Jacques Le Roux created OFBIZ-13121:
---------------------------------------

             Summary: Abandon the Gradle Owasp dependencycheck task
                 Key: OFBIZ-13121
                 URL: https://issues.apache.org/jira/browse/OFBIZ-13121
             Project: OFBiz
          Issue Type: Task
          Components: Gradle
    Affects Versions: 18.12.16
            Reporter: Jacques Le Roux
            Assignee: Jacques Le Roux
             Fix For: 18.12.16

Following this conversation [https://lists.apache.org/thread/lnfvbfm5wfyhj6f111njo8movwd84ylr]

With here an excerpt:

{quote}
We have abandoned this feature for years as it was no longer usable (too many false positives, in large numbers).
[https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check]

The last time I tried to use it was after the last commit for https://issues.apache.org/jira/browse/OFBIZ-10700
[http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/build.gradle?r1=1854818&r2=1854817&pathrev=1854818]

I just tried and got this:

{noformat}
C:\projectsASF\Git\ofbiz-framework>gradlew -PenableOwasp dependencyCheckAnalyze
Starting a Gradle Daemon (subsequent builds will be faster)
[...]
> Task :dependencyCheckAnalyze
Verifying dependencies for project ofbiz
Checking for updates and analyzing dependencies for vulnerabilities
An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
{noformat}

Actually nothing happens in a reasonable time and I bet it would be mostly unusable. You though may try to follow the NVD API key way, whatever it is.

I forgot to remove this information in the main README files (actually in all OFBiz versions supported). You see the README trunk version GH repo.

Thanks to your report I'll remove this information and the related code in a week, except if you come back with something positive.

Jacques
{quote}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)