[ https://issues.apache.org/jira/browse/OFBIZ-7930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15448908#comment-15448908 ]

Jacques Le Roux commented on OFBIZ-7930:
----------------------------------------

Thanks Taher, much appreciated.

# https://github.com/jeremylong/dependency-check-gradle#what-if-my-project-includes-multiple-sub-project-how-can-i-use-this-plugin-for-each-of-them-including-the-root-project
# The purpose is two-fold.
## To inform our users about possible vulnerabilities in our external dependencies
## To fix them as much as possible before exposing them to the public
Committers are more concerned, but everybody can help.
# I put it here: https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
It's actually reports from versions in the svn repo.
I want to have a report for each release and even for each supported branch, including trunk of course.
Once you have the report it's nice to publish it. But before that it should be used to fix possible vulnerabilities in our external dependencies.
Note that the suppress file is needed because OWASP-DC reports a lot of false positives initially. AFAIK there are no other such free tools.
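As an added illustration (not the commenter's or OFBiz's own build file), here is a root build.gradle sketch that applies the plugin to the root project and every sub-project, as the linked FAQ describes, and points it at a suppression file for the false positives mentioned above. The plugin version, the suppression file path and the CVSS threshold are assumed placeholders.

```groovy
// Added example, not taken from OFBiz: root build.gradle of a multi-project build.
// Plugin version, file paths and the CVSS threshold are assumptions.
buildscript {
    repositories { mavenCentral() }
    dependencies {
        // Version is a placeholder; pick a current release of the plugin.
        classpath 'org.owasp:dependency-check-gradle:X.Y.Z'
    }
}

// Apply to the root project and all sub-projects so one run covers the
// whole build (the multi-project setup the linked FAQ describes).
allprojects {
    apply plugin: 'org.owasp.dependencycheck'

    dependencyCheck {
        // Suppression file (assumed path): each <suppress> entry records why a
        // reported CVE does not apply, e.g. a wrong artifact was matched. Keep
        // it under version control so every suppression is reviewed like code.
        suppressionFile = "$rootDir/config/dependency-check-suppressions.xml"

        // Fail the build on any dependency scoring CVSS 7 or higher (assumed
        // threshold), so a new high-severity finding cannot be published silently.
        failBuildOnCVSS = 7

        // Write HTML (for publishing, as on the wiki) and XML (machine-readable).
        format = 'ALL'
    }
}
```

With this in place, `gradle dependencyCheckAggregate` from the root produces one combined report for all sub-projects, which is the per-branch report the comment asks for; `dependencyCheckAnalyze` runs each project on its own.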

> Load the OWASP dependency checker Gradle plugin efficiently
> -----------------------------------------------------------
>
>                 Key: OFBIZ-7930
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-7930
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: Upcoming Branch
>
>
> As I warned at 
> https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
> it's currently difficult to separate the OFBiz jars from other jars in 
> .gradle\caches, which may contain jars unrelated to OFBiz. Notably 
> Eclipse jars if you use the Gradle Eclipse task, and more if you use Gradle 
> for other reasons than OFBiz.
> I have not yet found a way to avoid having all external jars in .gradle\caches 
> and I wonder if it's even possible. What I would like to have is the external 
> jars mandatory for OFBiz to work in an isolated place, for instance a sub 
> folder of the main Gradle build folder. I picked $buildDir/externalJars.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
