[https://issues.apache.org/jira/browse/YETUS-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16481689#comment-16481689]
Allen Wittenauer commented on YETUS-441:
----------------------------------------
Sort of. Let me try this whole communication thing again. :)
The --mvn-custom-repos-dir series of options allows a different location than
~/.m2 to store the maven repo. Theoretically, we could use it to also stuff
away from other data. This would allow us to copy the database to a well-known
location. The first run would take the hit but subsequent runs would be able
to use the cached copy. All without using a secondary job to populate it.
One other thing I'm not sure about is how to know if the cached copy is old.
It would be nice if both an inline version and the external version could
detect whether or not the file even needs to get downloaded.
There's also the issue of signing. How do we know if what we got is actually
legit?
> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>
> Key: YETUS-441
> URL: https://issues.apache.org/jira/browse/YETUS-441
> Project: Yetus
> Issue Type: New Feature
> Components: Test Patch
> Reporter: Sean Busbey
> Assignee: Sean Busbey
> Priority: Major
> Attachments: YETUS-441.0.patch, YETUS-441.1.patch, YETUS-441.2.patch,
> YETUS-441.3.patch, dependency-check-suppression.xml
>
>
> Add in a precommit test that makes use of [The OWASP Dependency
> Check|https://www.owasp.org/index.php/OWASP_Dependency_Check] to look for
> known bad dependencies.
> There's a maven plugin, ant task, and command line tool. So we should be able
> to build similar support to what we have for RAT.
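The caching and staleness questions raised in the comment above, as an added shell sketch that is not Yetus or OWASP Dependency Check code. It assumes the cached H2 database lives at `$DATADIR/odc.mv.db` (the file name dependency-check writes in recent versions), a constructed one-day freshness policy, and an optional `odc.mv.db.sha256` sidecar recorded when the well-known copy was populated, so a tampered or corrupted cached copy is rejected rather than silently reused.

```shell
#!/usr/bin/env sh
# Added example, not part of Yetus or dependency-check.
# Decide whether a cached dependency-check data directory can be reused,
# must be refreshed, or has to be downloaded from scratch (first run).

MAX_AGE=${MAX_AGE:-86400}   # constructed policy: refresh if older than one day

# file_age_seconds FILE -> prints the age of FILE in seconds (0 if missing)
file_age_seconds() {
  f=$1
  [ -f "$f" ] || { echo 0; return 0; }
  now=$(date +%s)
  # GNU and BSD stat spell the mtime query differently; try both.
  mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f" 2>/dev/null) || return 1
  echo $((now - mtime))
}

# digest_ok DATADIR -> 0 if no sidecar exists or the recorded SHA-256 matches,
# 1 if the sidecar is present and the cached DB does not match it.
digest_ok() {
  db="$1/odc.mv.db"
  side="$db.sha256"          # assumed sidecar written when the cache was populated
  [ -f "$side" ] || return 0
  actual=$(sha256sum "$db" 2>/dev/null | cut -d' ' -f1) ||
    actual=$(shasum -a 256 "$db" | cut -d' ' -f1)
  [ "$actual" = "$(cut -d' ' -f1 "$side")" ]
}

# cache_decision DATADIR -> prints "download" | "refresh" | "cached"
cache_decision() {
  db="$1/odc.mv.db"
  if [ ! -f "$db" ]; then
    echo download                       # first run pays the full cost
  elif ! digest_ok "$1"; then
    echo refresh                        # cached copy fails integrity check
  elif [ "$(file_age_seconds "$db")" -gt "$MAX_AGE" ]; then
    echo refresh                        # cached copy is stale
  else
    echo cached                         # reuse without touching the network
  fi
}

# run_dependency_check DATADIR -> invokes the CLI according to the decision.
# Assumes dependency-check is on PATH; --data, --noupdate and --updateonly
# are its real flags, the project name is a placeholder.
run_dependency_check() {
  case "$(cache_decision "$1")" in
    cached) dependency-check --data "$1" --noupdate --project PLACEHOLDER --scan . ;;
    *)      dependency-check --data "$1" --updateonly ;;
  esac
}
```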