[ https://issues.apache.org/jira/browse/OFBIZ-13121?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-13121.
-----------------------------------
Resolution: Done
Closing, after OFBIZ-13123 nothing more needed here
> Keep the Gradle Owasp dependencycheck task
> -------------------------------------------
>
> Key: OFBIZ-13121
> URL: https://issues.apache.org/jira/browse/OFBIZ-13121
> Project: OFBiz
> Issue Type: Task
> Components: Gradle
> Affects Versions: 18.12.16
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Trivial
> Fix For: 18.12.17
>
>
> Following this conversation
> [https://lists.apache.org/thread/lnfvbfm5wfyhj6f111njo8movwd84ylr]
> With here an excerpt:
> {quote}
> We have abandoned this feature for years as it was no longer usable (too many
> false positives in large numbers).
> [https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check]
> The last time I tried to use it was after the last commit for
> https://issues.apache.org/jira/browse/OFBIZ-10700
> [http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/build.gradle?r1=1854818&r2=1854817&pathrev=1854818]
> I just tried and got this:
> {noformat}
> C:\projectsASF\Git\ofbiz-framework>gradlew -PenableOwasp dependencyCheckAnalyze
> Starting a Gradle Daemon (subsequent builds will be faster)
> [...]
> > Task :dependencyCheckAnalyze
> Verifying dependencies for project ofbiz
> Checking for updates and analyzing dependencies for vulnerabilities
> An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
> {noformat}
> Actually nothing happens in a reasonable time and I bet it would be mostly
> unusable. You though may try to follow the NVD API key way, whatever it is.
> I forgot to remove this information in the main README files (actually in all
> OFBiz versions supported). You see the README trunk version GH repo.
>
> Thanks to your report I'll remove this information and the related code in a
> week, except if you come back with something positive.
> Jacques
> {quote}