[ https://issues.apache.org/jira/browse/OFBIZ-13121?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17889150#comment-17889150 ]

ASF subversion and git services commented on OFBIZ-13121:
---------------------------------------------------------

Commit 67fbf13e9b4e12401cd593ceae34c78e7e7fa721 in ofbiz-framework's branch refs/heads/trunk from Danny Trunk
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=67fbf13e9b ]

Updated several (transitive) dependencies (OFBIZ-13123) (#819)

* Fixed: Corrections based on Checkstyle errors

* Improved: Upgrade to gradle 8.8

* Revert "Improved: Abandon the Gradle Owasp dependencycheck task (OFBIZ-13121)"

NVD REST API isn't stable but that shouldn't be the reason to abandon this feature.
This reverts commit 0a9ee32539a6abe1c3e5d2805fb03df1e8d98144.

* Improved: Update org.owasp.dependencycheck to 10.0.2

* Improved: Set checkstyle.toolVersion

* Improved: Add guava as dependency

It's used in the OFBiz codebase so this should be added as a dependency

* Improved: Update esapi to 2.5.4.0

* Improved: Update jackson-databind to 2.17.1

* Improved: Update derby to 10.16.1.1

* Fixed: Corrections based on Checkstyle errors

* Improved: Update clojure to 1.11.3

* Improved: Update transitive dependency mime4j to 0.8.10

* Improved: Update fop to 2.9

* Improved: Update tika parsers to 2.9.2

* Improved: Update transitive dependency bcprov-jdk18on to 1.78

* Improved: Update Apache CXF Runtime JAX-RS Frontend to 3.6.3

* Improved: Update jdom to 2.0.6.1

* Improved: Update ez-vcard to 0.12.1

* Improved: Update poi to 5.3.0

* Improved: Update Apache MINA sshd to 2.13.1

* Improved: Update Groovy to 4.0.22

* Improved: Update transitive dependency testng to 7.7.0

* Improved: Update Asciidoctor Gradle Plugin to 4.0.2

* Improved: Update Apache CXF Runtime JAX-RS Frontend to 3.6.4

* Improved: Update Apache PDFBox to 2.0.32

---------

Co-authored-by: Jacques Le Roux <jacques.le.r...@les7arts.com>

> Keep the Gradle Owasp dependencycheck task
> -------------------------------------------
>
> Key: OFBIZ-13121
> URL: https://issues.apache.org/jira/browse/OFBIZ-13121
> Project: OFBiz
> Issue Type: Task
> Components: Gradle
> Affects Versions: 18.12.16
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Trivial
> Fix For: 18.12.17
>
>
> Following this conversation
> [https://lists.apache.org/thread/lnfvbfm5wfyhj6f111njo8movwd84ylr]
> With here an excerpt:
> {quote}
> We have abandoned this feature for years as it was no longer usable (too much
> false positive in large numbers).
> [https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check]
> The last time I tried to use it was after the last commit for
> https://issues.apache.org/jira/browse/OFBIZ-10700
> [http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/build.gradle?r1=1854818&r2=1854817&pathrev=1854818]
> I just tried and got this:
> {noformat}
> C:\projectsASF\Git\ofbiz-framework>gradlew -PenableOwasp dependencyCheckAnalyze
> Starting a Gradle Daemon (subsequent builds will be faster)
> [...]
> > Task :dependencyCheckAnalyze
> Verifying dependencies for project ofbiz
> Checking for updates and analyzing dependencies for vulnerabilities
> An NVD API Key was not provided - it is highly recommended to use an NVD API
> key as the update can take a VERY long time without an API Key
> {noformat}
> Actually nothing happens in a reasonable time and I bet it would be mostly
> unusable. You though may try to follow the NVD API key way, whatever it is.
> I forgot to remove this information in the main README files (actually in all
> OFBiz versions supported). You see the README trunk version GH repo.
>
> Thanks to your report I'll remove this information and the related code in a
> week, except if you come back with something positive.
> Jacques
> {quote}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)