More on this Tom and folks...

Some of you may have seen on the news lately that security 101, e.g. patch (and version) upgrades, is critical...

@Tom, can we possibly have the checks reflected on dev@?

Another option which has been thrown out there is the following: https://www.owasp.org/index.php/OWASP_Dependency_Check

I am by no means stating that any one is more appropriate, I do however think that a notification mechanism would be very appropriate.

Lewis
On Sat, Sep 9, 2017 at 6:03 AM, Tom Barber <t...@spicule.co.uk> wrote:

> Hi folks
>
> This isn't supposed to be an alarmist email, but quite enlightening all the same.
>
> I saw a link to a plugin on the Drill mailing list called Dependency Check Report so I wired it into my OODT repo amongst others to see what was flagged up since the Struts fallout.
>
> Anyway, of course it's unlikely but not out of the question to run OODT fronting on to the interwebs so I think this is decent food for thought as to why it's useful to keep dependencies up to date as much as possible.
>
> Here's a selection of the output:
>
> https://www.dropbox.com/s/2ida8dk54yleedo/curator-webapp.html?dl=0
> https://www.dropbox.com/s/wgt1facgjhqiqkq/fmbrowser.html?dl=0
> https://www.dropbox.com/s/o8kqcaktplzjy4y/metadata.html?dl=0
> https://www.dropbox.com/s/cli4pj4jc564f16/pge.html?dl=0
>
> Of course there is a bunch of repetition in there and plenty that aren't over the top severe, some may also be false positives, but as we work through to OODT 2.0 with the new stuff and chopping out the old stuff, reducing these as much as possible I would posture.
>
> Tom

--
http://home.apache.org/~lewismc/
@hectorMcSpector
http://www.linkedin.com/in/lmcgibbney
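One shape the "notification mechanism" Lewis asks for could take, as an added example that is not part of this thread or of the OODT project: a small filter over a dependency-check style JSON report that keeps only findings at or above a CVSS threshold and renders them as a message body. The report structure and field names used here (`dependencies`, `vulnerabilities`, `cvssv3.baseScore`, `cvssv2.score`) are an assumption, and the sample report is constructed.

```python
import json

# Constructed sample in the shape of a dependency-check JSON report. The real
# report carries many more fields; the subset used here is an assumption.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}},
             {"name": "CVE-0000-0002", "severity": "LOW", "cvssv2": {"score": 2.1}},
         ]},
        {"fileName": "example-util-2.3.jar"},   # clean dependency, no findings
        {"fileName": "example-web-0.9.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0003", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
         ]},
    ]
})


def score(vuln):
    """Best available CVSS score: prefer the v3 base score, fall back to v2."""
    v3 = vuln.get("cvssv3", {}).get("baseScore")
    if v3 is not None:
        return float(v3)
    return float(vuln.get("cvssv2", {}).get("score", 0.0))


def findings_above(report_json, threshold):
    """Return (dependency, CVE, score) triples at or above threshold, worst first."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            s = score(vuln)
            if s >= threshold:
                hits.append((dep["fileName"], vuln["name"], s))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def notification(report_json, threshold=7.0):
    """Plain-text body suitable for posting to a list or a CI notification."""
    hits = findings_above(report_json, threshold)
    if not hits:
        return "dependency-check: no findings at CVSS >= %.1f" % threshold
    lines = ["dependency-check: %d finding(s) at CVSS >= %.1f" % (len(hits), threshold)]
    lines += ["  %s  %s  (%.1f)" % h for h in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(notification(SAMPLE_REPORT))
```

Pointing the filter at a real report still leaves the false-positive triage Tom mentions to a human; the threshold only decides what is worth a message.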