[ https://issues.apache.org/jira/browse/AMQ-7023?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeff Genender resolved AMQ-7023. -------------------------------- Resolution: Fixed Fix Version/s: 5.15.5 5.16.0 > Add OWASP Dependency Check to build (all open source projects everywhere) > ------------------------------------------------------------------------- > > Key: AMQ-7023 > URL: https://issues.apache.org/jira/browse/AMQ-7023 > Project: ActiveMQ > Issue Type: New Feature > Components: Broker > Affects Versions: 5.15.3, 5.15.4 > Environment: All development, build, test, environments. > Reporter: Albert Baker > Priority: Major > Labels: build, easyfix, security > Fix For: 5.16.0, 5.15.5 > > Original Estimate: 1h > Remaining Estimate: 1h > > Please add OWASP Dependency Check to the ActiveMQ build (pom.xml). OWASP DC > makes an outbound REST call to MITRE Common Vulnerabilities & Exposures (CVE) > to perform a lookup for each dependant .jar > OWASP Dependency check : > [https://www.owasp.org/index.php/OWASP_Dependency_Check > |https://www.owasp.org/index.php/OWASP_Dependency_Check]has plug-ins for most > Java build/make types (ant, maven, gradle). Add the appropriate command to > the nightly build to generate a report of all known vulnerabilities in > any/all third party libraries/dependencies that get pulled in. > Generating this report nightly/weekly will help inform the project's > development team if any dependant libraries have a reported known > vulneraility. Project teams that keep up with removing vulnerabilities on a > weekly basis weekly basis will help protect businesses that rely on these > open source componets. -- This message was sent by Atlassian JIRA (v7.6.3#76005)