This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 0a9ee32539 Improved: Abandon the Gradle Owasp dependencycheck task (OFBIZ-13121)
0a9ee32539 is described below
commit 0a9ee32539a6abe1c3e5d2805fb03df1e8d98144
Author: Jacques Le Roux <[email protected]>
AuthorDate: Tue Jun 25 10:07:51 2024 +0200
Improved: Abandon the Gradle Owasp dependencycheck task (OFBIZ-13121)
We have abandoned this feature for years as it was no longer usable
(too many false positives).
https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
The last time I tried to use it was after the last commit for
https://issues.apache.org/jira/browse/OFBIZ-10700
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/build.gradle?r1=1854818&r2=1854817&pathrev=1854818
I just tried and got this:
C:\projectsASF\Git\ofbiz-framework>gradlew -PenableOwasp dependencyCheckAnalyze
Starting a Gradle Daemon (subsequent builds will be faster)
[...]
> Task :dependencyCheckAnalyze
Verifying dependencies for project ofbiz
Checking for updates and analyzing dependencies for vulnerabilities
An NVD API Key was not provided - it is highly recommended to use an NVD
API key as the update can take a VERY long time without an API Key
Actually nothing happens in a reasonable time and I bet it would be mostly
unusable.
You may, though, try to follow the NVD API key way, whatever it is.
I forgot to remove this information from the main README files
(actually in all supported OFBiz versions). You can see the trunk
version of the README in the GH repo.
Thanks: Sumesh Acharya for his question on user ML
---
README.adoc | 10 ----------
build.gradle | 12 ------------
2 files changed, 22 deletions(-)
diff --git a/README.adoc b/README.adoc
index d484853edc..553198a023 100644
--- a/README.adoc
+++ b/README.adoc
@@ -640,16 +640,6 @@ want to silence them
`gradlew -PXlint:none build`
-[[run-owasp-tool-to-identify-dependency-vulnerabilities-cves]]
-==== Run OWASP tool to identify dependency vulnerabilities (CVEs)
-
-The below command activates a gradle plugin (OWASP) and Identifies and reports
-known vulnerabilities (CVEs) in OFBiz library dependencies. The task takes time
-to complete, and once done, a report will be generated in
-$OFBIZ_HOME/build/reports/dependency-check-report.html
-
-`gradlew -PenableOwasp dependencyCheckAnalyze`
-
[[setup-eclipse-project-for-ofbiz]]
==== Setup eclipse project for OFBiz
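Review bot: Deleting the `[[run-owasp-tool-to-identify-dependency-vulnerabilities-cves]]` anchor at the top of this hunk will leave any `<<run-owasp-tool-to-identify-dependency-vulnerabilities-cves>>` cross-reference elsewhere in README.adoc (or in the other docs that include it) pointing at nothing; a grep for that id before merging would confirm none remain. Since this was the only place the build documented automated CVE scanning of library dependencies, it would also help readers if the section were replaced by a one-line pointer to the OWASP Dependency Check wiki page cited in the commit message, rather than removed without a trace, so that someone looking for dependency vulnerability checking knows why it is gone and where the history is.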
diff --git a/build.gradle b/build.gradle
index 0df79ed945..d5d20c61aa 100644
--- a/build.gradle
+++ b/build.gradle
@@ -39,18 +39,6 @@ plugins {
id "com.github.node-gradle.node" version '7.0.2' apply false
}
-/* OWASP plugin
- *
- * If project property "enableOwasp" is flagged then
- * gradle will download required dependencies and
- * activate Gradle's OWASP plugin and its related tasks.
- *
- * Syntax: gradlew -PenableOwasp dependencyCheckAnalyze
- */
-if (project.hasProperty('enableOwasp')) {
- apply plugin: 'org.owasp.dependencycheck'
-}
-
/* DependencyUpdates plugin
*
* If project property "enableDependencyUpdates" is flagged then
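Review bot: Removing only the `if (project.hasProperty('enableOwasp')) { apply plugin: 'org.owasp.dependencycheck' }` block leaves the `plugins { ... }` declaration above this hunk out of view; if it still carries an `id "org.owasp.dependencycheck" ... apply false` entry, that line should be dropped in the same commit, otherwise Gradle keeps resolving the plugin artifact at configuration time for a task nobody can run. With this change `-PenableOwasp` also becomes a silent no-op, so a user following an old README copy gets no hint that the task is gone; a short `logger.warn` when the property is present, or at least a mention in the commit message, would make the removal visible instead of quietly skipping the analysis.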