[ 
https://issues.apache.org/jira/browse/MNG-6487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17625748#comment-17625748
 ] 

Abdel Hajou commented on MNG-6487:
----------------------------------

Hi [~khmarbaise] , I just realized I added the plugin to the parent POM of 
maven-core, not to the maven-parent project itself. I can move it to 
micronaut-parent, but this would mean all maven repositories might have 
breaking builds when upgrading to the latest maven-parent version.

About the CVSS threshold: should every Maven project be able to override the 
threshold or should we set a baseline for all Maven projects? E.g. could 
maven-core have a CVSS threshold of 7.0 and maven-surefire have a threshold of 
4.0?

> Adding CVE Checks via OWASP
> ---------------------------
>
>                 Key: MNG-6487
>                 URL: https://issues.apache.org/jira/browse/MNG-6487
>             Project: Maven
>          Issue Type: Improvement
>            Reporter: Karl Heinz Marbaise
>            Priority: Critical
>
> {{mvn compile org.sonatype.ossindex.maven:ossindex-maven-plugin:audit}}
> Result on all modules is a CVSS-score threshold: 0.0
> In contrast: IIRC the owasp dependency plugin gave several false positives.
> We should consider adding this to the maven-parent to get early notifications 
> on known CVEs.
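As an added illustration of the per-project override question raised in the comment (not a POM from the ticket or from the Maven project itself): the ossindex-maven-plugin's audit goal takes a cvssScoreThreshold parameter, so a parent POM can bind it to a Maven property with a conservative default, and any child project can raise or lower it by redefining that property. The property name `ossindex.cvssScoreThreshold`, the execution id and the version placeholder are assumptions.

```xml
<!-- Hypothetical maven-parent excerpt: a baseline threshold that children may override -->
<project>
  <properties>
    <!-- assumed property name; 0.0 means any reported vulnerability fails the build -->
    <ossindex.cvssScoreThreshold>0.0</ossindex.cvssScoreThreshold>
  </properties>
  <build>
    <plugins>
      <plugin>
        <groupId>org.sonatype.ossindex.maven</groupId>
        <artifactId>ossindex-maven-plugin</artifactId>
        <version>PLUGIN_VERSION_PLACEHOLDER</version>
        <executions>
          <execution>
            <id>audit-dependencies</id>
            <!-- bound to a lifecycle phase so every build runs the audit, not only manual invocations -->
            <phase>verify</phase>
            <goals>
              <goal>audit</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <!-- fail the build when a dependency has a known vulnerability scored at or above the threshold -->
          <fail>true</fail>
          <cvssScoreThreshold>${ossindex.cvssScoreThreshold}</cvssScoreThreshold>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

<!-- Hypothetical child project (e.g. maven-surefire): only findings scored 4.0 or higher break the build -->
<project>
  <!-- <parent> element pointing at the maven-parent above omitted for brevity -->
  <properties>
    <ossindex.cvssScoreThreshold>4.0</ossindex.cvssScoreThreshold>
  </properties>
</project>
```

Because a child's `<properties>` take precedence over the parent's, each project chooses its own baseline without repeating the plugin configuration, and a project that wants the strict default simply leaves the property alone.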



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
