[
https://issues.apache.org/jira/browse/NIFI-13493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17862893#comment-17862893
]
ASF subversion and git services commented on NIFI-13493:
--------------------------------------------------------
Commit e4014b5525c2b26fc02c6c4c241b82e1fec7b520 in nifi's branch
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=e4014b5525 ]
NIFI-13493 Removed dependency-check GitHub workflow
This closes #9037
- Upgraded dependency-check plugin from 9.1.0 to 10.0.1
Signed-off-by: Joseph Witt <[email protected]>
> Disable dependency-check workflow
> ---------------------------------
>
> Key: NIFI-13493
> URL: https://issues.apache.org/jira/browse/NIFI-13493
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Tools and Build
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The dependency check workflow executes the OWASP Dependency Check Maven
> Plugin to evaluate project dependencies against current published
> vulnerabilities. Although this provides benefits, changes in version 9 of the
> plugin involve using the new NVD API which has significant rate limits.
> Additional caching options should be evaluated, but removing the workflow for
> now avoids false positives. Running the dependency-check profile on a local
> build still provides value, but other approaches should be evaluated for
> automated vulnerability scanning.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
