Hello Jacques,

Jacques Le Roux <[email protected]> writes:

> I added the OWASP Dependency Check feature before we switched to
> Gradle. It was then really useful, but it's no disputable as explained
> at
> https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check:
>
> Since OFBiz uses Gradle, all dependent libraries (i.e. also
> dependencies from the libraries OFBiz uses, recursively) are
> loaded by Gradle and analysed by the OWASP Dependency Check
> plugin. So it's materially impossible to check all the possible
> vulnerabilities. I decided to only check the higher ones; currently
> (2017-09-29) we have only already known ones:
>
> So one option could be to completely remove this feature, what do you
> think? (see more at OFBIZ-10700)

I am not familiar with OWASP Dependency Check, but since it doesn't work
on my machine (see OFBIZ-10700) I can hardly see any reason to keep it.

--
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37
