https://github.com/jeremylong/dependency-check-gradle#current-release
Tim Allison pointed us to this on Twitter... Should we use it (maybe
just in "pedantic" mode, because it needs 400MB in the repository)?
Or just recommend our users to use it?
Or should just Tika use it?
It tells whether any components we're using have security risks. This
XML segment is to be put into the pom.xml:
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>2.0.0</version>
  <configuration>
    <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
I tried it with a project that linked PDFBox 2.0.0 (has XXE
vulnerability) and yes, the build stopped.
Tilman
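One way to wire the plugin into an opt-in "pedantic" profile as the mail suggests, as an added example that is not from the mail or from the PDFBox pom. It assumes the dependency-check-maven parameters failBuildOnCVSS, skipTestScope and suppressionFile and a hypothetical suppression file path; run it with mvn -Ppedantic verify.

```xml
<!-- Added example: hypothetical "pedantic" profile for pom.xml.
     The scan runs only when the profile is active, and the build fails
     on a CVSS threshold rather than on every finding, so reviewed
     false positives can be recorded instead of blocking the build.
     Parameter names are assumed from dependency-check-maven; check them
     against the docs of the version you pin. -->
<profiles>
  <profile>
    <id>pedantic</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>2.0.0</version>
          <configuration>
            <!-- fail on CVSS 4.0 or higher (medium and above), not on any finding -->
            <failBuildOnCVSS>4</failBuildOnCVSS>
            <!-- test-scoped dependencies do not ship with the artifact -->
            <skipTestScope>true</skipTestScope>
            <!-- hypothetical path: one entry per reviewed false positive, with a reason -->
            <suppressionFile>${basedir}/dependency-check-suppressions.xml</suppressionFile>
          </configuration>
          <executions>
            <execution>
              <goals>
                <goal>check</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

The default build stays unaffected, so the 400MB NVD download only hits machines that opt into the profile.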