The RedHat idea is a good one but the implementation is fairly poor insofar as it requires you to download an H2 database before you can actually check your build. I noticed that if the process is interrupted you are forced to download the database again. Good idea with the enforcer plugin, but not a good idea to use a database. If it were a stand-alone service where a simple REST call can be made with your coordinates then it would be excellent.
On Feb 27, 2014, at 3:49 AM, Barrie Treloar <[email protected]> wrote:

> On 27 February 2014 21:17, Bernd Eckenfels <[email protected]> wrote:
>> Hello Mark,
>>
>> Just wanted to point you to a redhat project which I recently discovered, as
>> it seems to have potential for this (even if the approach is not the most
>> decentralized one):
>>
>> The Victims Database maps JAR Signatures to known vulnerabilities, if this
>> is extended with maven coordinates it would be a really helpful static
>> analysis tool for build time.
>>
>
> Sonatype were (are) looking at doing something similar with the data
> from Central.

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder, Apache Maven
http://twitter.com/jvanzyl
http://twitter.com/takari_io
---------------------------------------------------------

There's no sense in being precise when you don't even know what you're talking about.

 -- John von Neumann
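As an added illustration (not Victims, Sonatype or Maven code) of the two lookup keys discussed in this thread, a JAR fingerprint and Maven coordinates, the sketch below keys one set of advisories by both and runs an enforcer-style pass over a dependency set. All artifact coordinates, JAR bytes and advisory ids are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed sample JAR contents; a real check would read them from the local repo.
VULNERABLE_JAR = b"PK\x03\x04 constructed bytes of vulnerable lib 1.0"
PATCHED_JAR = b"PK\x03\x04 constructed bytes of patched lib 1.1"

def fingerprint(jar_bytes: bytes) -> str:
    """SHA-512 hex digest of the JAR, used here as the 'JAR signature' key."""
    return hashlib.sha512(jar_bytes).hexdigest()

@dataclass(frozen=True)
class Finding:
    advisory: str    # placeholder advisory id, not a real CVE
    matched_by: str  # "coordinates" or "fingerprint"

class VulnIndex:
    """One advisory set, two lookup keys: Maven coordinates and JAR fingerprint."""
    def __init__(self) -> None:
        self.by_coords: Dict[str, str] = {}  # "group:artifact:version" -> advisory
        self.by_digest: Dict[str, str] = {}  # sha512 hex -> advisory

    def add(self, advisory: str, coords: str, jar_bytes: bytes) -> None:
        self.by_coords[coords] = advisory
        self.by_digest[fingerprint(jar_bytes)] = advisory

    def check(self, coords: str, jar_bytes: Optional[bytes]) -> List[Finding]:
        """Coords work before the JAR is fetched; the digest catches the same bytes under other coords."""
        found = []
        if coords in self.by_coords:
            found.append(Finding(self.by_coords[coords], "coordinates"))
        if jar_bytes is not None:
            adv = self.by_digest.get(fingerprint(jar_bytes))
            if adv and all(f.advisory != adv for f in found):  # report each advisory once
                found.append(Finding(adv, "fingerprint"))
        return found

def enforce(index: VulnIndex, deps: Dict[str, Optional[bytes]]) -> Dict[str, List[Finding]]:
    # Enforcer-style pass: return only the dependencies that have findings.
    return {c: r for c, r in ((c, index.check(c, b)) for c, b in deps.items()) if r}

def demo() -> Dict[str, List[Finding]]:
    index = VulnIndex()
    index.add("ADVISORY-0001", "org.example:lib:1.0", VULNERABLE_JAR)  # placeholder id
    deps = {
        "org.example:lib:1.0": None,                    # not downloaded yet: coords hit
        "com.other:relocated-lib:1.0": VULNERABLE_JAR,  # same bytes, unknown coords
        "org.example:lib:1.1": PATCHED_JAR,             # fixed release: clean
    }
    return enforce(index, deps)
```

The relocated artifact is only caught by the fingerprint, while the not-yet-downloaded one is only caught by its coordinates, which is why an index keyed on both is more useful than either key alone.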
