[ https://issues.apache.org/jira/browse/YETUS-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15421725#comment-15421725 ]

Sean Busbey commented on YETUS-441:
-----------------------------------

Note that this tool relies on an external data file, so it would be good to 
either cache this ourselves, or allow specifying it on the command line so we 
can cache it externally:

{quote}
Dependency-check automatically updates itself using the NVD Data Feeds hosted 
by NIST. IMPORTANT NOTE: The initial download of the data may take ten minutes 
or more, if you run the tool at least once every seven days only a small XML 
file needs to be downloaded to keep the local copy of the data current.
{quote}

> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>
>                 Key: YETUS-441
>                 URL: https://issues.apache.org/jira/browse/YETUS-441
>             Project: Yetus
>          Issue Type: New Feature
>          Components: Test Patch
>            Reporter: Sean Busbey
>
> Add in a precommit test that makes use of [The OWASP Dependency 
> Check|https://www.owasp.org/index.php/OWASP_Dependency_Check] to look for 
> known bad dependencies.
> There's a Maven plugin, Ant task, and command line tool. So we should be able 
> to build similar support to what we have for RAT.
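As an added example (not code from the YETUS issue or from the Dependency-Check project), a shell wrapper of the kind the comment suggests: it takes the NVD data directory from the environment so CI can cache it externally, and passes `--noupdate` when that cache was refreshed within the last seven days. The `dependency-check` CLI flags are the tool's own; the `DC_DATA_DIR`, `DC_STAMP` and function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the YETUS issue: precommit wrapper around the
# OWASP Dependency-Check CLI that keeps the NVD data in a caller-supplied
# cache directory (--data) and skips the NVD download (--noupdate) when that
# cache was refreshed less than seven days ago. Assumes `dependency-check`
# is on PATH; DC_DATA_DIR, DC_STAMP and the function names are chosen here.

# Cache location, overridable by the caller so CI can persist it between runs.
DC_DATA_DIR="${DC_DATA_DIR:-$HOME/.cache/dependency-check}"
# Marker file touched after each successful NVD refresh.
DC_STAMP="$DC_DATA_DIR/.last-nvd-update"
MAX_AGE_SECS=$((7 * 24 * 3600))

# nvd_cache_fresh STAMP NOW: succeeds when STAMP exists and is younger than
# MAX_AGE_SECS relative to the epoch time NOW.
nvd_cache_fresh() {
  local stamp now mtime
  stamp="$1"; now="$2"
  [ -f "$stamp" ] || return 1
  mtime=$(stat -c %Y "$stamp" 2>/dev/null || stat -f %m "$stamp")
  [ $((now - mtime)) -lt "$MAX_AGE_SECS" ]
}

# nvd_update_flag STAMP NOW: prints --noupdate when the cache is fresh enough
# to skip the NVD download, otherwise prints nothing (a full update runs).
nvd_update_flag() {
  if nvd_cache_fresh "$1" "$2"; then echo "--noupdate"; fi
}

# run_dependency_check SRC_DIR: scans SRC_DIR, writes an XML report under
# SRC_DIR/target, and refreshes the stamp only when an NVD update actually ran.
run_dependency_check() {
  local src flag
  src="$1"
  mkdir -p "$DC_DATA_DIR"
  flag=$(nvd_update_flag "$DC_STAMP" "$(date +%s)")
  # $flag is either empty or the single token --noupdate, so unquoted is safe.
  if dependency-check --project "$(basename "$src")" --scan "$src" \
       --data "$DC_DATA_DIR" --format XML --out "$src/target" $flag; then
    [ -n "$flag" ] || touch "$DC_STAMP"
    return 0
  fi
  echo "dependency-check failed for $src" >&2
  return 1
}
```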



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)