> Tilman Hausherr <[email protected]> wrote on 8 July 2017 at 15:40:
>
>
> https://github.com/jeremylong/dependency-check-gradle#current-release
>
> Tim Allison pointed us to this on Twitter... Should we use it (maybe
> just in "pedantic" mode, because it needs 400MB in the repository)?
>
> Or just recommend that our users use it?
>
> Or should just Tika use it?
>
> It tells whether any components we're using have security risks. This
> XML segment is to be put into the pom.xml:
>
> <plugin>
>   <groupId>org.owasp</groupId>
>   <artifactId>dependency-check-maven</artifactId>
>   <version>2.0.0</version>
>   <configuration>
>     <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
>   </configuration>
>   <executions>
>     <execution>
>       <goals>
>         <goal>check</goal>
>       </goals>
>     </execution>
>   </executions>
> </plugin>
>
> I tried it with a project that linked pdfbox 2.0.0 (has XXE
> vulnerability) and yes, the build stopped.

Let's add this, but just in "pedantic" mode.
Andreas

> Tilman
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> ---------------------------------------------------------------------
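What "just in pedantic mode" looks like in a pom.xml: the plugin from Tilman's snippet wrapped in a Maven profile, so a plain `mvn verify` stays fast and offline while `mvn -Ppedantic verify` downloads the NVD data and fails the build on a known-vulnerable dependency. This is an added example, not PDFBox's own pom.xml and not part of the thread; the profile id `pedantic`, the `suppressionFile` path and the explicit `verify` phase are assumptions.

```xml
<!-- Added example (not PDFBox's pom.xml): dependency-check gated behind a
     "pedantic" profile. Without -Ppedantic the plugin is not resolved or run,
     so the ~400MB NVD data mentioned in the thread is only fetched on demand.
     Profile id, suppression-file path and phase are assumptions. -->
<profiles>
  <profile>
    <id>pedantic</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>2.0.0</version>
          <configuration>
            <!-- Fail on any reported CVE, regardless of its CVSS score. -->
            <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
            <!-- Assumed location for reviewed false positives. Keeping the
                 file in the repository means every suppression goes through
                 the same review as a code change. -->
            <suppressionFile>src/tools/owasp-suppressions.xml</suppressionFile>
          </configuration>
          <executions>
            <execution>
              <goals>
                <goal>check</goal>
              </goals>
              <!-- Run the scan after the artifact is built and tests have
                   passed, so a failing scan is reported as its own step. -->
              <phase>verify</phase>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Run `mvn -Ppedantic verify` to execute the check; an unprofiled `mvn verify` does not touch the plugin at all. With `failBuildOnAnyVulnerability` set, the first matching CVE stops the build, which is the behaviour Tilman observed with a project that linked pdfbox 2.0.0.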
