[
https://issues.apache.org/jira/browse/TIKA-3648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17478178#comment-17478178
]
Tim Allison commented on TIKA-3648:
-----------------------------------
I'm +1 on dependabot. There are a few dependencies that we can't upgrade yet –
commented in tika-parent's pom.xml (e.g. mime4j), but dependabot only sends one
ping/PR per dependency and we can ignore it for those dependencies, right?
> Fail build if ossindex-maven-plugin violation is detected
> ---------------------------------------------------------
>
> Key: TIKA-3648
> URL: https://issues.apache.org/jira/browse/TIKA-3648
> Project: Tika
> Issue Type: Improvement
> Components: build, security
> Affects Versions: 2.2.1
> Reporter: Lewis John McGibbney
> Assignee: Lewis John McGibbney
> Priority: Critical
> Fix For: 2.2.2
>
>
> The ossindex-maven-plugin can really assist us in detecting and preventing
> security vulnerabilities and also mitigating associated risk and exposure.
> I propose to fail the build if ossindex-maven-plugin violation is detected
> https://github.com/apache/tika/blob/main/tika-parent/pom.xml#L639
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
