[ https://issues.apache.org/jira/browse/OFBIZ-10213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-10213:
------------------------------------
    Description: 
We want to check from time to time if we need to update the dependencies.

It's easily done with the 
[gradle-versions-plugin|https://github.com/ben-manes/gradle-versions-plugin], 
which analyzes the dependencies and checks if there are newer versions available.

Running the check with
{code:java}
gradlew -PenableDependencyUpdates dependencyUpdates -Drevision=release
{code}

We get a list of dependencies to update. This is an umbrella task for action 
tasks.

It's then good to run OWASP dependency check to get a report about the security 
situation. Note though that all dependent libraries (i.e. also dependencies of 
the libraries OFBiz uses, recursively) are loaded by Gradle and analysed by 
the OWASP Dependency Check plugin. So it's materially impossible to check all 
the possible vulnerabilities. You can refer to this wiki page: 
[About OWASP Dependency Check|https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check].

We have problems with a number of libs. We keep comments in the main 
build.gradle for special updating issues. For ease of use, you may also refer 
to the "Libs that can't be updated in their last version" section of the 
[About OWASP Dependency Check|https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check] 
wiki page. Beware that this may not be as up to date as the main 
build.gradle file.
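As an added illustration of how the two checks described above fit together in a Gradle build (this is example configuration, not OFBiz's own build.gradle and not code from either plugin), the fragment below applies gradle-versions-plugin and the OWASP dependency-check plugin, gates `dependencyUpdates` behind the `-PenableDependencyUpdates` property used in the command above, and makes the OWASP scan fail the build on High/Critical CVSS scores while recording accepted findings in a suppression file. Assumptions: the plugin versions are simply ones current when this was written, the `onlyIf` guard is one possible way of honouring `-PenableDependencyUpdates` (OFBiz may gate it differently), the suppression file path `config/owasp-suppressions.xml`, the `NVD_API_KEY` environment variable name and the `auditDependencies` task are all placeholders chosen for the example.

```groovy
// Added example, not OFBiz's build.gradle. Plugin versions are the ones current
// when this was written; paths, env var and task names below are placeholders.
plugins {
    id 'com.github.ben-manes.versions' version '0.51.0'
    id 'org.owasp.dependencycheck' version '9.0.9'
}

// gradle-versions-plugin: lists newer versions of the declared dependencies.
// The plugin reads -Drevision itself, which is why the command in the issue
// passes -Drevision=release; the onlyIf guard (an assumption here) turns the
// task into a no-op unless -PenableDependencyUpdates is given.
tasks.named('dependencyUpdates').configure {
    onlyIf { project.hasProperty('enableDependencyUpdates') }
    revision = System.getProperty('revision', 'release')
    checkForGradleUpdate = true
    outputFormatter = 'plain,json'          // JSON is handy for follow-up scripting
    outputDir = 'build/dependencyUpdates'
    // Heuristic: hide pre-release candidates so only stable upgrades are listed.
    rejectVersionIf {
        def v = it.candidate.version.toLowerCase()
        (v =~ /[.-](alpha|beta|rc|cr|m)\d*([.-]|$)/).find()
    }
}

// OWASP dependency-check: every resolved artifact, transitive ones included,
// is analysed, so the report is large. Scan only what ships, fail the build on
// High/Critical findings, and keep accepted findings in a reviewed suppression
// file rather than silencing whole configurations.
dependencyCheck {
    scanConfigurations = ['runtimeClasspath']          // what actually ships
    formats = ['HTML', 'JSON']                         // HTML to read, JSON to script
    failBuildOnCVSS = 7.0f                             // CVSS >= 7 fails the build
    suppressionFile = 'config/owasp-suppressions.xml'  // placeholder path
    analyzers {
        assemblyEnabled = false                        // no .NET artifacts here
    }
    nvd {
        apiKey = System.getenv('NVD_API_KEY')          // placeholder env var name
    }
}

// Convenience task (placeholder name) running both checks in one invocation:
//   gradlew -PenableDependencyUpdates auditDependencies -Drevision=release
tasks.register('auditDependencies') {
    group = 'verification'
    description = 'Lists outdated dependencies, then runs OWASP dependency-check.'
    dependsOn 'dependencyUpdates', 'dependencyCheckAnalyze'
}
```

With `failBuildOnCVSS` at its default the scan only reports; setting it to 7 makes the CI run fail on High and Critical findings, and each entry in the suppression file then documents why a given CVE does not apply to the way the library is used, which is the same purpose the comments in the main build.gradle serve for libs that cannot be updated.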


  was:
We want to check from time to time if we need to update the dependencies.

It's easily done with the 
[gradle-versions-plugin|https://github.com/ben-manes/gradle-versions-plugin], 
which analyzes the dependencies and checks if there are newer versions available.

Running the check with
{code:java}
gradlew -PenableDependencyUpdates dependencyUpdates -Drevision=release
{code}

We get a list of dependencies to update. This is an umbrella task for action 
tasks.

We have problems with a number of libs. We keep comments in the main 
build.gradle for special updating issues.

It's then good to run OWASP dependency check to get a report about the security 
situation. Note though that all dependent libraries (i.e. also dependencies of 
the libraries OFBiz uses, recursively) are loaded by Gradle and analysed by 
the OWASP Dependency Check plugin. So it's materially impossible to check all 
the possible vulnerabilities. You can refer to this wiki page: 
[About OWASP Dependency Check|https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check].




> Update build.gradle to the latest dependencies
> ----------------------------------------------
>
>                 Key: OFBIZ-10213
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10213
>             Project: OFBiz
>          Issue Type: Task
>          Components: Gradle
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Trivial
>         Attachments: OFBIZ-10213.patch, OFBIZ-10213.patch, OFBIZ-10213.patch
>
>
> We want to check from time to time if we need to update the dependencies.
> It's easily done with the 
> [gradle-versions-plugin|https://github.com/ben-manes/gradle-versions-plugin], 
> which analyzes the dependencies and checks if there are newer versions available.
> Running the check with
> {code:java}
> gradlew -PenableDependencyUpdates dependencyUpdates -Drevision=release
> {code}
> We get a list of dependencies to update. This is an umbrella task for action 
> tasks.
> It's then good to run OWASP dependency check to get a report about the 
> security situation. Note though that all dependent libraries (i.e. also 
> dependencies of the libraries OFBiz uses, recursively) are loaded by 
> Gradle and analysed by the OWASP Dependency Check plugin. So it's materially 
> impossible to check all the possible vulnerabilities. You can refer to this 
> wiki page: 
> [About OWASP Dependency Check|https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check].
> We have problems with a number of libs. We keep comments in the main 
> build.gradle for special updating issues. For ease of use, you may also refer 
> to the "Libs that can't be updated in their last version" section of the 
> [About OWASP Dependency Check|https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check] 
> wiki page. Beware that this may not be as up to date as the main 
> build.gradle file.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)