[
https://issues.apache.org/jira/browse/HADOOP-13732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15586420#comment-15586420
]
Mike Yoder commented on HADOOP-13732:
-------------------------------------
I'd have to make a dependency-check specific note in BUILDING.txt, which seems
a little awkard. (The normal build isn't affected, of course.) I'll see what I
can do. My only alternative idea is a comment around this plugin in pom.xml. I
do agree it needs to be documented somewhere.
* I don't even think that maven is _available_ on RHEL 6.6
* My RHEL 7.2 machine looks like it would use version 3.0.5-16
* My Ubuntu 16.04 machine is using 3.3.9
* Looks like Ubuntu 14.04 uses 3.0.5-1
The maven release history page is at https://maven.apache.org/docs/history.html
> Upgrade OWASP dependency-check plugin version
> ---------------------------------------------
>
> Key: HADOOP-13732
> URL: https://issues.apache.org/jira/browse/HADOOP-13732
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Mike Yoder
> Assignee: Mike Yoder
> Priority: Minor
> Attachments: HADOOP-13732.001.patch
>
>
> For reasons I don't fully understand, the current version (1.3.6) of the
> OWASP dependency-check plugin produces an essentially empty report on trunk
> (3.0.0). After some research, it appears that this plugin has undergone
> significant work in the latest version, 1.4.3. Upgrading to this version
> produces the expected full report.
> The only gotcha is that a new-ish version of maven is required. I'm using
> 3.2.2; I know that 3.0.x fails with a strange error.
> This plugin was introduced in HADOOP-13198.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
