Hi,
I created https://issues.apache.org/jira/browse/OFBIZ-12186 for that. It's much
simpler than I feared.
I'll soon commit the attached verification-metadata.xml file there, if nobody
opposes.
We will later need to update it when updating dependencies.
So I'll also update
https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
As actually we no longer use OWASP+Dependency+Check (does not fit with Gradle), we need to remove this page but keep the last section in a new page.
With the switch from jcenter to Maven Central we also need to modify this last section.
We also need to update
https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz
https://cwiki.apache.org/confluence/display/OFBIZ/Load+new+gradle+wrapper+version+on+bintray
https://issues.apache.org/jira/browse/OFBIZ-10213
I'll do so in relation with OFBIZ-12186.
Jacques
On 13/02/2021 at 12:50, Jacques Le Roux wrote:
Hi,
I just read a members thread about this article:
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
One member mentioned that the Groovy project is using Gradle's dependency
verification feature[1] in the Apache Groovy build.
I suggest we do the same, even after the move from JCenter to MavenCentral
where things should be safer.
What do you think?
[1] https://docs.gradle.org/current/userguide/dependency_verification.html
Jacques