That's great news!

Security is always important in industry.

Thanks,
S.


On 26/12/21 18:51, Christofer Dutz wrote:
Hi all,

As I was a bit unsure whether we really got all the potentially vulnerable log4j 
versions excluded (yes, we did), I enabled the OWASP dependency checker.
I also updated all dependencies to the latest released versions, as most of 
the integration modules in particular just received fixed versions.

With the OWASP Maven plugin enabled, we now continuously check our build 
against the official CVE registry. If a dependency is detected for which any 
non-minor vulnerabilities exist, the build automatically fails.

I did need to tweak some dependencies a bit, but now I was able to set 
the score to 4, which means that we don't have any dependency in our tree that 
has any medium or severe issues reported.

The first build might take a bit longer, as the plugin must download the bug 
databases for the last few years, but this only has to be done once.

Chris
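The setup Chris describes, as an added example of the plugin configuration (this is not the PLC4X project's own pom.xml, and the plugin version and suppression-file path are assumptions): the OWASP dependency-check Maven plugin bound to the build with its fail threshold set to CVSS 4, so any dependency with a reported medium (4.0 and up) or higher vulnerability fails the build.

```xml
<!-- Added example, not the project's own pom.xml: wiring the OWASP
     dependency-check Maven plugin into a build so that it fails on any
     dependency carrying a CVE with CVSS >= 4.0 (medium or higher).
     The plugin version below is an assumption; use a current release. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>6.5.3</version>
      <configuration>
        <!-- Fail the build on any finding scored 4.0 or higher. Minor
             (low, CVSS 0.1-3.9) findings are still reported but don't fail. -->
        <failBuildOnCVSS>4</failBuildOnCVSS>
        <!-- Reviewed false positives go into a suppression file
             (hypothetical path) rather than into a lower threshold,
             so each exception is written down and can be re-checked. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <!-- The check goal binds to the verify phase by default, so every
               "mvn verify" (and thus every release build) runs the scan. -->
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Running `mvn verify` with this in place performs the scan; as noted above, the first run is slow because the plugin has to pull the NVD data locally, and later runs only fetch updates. The threshold of 4 is the lower bound of the "medium" band in both CVSS v2 and v3 severity ratings, which is why it corresponds to "no medium or severe issues".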


