Done at revision 1854818.

On 04/03/2019 at 11:14, Shi Jinghai wrote:
+1 to the OWASP-failure patch.

I applied the patch and ran "gradlew -PenableOwasp dependencyCheckAnalyze" on Windows 10, 
JDK 8, "BUILD SUCCESSFUL in 23m 16s".


-----Original Message-----
From: Mathieu Lirzin [mailto:[email protected]]
Sent: 3 March 2019 18:39
To: [email protected]
Subject: Re: [REMOVE?] OWASP Dependency Check feature (Gradle plugin)

Hello Jacques,

Jacques Le Roux <[email protected]> writes:

I added the OWASP Dependency Check feature before we switched to
Gradle. It was then really useful, but it's now disputable, as explained
at
https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check:

    Since OFBiz uses Gradle, all dependent libraries (i.e. also
    dependencies of the libraries OFBiz uses, and recursively) are
    loaded by Gradle and analysed by the OWASP Dependency Check
    plugin. So it's materially impossible to check all the possible
    vulnerabilities. I decided to only check the higher ones; currently
    (2017-09-29) we have only already known ones:

So one option could be to completely remove this feature, what do you
think? (see more at OFBIZ-10700)
I am not familiar with OWASP dependency check, but since it doesn't work
on my machine (See OFBIZ-10700) I can hardly see any reason to keep it.
