On 06/07/18 22:27, Joe Murphy wrote:
https://github.com/jeremylong/DependencyCheck
I've been running this OWASP DependencyCheck for about a year on various
projects; it can be as easy as adding the following to the Travis or
Jenkins file:

    mvn org.owasp:dependency-check-maven:aggregate -Dformat=ALL -DsuppressionFile=./.mvn/owasp-suppression.xml
e.g. https://github.com/B3Partners/brmo/blob/master/Jenkinsfile#L118
and adding the following to the pluginManagement section of the parent
pom file:
    <pluginManagement>
        ...
        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>3.2.1</version>
        </plugin>
        ...
    </pluginManagement>
e.g. https://github.com/B3Partners/brmo/blob/master/pom.xml#L884-L888
Probably you'll want to set up a suppression file to catch false
positives, like
https://github.com/B3Partners/brmo/blob/master/.mvn/owasp-suppression.xml
I have suppressions in place for CVE-2015-6737 in gt-swing and
CVE-2005-0406 in gt-coverage.
I have a similar setup in https://github.com/flamingo-geocms/flamingo
hth, Mark
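The suppression file the post refers to, written out here as an added illustration (it is not a copy of the brmo project's own file). It assumes the GeoTools artifacts carry the groupId org.geotools and that the file lives at the path passed via -DsuppressionFile above; the two CVE numbers and artifact names are the ones named in the post. The point of scoping each <suppress> to one artifact (a gav regex) and one CVE is that the entry cannot silently hide a different, real finding on the same jar later, and the <notes> and until attribute leave a record of why and for how long the finding was dismissed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ./.mvn/owasp-suppression.xml : constructed example, not the brmo project's file.
     Schema 1.1 of dependency-check's suppression format.
     One <suppress> per (artifact, CVE) pair keeps each exception as narrow as possible. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

    <!-- gt-swing / CVE-2015-6737 : reported as a false positive in the post above.
         groupId org.geotools is an assumption; adjust to the actual coordinates.
         'until' is a real attribute: after that date the finding is reported again,
         forcing a re-review rather than a permanent blind spot (date is a placeholder). -->
    <suppress until="2019-01-01Z">
        <notes><![CDATA[
        False positive: CVE-2015-6737 does not apply to gt-swing.
        Reason: <record here why the match is wrong>
        Reviewed by: <name>  on: <date>  Re-check when upgrading GeoTools.
        ]]></notes>
        <gav regex="true">^org\.geotools:gt-swing:.*$</gav>
        <cve>CVE-2015-6737</cve>
    </suppress>

    <!-- gt-coverage / CVE-2005-0406 : second false positive named in the post. -->
    <suppress until="2019-01-01Z">
        <notes><![CDATA[
        False positive: CVE-2005-0406 does not apply to gt-coverage.
        Reason: <record here why the match is wrong>
        Reviewed by: <name>  on: <date>
        ]]></notes>
        <gav regex="true">^org\.geotools:gt-coverage:.*$</gav>
        <cve>CVE-2005-0406</cve>
    </suppress>

</suppressions>
```

A quick way to confirm the file is being picked up is to run the aggregate goal once without -DsuppressionFile and once with it: the two CVEs should disappear from the HTML/JSON report in the second run, and nothing else should change. If other findings also vanish, a regex is matching more than intended.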
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users