[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-21 Thread Martin Wiesner (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16726570#comment-16726570 ]

Martin Wiesner commented on TOMEE-2363:
---

Backports conducted for 7.0.x and 7.1.0, see PRs:

v7.0.x: [https://github.com/apache/tomee/pull/298]

v7.1.x: [https://github.com/apache/tomee/pull/297]

 

> Introduce OWASP dependency checking in the Maven build process
> --
>
> Key: TOMEE-2363
> URL: https://issues.apache.org/jira/browse/TOMEE-2363
> Project: TomEE
>  Issue Type: Improvement
>  Components: TomEE Build
>Affects Versions: 7.0.5, 7.1.0, 8.0.0-M1
>Reporter: Richard Zowalla
>Assignee: Richard Zowalla
>Priority: Minor
>  Labels: pull-request-available
> Fix For: 7.0.6, 7.1.1, 8.0.0-M2
>
>
> As discussed on the mailing list
>  
> {quote}Hey, 
>  
> any objections against automatic checking of known, publicly disclosed 
> dependency vulnerabilities in the Maven build process (e.g. via a profile)? 
>  
> I was thinking about introducing OWASP dependency checking (see 
> [https://www.owasp.org/index.php/OWASP_Dependency_Check]) in the TomEE 
> project, so we are aware of security risks introduced by (transient) 
> dependencies. 
>  
> Any thoughts on this? 
>  
> Best, 
>  
> Richard 
> {quote}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-20 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16726161#comment-16726161 ]

ASF GitHub Bot commented on TOMEE-2363:
---

Github user asfgit closed the pull request at:

https://github.com/apache/tomee/pull/298




[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-20 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16726160#comment-16726160 ]

ASF GitHub Bot commented on TOMEE-2363:
---

Github user asfgit closed the pull request at:

https://github.com/apache/tomee/pull/297




[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-20 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16725923#comment-16725923 ]

ASF GitHub Bot commented on TOMEE-2363:
---

GitHub user rzo1 opened a pull request:

https://github.com/apache/tomee/pull/298

[BACKPORT 7.0.x] TOMEE-2363 Introduces OWASP dependency check via profile

Backport of TOMEE-2363, see #276

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/rzo1/tomee tomee-7.0.x

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/tomee/pull/298.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #298


commit cfa04251c2981030c4c74405dd6713bbb042601f
Author: rzo1 
Date:   2018-12-18T10:20:23Z

TOMEE-2363 Introduces OWASP dependency check via two profiles "owasp-check" 
(will fail the build for CVE score > 8.0) and "owasp-report"






[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-20 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16725917#comment-16725917 ]

ASF GitHub Bot commented on TOMEE-2363:
---

GitHub user rzo1 opened a pull request:

https://github.com/apache/tomee/pull/297

[BACKPORT 7.1.x] TOMEE-2363 Introduces OWASP dependency check via profile

Backport of TOMEE-2363, see https://github.com/apache/tomee/pull/276

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/rzo1/tomee tomee-7.1.x

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/tomee/pull/297.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #297


commit 52b6e61f100b8bbae1e9717e0884d5d52e440c4c
Author: rzo1 
Date:   2018-12-18T10:20:23Z

TOMEE-2363 Introduces OWASP dependency check via two profiles "owasp-check" 
(will fail the build for CVE score > 8.0) and "owasp-report"






[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-20 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16725889#comment-16725889 ]

ASF GitHub Bot commented on TOMEE-2363:
---

Github user rzo1 commented on the issue:

https://github.com/apache/tomee/pull/276
  
Thanks for merging this in. Can anyone add the profile on the CI system?
I will start to backport the changes now.




[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-20 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16725858#comment-16725858 ]

ASF GitHub Bot commented on TOMEE-2363:
---

Github user asfgit closed the pull request at:

https://github.com/apache/tomee/pull/276




[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-18 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16724156#comment-16724156 ]

ASF GitHub Bot commented on TOMEE-2363:
---

Github user jeanouii commented on the issue:

https://github.com/apache/tomee/pull/276
  
Sounds perfect @rzo1.
@radcortez I am ready to merge. Did you get a chance to also review and 
test?





[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-18 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16723920#comment-16723920 ]

ASF GitHub Bot commented on TOMEE-2363:
---

Github user radcortez commented on the issue:

https://github.com/apache/tomee/pull/276
  
@rzo1 that sounds great. I'll try it.




[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-18 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16723905#comment-16723905 ]

ASF GitHub Bot commented on TOMEE-2363:
---

Github user rzo1 commented on the issue:

https://github.com/apache/tomee/pull/276
  
I adjusted the PR to my comments above.

Feel free to give any other suggestions. If we introduce this, I would 
recommend adding `owasp-check` to the CI system. Who can do this? 

The CVE score to fail the build needs to be greater than 8.0 atm.




[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-17 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16723784#comment-16723784 ]

ASF GitHub Bot commented on TOMEE-2363:
---

Github user rzo1 commented on the issue:

https://github.com/apache/tomee/pull/276
  
Hey @jeanouii & @radcortez,

thanks for the feedback - I can update this PR.

I would propose:

- (1) I will add a profile `owasp-report` to generate the aggregated HTML 
report, which can be triggered manually as it takes a long time
- (2) I will add a profile `owasp-check`, which does not generate HTML 
reports (which will speed up this process) and which will **fail** the build 
for CVEs greater than a specific value. This profile can then be added on the CI 
system (build bot), which may support caching the OWASP CVE files (so we will 
get a speed boost).

What do you think?




[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-17 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16723419#comment-16723419 ]

ASF GitHub Bot commented on TOMEE-2363:
---

Github user jeanouii commented on the issue:

https://github.com/apache/tomee/pull/276
  
BTW, happy to check that in as a first step and you can create another PR 
for iteration 2.




[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-17 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16723417#comment-16723417 ]

ASF GitHub Bot commented on TOMEE-2363:
---

Github user jeanouii commented on the issue:

https://github.com/apache/tomee/pull/276
  
Hi,

Thanks for the PR and the details.
From my experience, in this kind of situation, if the check is not 
activated and does not make the build fail, it's not so useful. 

So I'd VOTE to at least have the profile activated on our CI system 
(buildbot). And if it fails it needs to fail the build.

Thoughts?





[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-14 Thread ASF GitHub Bot (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16721179#comment-16721179 ]

ASF GitHub Bot commented on TOMEE-2363:
---

GitHub user rzo1 opened a pull request:

https://github.com/apache/tomee/pull/276

TOMEE-2363 Introduces OWASP dependency check via profile

This PR introduces the [OWASP Dependency Check Maven 
Plugin](https://jeremylong.github.io/DependencyCheck/index.html) in a basic 
configuration at the parent pom level of the project.

As the dependency checking is quite expensive (see timings below), I added it 
as a separate profile `owasp`. To enable it in the Maven build process, you 
just need to add `-Powasp`. An aggregated report `dependency-check-report.html` 
is created in the target directory of the root project.

I also added some exclusions related to false positives (see 
`owasp-dc-suppression.xml`).

I also added the aggregated output for the run on my second system: 
[dependency-check-report.zip](https://github.com/apache/tomee/files/2679597/dependency-check-report.zip)

Some timings for my system (here Windows, on Linux it is a lot faster...)

QuickBuild without OWASP: 07:08 min
QuickBuild with OWASP 1st RUN: 26:02 min (pre-caching vulnerabilities)
QuickBuild with OWASP 2nd+ RUN: 13:06 min

Note that I did not yet include failing the build based on CVE scores. 
However, we should decide on a common CVE score value to do so on the CI 
systems. If this PR meets your expectations, I can backport this to the 7.0.x and 
7.1.x branches. In a next step, we can analyze the outcomes and create JIRA 
issues and/or enhance the suppression configuration for false positives.



You can merge this pull request into a Git repository by running:

$ git pull https://github.com/rzo1/tomee TOMEE-2363-OWASP-Dependency

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/tomee/pull/276.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #276


commit abac13284b8483327c183fb6490a1d6ee15f81b8
Author: rzo1 
Date:   2018-12-13T16:18:20Z

TOMEE-2363 Introduces OWASP dependency check via profile




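As an added example (not the TomEE parent pom and not code from this PR), the following parent pom expresses the two profiles proposed in this thread with `org.owasp:dependency-check-maven`: `owasp-report` for the manual aggregated HTML report and `owasp-check` for CI, which fails the build at the CVSS 8.0 threshold discussed above. The coordinates are constructed, `PLACEHOLDER_VERSION` stands for a released plugin version, and the suppression file name is the one the PR mentions.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- constructed sample coordinates, not the TomEE parent pom -->
  <groupId>org.example</groupId>
  <artifactId>example-parent</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- placeholder: pin to a released org.owasp:dependency-check-maven version -->
    <dependency-check.version>PLACEHOLDER_VERSION</dependency-check.version>
  </properties>

  <build>
    <pluginManagement>
      <plugins>
        <!-- shared settings; the profiles below only choose goal, output and threshold -->
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>${dependency-check.version}</version>
          <configuration>
            <!-- reviewed false-positive suppressions, versioned next to the pom -->
            <suppressionFile>owasp-dc-suppression.xml</suppressionFile>
          </configuration>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>

  <profiles>
    <!-- mvn -Powasp-report verify: slow, run manually; one aggregated HTML report
         for all modules; threshold 11 is above the CVSS maximum of 10, so it never fails -->
    <profile>
      <id>owasp-report</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <configuration>
              <format>HTML</format>
              <failBuildOnCVSS>11</failBuildOnCVSS>
            </configuration>
            <executions>
              <execution><goals><goal>aggregate</goal></goals></execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>

    <!-- mvn -Powasp-check verify: for CI; XML output only (no HTML rendering);
         the plugin fails the build once a finding's CVSS score reaches the
         configured value, here the 8.0 threshold from this thread -->
    <profile>
      <id>owasp-check</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <configuration>
              <format>XML</format>
              <failBuildOnCVSS>8</failBuildOnCVSS>
            </configuration>
            <executions>
              <execution><goals><goal>check</goal></goals></execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

Run `mvn -Powasp-check verify` on the CI builder and keep the plugin's downloaded vulnerability data between runs, which is the caching speed-up mentioned in this thread.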


[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process

2018-12-13 Thread Martin Wiesner (JIRA)


[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16720250#comment-16720250 ]

Martin Wiesner commented on TOMEE-2363:
---

[~rzo1] is working on this, yet can't be assigned to this issue (?).
