Hehe ... Well then, I hope 2022 will be known as the year that the industry finally paid attention to it ;) (Sorry, couldn't resist) ... and possibly paid people to make and keep things safe.
Chris

-----Original Message-----
From: Stefano Bossi <[email protected]>
Sent: Monday, 27 December 2021 16:31
To: [email protected]
Subject: Re: [NOTICE] Enabled OWASP plugin ... automated CVE checks ...

That's great news!
Security is always important in industry.

Thanks,
S.

On 26/12/21 18:51, Christofer Dutz wrote:
> Hi all,
>
> as I was a bit unsure if we really got all the potentially vulnerable log4j
> versions excluded (yes, we did), I enabled the OWASP dependency checker.
> I also updated all dependencies to the latest released versions, as
> especially most of the integration modules just received fixed versions.
>
> With the OWASP Maven plugin enabled, we now continuously check our build
> against the official CVE registry. If a dependency is detected for which any
> non-minor vulnerabilities exist, the build automatically fails.
>
> I did need a bit of tweaking of some dependencies, but now I was able to set
> the score to 4, which means that we don't have any dependency in our tree that
> has any medium or severe issues reported.
>
> The first build might take a bit longer, as the plugin must download the bug
> databases for the last years, but this only has to be done once.
>
> Chris
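As an added example (not the project's own pom.xml and not quoted from the thread), this is the shape of Maven configuration the quoted message describes: the org.owasp:dependency-check-maven plugin bound into the build with failBuildOnCVSS set to 4, so any dependency carrying a reported vulnerability scored 4.0 or higher (the start of the CVSS "Medium" band) fails the build. The plugin version, the explicit phase binding and the suppression-file path are assumptions.

```xml
<!-- Added example, not PLC4X's pom.xml. Version, phase and suppression path are assumptions. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>6.5.0</version> <!-- assumed; use a current release -->
      <configuration>
        <!-- Fail on any finding with CVSS >= 4.0. CVSS "Medium" starts at 4.0,
             so this is the "no medium or severe issues" threshold from the mail.
             Findings below 4.0 (the "minor" ones) are still reported, just not fatal. -->
        <failBuildOnCVSS>4</failBuildOnCVSS>
        <!-- Confirmed false positives are listed here, scoped to a package and CVE,
             instead of being hidden by raising the threshold. Path is an assumption. -->
        <suppressionFiles>
          <suppressionFile>${maven.multiModuleProjectDirectory}/owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <!-- "verify" is the goal's default phase; stated explicitly here so the
               check runs on every "mvn verify"/"mvn install", not only on demand. -->
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Two practical notes. The first run downloads the NVD data feeds into the local Maven repository, which is the slow initial build the mail mentions; later runs only fetch incremental updates. In a multi-module build, the `check` goal evaluates each module on its own; the `aggregate` goal produces one report and one pass/fail over the whole reactor, which is closer to "no dependency in our tree" and is worth considering when the goal is a single build-wide gate.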
