench() {
    // Compare the allocation cost of the two Apache Commons Math RealMatrix implementations
    val tries = 10000000
    val startA = System.currentTimeMillis()
    for (i in 0 until tries) {
        Array2DRowRealMatrix(11, 11)
    }
    val endA = System.currentTimeMillis()
    val startB = System.currentTimeMillis()
    for (i in 0 until tries) {
        BlockRealMatrix(11, 11)
    }
    val endB = System.currentTimeMillis()
    println("A=${endA-startA} B=${endB-startB}")
}
com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Cannot construct instance of `MyGreatResponse` (no Creators, like default construct, exist): cannot deserialize from Object value (no delegate- or property-based Creator) at [Source: (String)"{"FOO":"BAR"}"; line: 1, column: 2]
require 'msgpack'
require 'benchmark'
require 'json'

# Minimal LTSV (Labeled Tab-Separated Values) codec, modelled on fluentd's parser:
# https://github.com/fluent/fluentd/blob/master/lib/fluent/plugin/parser_ltsv.rb
class LTSV
  def self.parse(text)
    r = {}
    text.split("\t").each do |pair|
      key, value = pair.split(":", 2)
      r[key] = value
    end
    r
  end

  def self.generate(data)
    data.map {|k,v| k+":"+v }.join("\t")
  end
end

# 500 string key/value pairs ("1"=>"2", "3"=>"4", ...) encoded in each format
src = Hash[(1..1000).map{|i| i.to_s}.each_slice(2).to_a]
msgpk = src.to_msgpack
json = JSON.generate(src)
ltsv = LTSV.generate(src)
iterations = 100_000

puts "msgpk=#{msgpk.length} bytes"
puts "json=#{json.length} bytes"
puts "ltsv=#{ltsv.length} bytes"
puts ""

# Decode-only benchmark: parse the same payload 100,000 times per format
Benchmark.bm(10) do |x|
  x.report('msgpack') do
    iterations.times { MessagePack.unpack(msgpk) }
  end
  x.report('json') do
    iterations.times { JSON.parse(json) }
  end
  x.report('ltsv') do
    iterations.times { LTSV.parse(ltsv) }
  end
end
msgpk=3896 bytes
json=5894 bytes
ltsv=3892 bytes
user system total real
msgpack 11.390000 0.050000 11.440000 ( 11.509034)
json 31.690000 0.140000 31.830000 ( 32.131092)
ltsv 36.870000 0.270000 37.140000 ( 37.986320)
If you make multiple requests for an image, subsequent calls return a cached version of the image. This means that the returned image might not include the latest changes to the view. To decrease the amount of time that an image is cached, use tabadmin to reduce the value of the vizportal.rest_api.view_image.max_age setting. For more information, see tabadmin set options in the Tableau Server help.
And the default value of this setting is 720min = 12 hours, so the cache really is long.