Maybe in model 5.0.0, if POM fragments are implemented (MNG-5102), this feature can be more seamless. If there were (1) a POM element that represented CVE information and (2) a repository out there that hosted independent fragments about the vulnerabilities, builds could automatically be warned/halted... Just another idea. It may not be better than a REST service, but I think external fragments would integrate better. It definitely allows "published" POMs to become updated with security vulnerability info when necessary.
On Thu, Feb 27, 2014 at 2:59 PM, Jason van Zyl <[email protected]> wrote:

> The RedHat idea is a good one but the implementation is fairly poor
> insofar as it requires you to download an H2 database before you can
> actually check your build. I noticed that if the process is interrupted you
> are forced to download the database again. Good idea with the enforcer
> plugin, but not a good idea to use a database. If it was stand-alone
> service where a simple REST call can be made with your coordinates then it
> would be excellent.
>
> On Feb 27, 2014, at 3:49 AM, Barrie Treloar <[email protected]> wrote:
>
> > On 27 February 2014 21:17, Bernd Eckenfels <[email protected]> wrote:
> >> Hello Mark,
> >>
> >> Just wanted to point you to a redhat project which I recently
> >> discovered, as it seems to have potential for this (even if the approach is
> >> not the most decentralized one):
> >>
> >> The Victims Database maps JAR Signatures to known vulnerabilities, if
> >> this is extended with maven coordinates it would be a real helpful static
> >> analysis tool for build time.
> >>
> >
> > Sonatype were (are) looking at doing something similar with the data
> > from Central.
>
> Thanks,
>
> Jason
>
> ----------------------------------------------------------
> Jason van Zyl
> Founder, Apache Maven
> http://twitter.com/jvanzyl
> http://twitter.com/takari_io
> ---------------------------------------------------------
>
> There's no sense in being precise when you don't even know what you're
> talking about.
>
> -- John von Neumann

--
Cheers,
Paul
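As an added example (not code from this thread, nor from Maven, the enforcer plugin, or the Victims project), the script below sketches the check the thread is circling around: a build-time rule that looks up each dependency's coordinates in a set of vulnerability fragments and warns or halts the build. The POM, the fragment feed, the coordinates and the advisory IDs (`CVE-0000-000x`) are all constructed placeholders, and the version-range matching is a simplified reading of Maven's `[a,b)` range syntax, not Maven's own `ComparableVersion`; real-world feeds, the REST lookup, and the plugin packaging are left out.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample POM (not from the thread). Coordinates and versions are made up.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId><artifactId>widget-core</artifactId><version>1.2.3</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>widget-util</artifactId><version>2.0.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>logger</artifactId><version>3.1.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Constructed "vulnerability fragments": the shape a hosted fragment repository
# or a REST service keyed on Maven coordinates might return. IDs are placeholders.
SAMPLE_FRAGMENTS = json.dumps([
    {"groupId": "org.example", "artifactId": "widget-core",
     "affected": "[1.0,1.3)", "id": "CVE-0000-0001", "severity": "HIGH"},
    {"groupId": "org.example", "artifactId": "widget-util",
     "affected": "[1.0,2.0.1)", "id": "CVE-0000-0002", "severity": "MEDIUM"},
    {"groupId": "org.example", "artifactId": "logger",
     "affected": "[3.0,3.2]", "id": "CVE-0000-0003", "severity": "LOW"},
])

RANGE_RE = re.compile(r"^([\[(])\s*([^,\]\)]*)\s*,\s*([^\]\)]*)\s*([\])])$")


def parse_version(v):
    """Numeric dotted versions only ('1.2.3' -> (1, 2, 3)); a qualifier such as
    '-SNAPSHOT' is dropped and trailing zeros are trimmed so 1.0 == 1.0.0.
    Maven's real ordering (ComparableVersion) is richer; this is a simplification."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    parts = []
    for p in core.split("."):
        if not p.isdigit():
            raise ValueError("unsupported version component %r in %r" % (p, v))
        parts.append(int(p))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def in_range(version, spec):
    """True if version falls inside a Maven-style range such as [1.0,1.3) or (,2.0];
    a bare version in the spec means an exact match."""
    v = parse_version(version)
    m = RANGE_RE.match(spec.strip())
    if not m:
        return v == parse_version(spec)
    lo_incl, lo, hi, hi_incl = m.group(1) == "[", m.group(2).strip(), m.group(3).strip(), m.group(4) == "]"
    if lo:
        lo_v = parse_version(lo)
        if v < lo_v or (v == lo_v and not lo_incl):
            return False
    if hi:
        hi_v = parse_version(hi)
        if v > hi_v or (v == hi_v and not hi_incl):
            return False
    return True


def _local(tag):
    return tag.rsplit("}", 1)[-1]   # strip the POM namespace from an element tag


def pom_dependencies(pom_xml):
    """Yield (groupId, artifactId, version, scope) for every <dependency> that
    carries an explicit version. Versions managed elsewhere (dependencyManagement,
    parent POM) are skipped here; a full tool would resolve the effective POM."""
    root = ET.fromstring(pom_xml)
    deps = []
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if "version" not in fields:
            continue
        deps.append((fields["groupId"], fields["artifactId"], fields["version"],
                     fields.get("scope", "compile")))
    return deps


def check_pom(pom_xml, fragments_json):
    """Match each dependency's coordinates against the fragments; return findings."""
    fragments = json.loads(fragments_json)
    findings = []
    for gid, aid, ver, scope in pom_dependencies(pom_xml):
        for f in fragments:
            if f["groupId"] == gid and f["artifactId"] == aid and in_range(ver, f["affected"]):
                findings.append({"coordinates": "%s:%s:%s" % (gid, aid, ver), "scope": scope,
                                 "id": f["id"], "severity": f["severity"]})
    return findings


def enforce(pom_xml, fragments_json, fail_on=("HIGH", "CRITICAL"), ignore_scopes=("test",)):
    """Enforcer-style rule: (build_ok, findings). Only findings at or above the
    configured severity in non-ignored scopes halt the build; the rest are warnings."""
    findings = check_pom(pom_xml, fragments_json)
    blocking = [f for f in findings if f["severity"] in fail_on and f["scope"] not in ignore_scopes]
    return len(blocking) == 0, findings


if __name__ == "__main__":
    ok, found = enforce(SAMPLE_POM, SAMPLE_FRAGMENTS)
    for f in found:
        print("%-8s %s (%s, scope=%s)" % (f["severity"], f["coordinates"], f["id"], f["scope"]))
    print("BUILD OK" if ok else "BUILD HALTED: vulnerable dependency at or above threshold")
```

The constructed feed is chosen so that one boundary case shows up: `widget-util 2.0.1` sits exactly on the exclusive upper bound of `[1.0,2.0.1)` and is correctly reported clean, while `widget-core 1.2.3` (HIGH, compile scope) halts the build and the test-scoped `logger` finding is only a warning. In the design the thread discusses, `SAMPLE_FRAGMENTS` would be replaced by fragments fetched from the proposed repository or a REST call keyed on the coordinates, and `enforce` would run as an enforcer rule.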
