Hi Duo,

Generally, I think that this is a good idea. I have previously attempted to use the Jenkins OWASP stuff and found it was a non-trivial project to manage exclusion lists. We ended up abandoning the effort for lack of value-for-time reward. I think it's more important that we manage this as a community, though. Maybe some other folks here with experience can share their strategies.
Thanks,
Nick

On Sat, Oct 7, 2023 at 4:13 PM 张铎(Duo Zhang) <[email protected]> wrote:
> https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
>
> The plugin will download the NVD database and use it to detect CVEs in
> our dependencies.
>
> I think we could make this part of the release process, and also add
> the check to nightly build and pre-commit check.
>
> Thoughts? Thanks.
>
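As an added example (not code from this thread or from the project's own pom), here is one way to wire dependency-check-maven in so that the same invocation serves the release process, the nightly build and pre-commit, while keeping the exclusion list Nick mentions in a reviewed file rather than in Jenkins job settings. The profile id `owasp`, the property `dependency-check.version`, the path `dev-support/owasp-suppressions.xml` and the CVSS threshold are assumptions; the plugin coordinates and the `failBuildOnCVSS`, `skipTestScope`, `assemblyAnalyzerEnabled`, `suppressionFiles` and `formats` parameters are the plugin's own.

```xml
<!-- Added example, not from the thread or the project pom: puts the OWASP
     scan behind a profile so CI jobs and the release steps can all run
     "mvn -Powasp verify". Profile id, property name, file path and the
     CVSS cut-off are assumptions. -->
<profiles>
  <profile>
    <id>owasp</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <!-- Pin the version in <properties> so every job scans with the
               same analyzer logic and the same NVD schema. -->
          <version>${dependency-check.version}</version>
          <configuration>
            <!-- Break the build only for High/Critical findings (CVSS >= 7);
                 lower scores still show up in the report without failing
                 pre-commit. Threshold is an assumption. -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- Test-scoped jars are not shipped, so leave them out; this
                 is the cheapest way to keep the suppression file short. -->
            <skipTestScope>true</skipTestScope>
            <!-- .NET assembly analysis needs mono/dotnet on the agent and
                 is irrelevant for a Maven-only tree. -->
            <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
            <!-- Exclusions live in version control and go through review
                 like any other change. Path is an assumption. -->
            <suppressionFiles>
              <suppressionFile>${project.basedir}/dev-support/owasp-suppressions.xml</suppressionFile>
            </suppressionFiles>
            <!-- HTML for humans, JSON for the CI job to archive or diff. -->
            <formats>
              <format>HTML</format>
              <format>JSON</format>
            </formats>
          </configuration>
          <executions>
            <execution>
              <goals>
                <!-- "check" runs per module and binds to verify by default. -->
                <goal>check</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Two practical notes. First, the suppression file uses the plugin's own `<suppress>` format: each entry carries a `<notes>` element (put the reason and the tracking issue there), a `<packageUrl regex="true">` matching the affected artifact, and either a `<cve>` for a single confirmed false positive or a `<vulnerabilityName>`. Giving each entry an `until="YYYY-MM-DDZ"` attribute makes it expire, which is what stops the exclusion list from silently rotting the way Nick describes; an expired entry simply starts failing the build again and has to be re-justified. Second, a nightly job pulls the NVD feed every run, and newer plugin versions expect an NVD API key (the `nvdApiKey` parameter, best supplied from a CI credential rather than the pom); without one the download is rate-limited and a pre-commit job can time out before the scan starts.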
