Hi,

For those of you that don't know me, one of my roles at the ASF is as a member of the Apache Security Team. One of the common problems we face when processing a security vulnerability report is how to identify the projects that depend on the vulnerable library. What I wanted to explore with the Maven dev community is the possibility of doing something along the following lines:

1. Add the ability to publish vulnerability information to a Maven repository.
2. Enhance Maven to check that vulnerability information when building a project and warn users that are building using a library with known vulnerabilities.

As an aside, it might be nice to be able to publish de-support notices or similar along the same sort of lines so users building with old, unsupported libraries are also warned.

Users would, of course, need an option to silence individual warnings if they are happy that they do not apply to their product.

Does something like the above sound possible? Is it already possible and I have just missed it?

Cheers,

Mark
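The build-time check sketched in step 2 of the post, written as an added example for this thread; it is not Maven's code and not anything the Apache Security Team ships. It assumes a hypothetical metadata format (a JSON document keyed by groupId:artifactId, each entry listing affected versions in Maven's own range syntax such as "[2.0,2.3.2)"), reads only the direct dependencies of a pom.xml (no transitive resolution, no property interpolation), approximates Maven's ComparableVersion ordering just closely enough for qualifiers like "-beta-2" and "-SNAPSHOT" to sort below a release, and supports the per-advisory suppression the post asks for. The pom, the metadata and the advisory identifiers are all constructed for the example.

```python
"""Check a pom.xml's direct dependencies against published vulnerability
metadata. Illustrative code for this thread, not part of Maven; the metadata
format, sample pom and EXAMPLE-* identifiers are all constructed."""
import json
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml (not a real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>org.example.lib</groupId><artifactId>widget</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>org.example.lib</groupId><artifactId>gadget</artifactId><version>1.0.0-beta-2</version></dependency>
    <dependency><groupId>org.example.lib</groupId><artifactId>gizmo</artifactId><version>5.1</version></dependency>
  </dependencies>
</project>"""

# Constructed, hypothetical metadata as a repository might publish it:
# keyed by groupId:artifactId, affected versions in Maven range syntax.
SAMPLE_METADATA = json.loads("""{
  "org.example.lib:widget": [{"id": "EXAMPLE-2016-0001", "affected": "[2.0,2.3.2)"}],
  "org.example.lib:gadget": [{"id": "EXAMPLE-2016-0002", "affected": "(,1.0.0)"}],
  "org.example.lib:gizmo":  [{"id": "EXAMPLE-2016-0003", "affected": "[4.0,5.0]"}]
}""")


def version_key(v):
    """Simplified approximation of Maven's version ordering: numeric parts
    compare numerically, an alphabetic qualifier sorts before a release with
    the same numeric prefix (1.0.0-beta-2 < 1.0.0), and trailing zeros are
    dropped (1.0 == 1.0.0). Maven's special qualifiers (ga, final, sp) are
    not modelled."""
    key = []
    for part in re.split(r"[.\-]", v.strip().lower()):
        key.append((1, int(part), "") if part.isdigit() else (0, 0, part))
    while key and key[-1] == (1, 0, ""):
        key.pop()
    return key


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter keys are padded with a neutral '0' part so
    that a qualifier compares below 'nothing' rather than above it."""
    ka, kb = version_key(a), version_key(b)
    pad = (1, 0, "")
    n = max(len(ka), len(kb))
    ka, kb = ka + [pad] * (n - len(ka)), kb + [pad] * (n - len(kb))
    return (ka > kb) - (ka < kb)


RANGE_RE = re.compile(r"([\[(])\s*([^,\]\)]*)\s*(?:,\s*([^\]\)]*))?\s*([\])])")


def parse_range(spec):
    """Parse a Maven range ("[1.0,2.0)", "(,1.0]", "[1.0]", "(,1.0],[1.2,)")
    into (low, low_inclusive, high, high_inclusive) sets; None = unbounded.
    A bare version is treated as an exact match."""
    spec = spec.strip()
    if not spec.startswith(("[", "(")):
        return [(spec, True, spec, True)]
    sets = []
    for open_br, low, high, close_br in RANGE_RE.findall(spec):
        if high == "" and "," not in spec[spec.find(low):spec.find(low) + len(low) + 1]:
            sets.append((low, True, low, True))  # "[1.0]" exact version
        else:
            sets.append((low or None, open_br == "[", high or None, close_br == "]"))
    return sets


def in_range(version, spec):
    for low, low_incl, high, high_incl in parse_range(spec):
        ok = True
        if low is not None:
            c = compare_versions(version, low)
            ok = ok and (c > 0 or (low_incl and c == 0))
        if high is not None:
            c = compare_versions(version, high)
            ok = ok and (c < 0 or (high_incl and c == 0))
        if ok:
            return True
    return False


def read_dependencies(pom_xml):
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.iter(POM_NS + "dependency"):
        g, a, v = (dep.findtext(POM_NS + tag) for tag in ("groupId", "artifactId", "version"))
        if g and a and v:
            deps.append((g, a, v))
    return deps


def check_dependencies(pom_xml, metadata, suppressed=()):
    """Return (coordinate, advisory id, status) for every applicable advisory;
    status is WARN, or SUPPRESSED when the user has silenced that advisory."""
    findings = []
    for g, a, v in read_dependencies(pom_xml):
        for adv in metadata.get(f"{g}:{a}", []):
            if in_range(v, adv["affected"]):
                status = "SUPPRESSED" if adv["id"] in suppressed else "WARN"
                findings.append((f"{g}:{a}:{v}", adv["id"], status))
    return findings


if __name__ == "__main__":
    for coord, adv_id, status in check_dependencies(SAMPLE_POM, SAMPLE_METADATA, suppressed={"EXAMPLE-2016-0002"}):
        print(f"[{status}] {coord} is affected by {adv_id}")
```

Run as a script it reports widget 2.3.1 as WARN (inside [2.0,2.3.2)), gadget 1.0.0-beta-2 as SUPPRESSED (a pre-release sorts below 1.0.0, so it is inside "(,1.0.0)", but the user silenced that advisory), and nothing for gizmo 5.1, which is past the closed upper bound 5.0. A real implementation would run after dependency resolution so that transitive dependencies and dependencyManagement overrides are checked too, and would use Maven's own ComparableVersion rather than the approximation above.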
