Utilizing more than one, if feasible, would be a good avenue to pursue.
On Fri, Sep 15, 2017 at 2:22 AM, lewis john mcgibbney <lewi...@apache.org> wrote:

> More on this Tom and folks...
> Some of you may have seen on the news lately that security 101, e.g. patch (and
> version) upgrades, is critical...
> @Tom, can we possibly have the checks reflected on dev@?
> Another option which has been thrown out there is the following:
> https://www.owasp.org/index.php/OWASP_Dependency_Check
> I am by no means stating that any one is more appropriate; I do, however,
> think that a notification mechanism would be very appropriate.
> Lewis
>
>
> On Sat, Sep 9, 2017 at 6:03 AM, Tom Barber <t...@spicule.co.uk> wrote:
>
>> Hi folks
>>
>> This isn't supposed to be an alarmist email, but quite enlightening all the
>> same.
>>
>> I saw a link to a plugin on the Drill mailing list called Dependency Check
>> Report, so I wired it into my OODT repo amongst others to see what was
>> flagged up since the Struts fallout.
>>
>> Anyway, of course it's unlikely but not out of the question to run OODT
>> fronting on to the interwebs, so I think this is decent food for thought as
>> to why it's useful to keep dependencies up to date as much as possible.
>>
>> Here's a selection of the output:
>>
>> https://www.dropbox.com/s/2ida8dk54yleedo/curator-webapp.html?dl=0
>> https://www.dropbox.com/s/wgt1facgjhqiqkq/fmbrowser.html?dl=0
>> https://www.dropbox.com/s/o8kqcaktplzjy4y/metadata.html?dl=0
>> https://www.dropbox.com/s/cli4pj4jc564f16/pge.html?dl=0
>>
>> Of course there is a bunch of repetition in there and plenty that aren't
>> over the top severe, some may also be false positives, but as we work
>> through to OODT 2.0 with the new stuff and chopping out the old stuff,
>> reducing these as much as possible I would posture.
>>
>> Tom
>>
>
>
>
> --
> http://home.apache.org/~lewismc/
> @hectorMcSpector
> http://www.linkedin.com/in/lmcgibbney
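For readers who want to wire the plugin Tom mentions into a Maven build the way the thread discusses, here is an added pom.xml fragment (not from the thread or from the OODT project) using OWASP dependency-check-maven: it fails the build at a CVSS threshold, so the check itself acts as the notification Lewis asks for, and reads a suppression file for the false positives Tom expects. The plugin version, the CVSS cutoff and the suppression file path are assumptions.

```xml
<!-- Added example, not OODT project code: OWASP dependency-check-maven in a pom.xml -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- Placeholder: pin to the current release of the plugin -->
      <version>CURRENT_RELEASE</version>
      <configuration>
        <!-- Fail the build when any finding scores at or above this CVSS value
             (assumed cutoff; lower it to be stricter) -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Confirmed false positives live here so they stop failing the build
             (path is an assumption; the file uses the plugin's own suppression XML format) -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- ALL writes both the HTML report people read and an XML report a CI step can parse -->
        <format>ALL</format>
      </configuration>
      <executions>
        <execution>
          <!-- "check" runs the scan as part of the normal build, so a new CVE in an
               existing dependency breaks the build instead of waiting for someone to look -->
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Each entry in the suppression file records the CVE being suppressed, the artifact it applies to and a note explaining why it is a false positive, which keeps the "repetition" Tom describes out of the report while leaving a reviewable record of every decision.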