[
https://issues.apache.org/jira/browse/YETUS-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15425833#comment-15425833
]
Sean Busbey commented on YETUS-441:
-----------------------------------
the only way something like this works if if problems are found aggressively
and early. release time is far too late, especially for projects that have a
slow release cadence, where a problem may have been introduced months earlier.
In Apache Yetus Precommit we already distinguish between problems that are
extant in the code base and those introduced or fixed by a patch, so this is
the perfect place to show when an incoming patch has a net gain or causes a
problem.
Additionally, having it here means we can catch it in nightly post-commit for
those who make use of qbt. That means when a new vulnerability is found
upstream we maximize the amount of time the project has to respond before a
release is expected to happen.
> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>
> Key: YETUS-441
> URL: https://issues.apache.org/jira/browse/YETUS-441
> Project: Yetus
> Issue Type: New Feature
> Components: Test Patch
> Reporter: Sean Busbey
>
> Add in a precommit test that makes use of [The OWASP Dependency
> Check|https://www.owasp.org/index.php/OWASP_Dependency_Check] to look for
> known bad dependencies.
> there's a maven plugin, ant task, and command line tool. So we should be able
> to build similar support to what we have for RAT.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
