Hi, Chas,

thanks for answering, absolutely! I see this as a comprehensive approach
which cannot be done on just one side:
- IETF to define a new header X-something or even HTTP response code
standard i.e. "460 - Content generally known to be insecure"
- Repository providers to implement issuing this header (could be a
community plugin you install on a mirror repo); in fact this is JFrog's and
Sonatype's business to license dashboards with exactly this information; my
point is to iterate whether they would like to issue such a header/response
- None of the above would make sense if Maven community does not have
stakes here.

So now from your answer I could read between the lines "ok in general why
not if repository gives you such a notification" :-)

kind regards

2018-03-07 4:56 GMT+01:00 Chas Honton <c...@honton.org>:

> If you want the package repository to add the header, you will need to
> make your request to Sonatype (Nexus) and JFrog (Artifactory)
> Chas
> > On Mar 6, 2018, at 4:12 AM, Peter Muryshkin <murysh...@gmail.com> wrote:
> >
> > Hi, all,
> >
> > currently you can run OWASP dependency check plugin against your
> projects.
> >
> > Though, this seems to make security more or less optional: unaware either
> > lightheaded teams could miss this.
> >
> > What if a package repository would integrate with this dependency
> checking
> > and issue a warning, say a special HTTP response code or a header?
> >
> > Then, Maven would raise the warning in the console log, like "this
> > component is known to have CVE-XYZ! consider upgrading"
> >
> > What do you think?
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org

Reply via email to