GitHub user rzo1 opened a pull request:
https://github.com/apache/tomee/pull/276
TOMEE-2363 Introduces OWASP dependency check via profile
This PR introduces the [OWASP Dependency Check Maven
Plugin](https://jeremylong.github.io/DependencyCheck/index.html) in a basic
configuration at the parent pom level of the project.
As the dependency checking is quite expensive (see time below), I added it
as a separate profile `owasp`. To enable it in the Maven build process, you
just need to add `-Powasp`. An aggregated report `dependency-check-report.html`
is created in the target directory of the root project.
I also added some exclusions related to false positives (see
`owasp-dc-suppression.xml`).
I also added the aggregated output for the run on my second system:
[dependency-check-report.zip](https://github.com/apache/tomee/files/2679597/dependency-check-report.zip)
Some timings for my system (here Windows, on Linux it is a lot faster...)
QuickBuild without OWASP: 07:08 min
QuickBuild with OWASP 1st RUN: 26:02 min (pre-caching vulnerabilities)
QuickBuild with OWASP 2nd+ RUN: 13:06 min
Note that I did not yet include failing the build based on CVE scores.
However, we should decide on a common CVE score value to do so on the CI
systems. If this PR holds your expectations, I can backport this to 7.0.x and
7.1.x branches. In a next step, we can analyze the outcomes and create JIRA
issues and/or enhance the suppression configuration for false positives.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/rzo1/tomee TOMEE-2363-OWASP-Dependency
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/tomee/pull/276.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #276
----
commit abac13284b8483327c183fb6490a1d6ee15f81b8
Author: rzo1 <richard@...>
Date: 2018-12-13T16:18:20Z
TOMEE-2363 Introduces OWASP dependency check via profile
----
---
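For readers unfamiliar with how a profile-gated dependency check is wired up, the following is an added example and not the pom changes from this PR or from the TomEE project: an `owasp` profile at the parent pom level that runs the OWASP Dependency Check Maven Plugin in `aggregate` mode (so a single `dependency-check-report.html` lands in the root project's `target` directory, as the description states) and points it at a suppression file. The plugin version, the `${session.executionRootDirectory}` path to the suppression file, the commented-out CVSS threshold and the suppression entry itself (package URL pattern and `CVE-XXXX-XXXXX`) are placeholders and assumptions, not values taken from the PR.

```xml
<!-- ===== Part 1: profile fragment for the parent pom.xml (added example, not the PR's code) ===== -->
<profiles>
  <profile>
    <!-- Activated only with -Powasp, because the scan is expensive (see the timings above) -->
    <id>owasp</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <!-- placeholder: pin to the release you have verified -->
          <version>X.Y.Z</version>
          <configuration>
            <!-- reviewed false positives live in one file at the root of the multi-module build -->
            <suppressionFiles>
              <suppressionFile>${session.executionRootDirectory}/owasp-dc-suppression.xml</suppressionFile>
            </suppressionFiles>
            <!-- Not enabled by the PR: once a common CVSS threshold is agreed for CI,
                 uncomment this so the build fails for findings at or above that score. -->
            <!-- <failBuildOnCVSS>7</failBuildOnCVSS> -->
          </configuration>
          <executions>
            <execution>
              <goals>
                <!-- aggregate = one report for all modules in the root project's target dir -->
                <goal>aggregate</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>

<!-- ===== Part 2: owasp-dc-suppression.xml (constructed example entry, not the PR's file) ===== -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <!-- Always record why the finding was judged a false positive, so the entry can be re-reviewed -->
    <notes>Constructed example: the CPE match is for a different product than this artifact.</notes>
    <!-- regex over the package URL so every version of the artifact is covered (assumed coordinates) -->
    <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
    <!-- placeholder identifier; suppress one specific CVE rather than the whole artifact -->
    <cve>CVE-XXXX-XXXXX</cve>
  </suppress>
</suppressions>
```

Run with `mvn -Powasp verify` (or whatever the project's quick build invocation is, plus `-Powasp`). Two design points worth keeping in mind when reviewing a change like this: suppress by a specific CVE plus a package pattern rather than by artifact alone, so a genuinely new vulnerability in the same library still surfaces; and keep the `<notes>` text mandatory in review, since a suppression file with no rationale quietly turns into a list of ignored findings.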