[ https://issues.apache.org/jira/browse/YETUS-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16570362#comment-16570362 ]

Allen Wittenauer commented on YETUS-441:
----------------------------------------

The primary bug I reported in aggregate will be fixed in the next version. 
Hooray!

But people should be aware that only files in certain directories are checked 
with this current implementation:

* any dependencies listed in the pom
* files in src/main/resources, src/main/filters, src/main/webapp

I've been trying to set the scanset from the CLI (ideally to "everything but 
target"), but it doesn't appear to work.  In the end, it means things like 
Hadoop's CMakeLists.txt files aren't getting scanned due to being outside of 
those directories.

This patch is gonna need some hard core docs. :(

> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>
>                 Key: YETUS-441
>                 URL: https://issues.apache.org/jira/browse/YETUS-441
>             Project: Yetus
>          Issue Type: New Feature
>          Components: Test Patch
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Major
>             Fix For: 0.8.0
>
>         Attachments: YETUS-441.0.patch, YETUS-441.004.patch, 
> YETUS-441.005.patch, YETUS-441.006.patch, YETUS-441.007.patch, 
> YETUS-441.008.patch, YETUS-441.1.patch, YETUS-441.2.patch, YETUS-441.3.patch, 
> dependency-check-suppression.xml
>
>
> Add in a precommit test that makes use of [The OWASP Dependency 
> Check|https://www.owasp.org/index.php/OWASP_Dependency_Check] to look for 
> known bad dependencies.
> There's a maven plugin, ant task, and command line tool. So we should be able 
> to build similar support to what we have for RAT.
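One way to widen the default scan set described in the comment above, shown here as an added example (not a patch attached to this issue and not Yetus' own code): a dependency-check-maven plugin configuration whose `<scanSet>` covers the whole module except `target`, so files such as `CMakeLists.txt` are included. The version number is a placeholder, and the exact `<fileSet>` patterns are assumptions to adapt per project.

```xml
<!-- Added example: dependency-check-maven with an explicit scanSet.
     Without <scanSet>, the plugin only inspects pom dependencies plus
     src/main/resources, src/main/filters and src/main/webapp. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>PLACEHOLDER_VERSION</version>
  <configuration>
    <!-- Fail the build when a CVE at or above this CVSS score is found -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <!-- Project-specific false positives (see attached
         dependency-check-suppression.xml for the issue's own file) -->
    <suppressionFile>dependency-check-suppression.xml</suppressionFile>
    <scanSet>
      <fileSet>
        <!-- "everything but target": scan from the module root ... -->
        <directory>${project.basedir}</directory>
        <includes>
          <include>**/*</include>
        </includes>
        <excludes>
          <!-- ... but skip build output and VCS metadata -->
          <exclude>**/target/**</exclude>
          <exclude>**/.git/**</exclude>
        </excludes>
      </fileSet>
    </scanSet>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

Broadening the scan set this way increases run time and the number of analyzers that fire, so the suppression file usually grows with it.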
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)