+1 to the OWASP-failure patch. I applied the patch and ran "gradlew -PenableOwasp dependencyCheckAnalyze" on Windows 10, JDK 8, "BUILD SUCCESSFUL in 23m 16s".
-----Original Message-----
From: Mathieu Lirzin [mailto:[email protected]]
Sent: March 3, 2019 18:39
To: [email protected]
Subject: Re: [REMOVE?] OWASP Dependency Check feature (Gradle plugin)

Hello Jacques,

Jacques Le Roux <[email protected]> writes:

> I added the OWASP Dependency Check feature before we switched to
> Gradle. It was then really useful, but it's now disputable as explained
> at
> https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check:
>
> Since OFBiz uses Gradle, all dependent libraries (i.e. also
> dependencies from the libraries OFBiz uses and recursively) are
> loaded by Gradle and analysed by the OWASP Dependency Check
> plugin. So it's materially impossible to check all the possible
> vulnerabilities. I decided to only check the higher ones, currently
> (2017-09-29) we have only already known ones:
>
> So one option could be to completely remove this feature, what do you
> think? (see more at OFBIZ-10700)

I am not familiar with OWASP dependency check, but since it doesn't work on my machine (see OFBIZ-10700) I can hardly see any reason to keep it.

-- 
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37
