[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16726570#comment-16726570 ]
Martin Wiesner commented on TOMEE-2363:
---
Backports conducted for 7.0.x and 7.1.0, see PRs:
v7.0.x: https://github.com/apache/tomee/pull/298
v7.1.x: https://github.com/apache/tomee/pull/297

> Introduce OWASP dependency checking in the Maven build process
> --
>
> Key: TOMEE-2363
> URL: https://issues.apache.org/jira/browse/TOMEE-2363
> Project: TomEE
> Issue Type: Improvement
> Components: TomEE Build
> Affects Versions: 7.0.5, 7.1.0, 8.0.0-M1
> Reporter: Richard Zowalla
> Assignee: Richard Zowalla
> Priority: Minor
> Labels: pull-request-available
> Fix For: 7.0.6, 7.1.1, 8.0.0-M2
>
>
> As discussed on the mailing list
>
> {quote}Hey,
>
> any objectives against automatic checking of known, publicly disclosed
> dependency vulnerabilities in the Maven build process (e.g. via a profile).
>
> I was thinking about introducing OWASP dependency checking (see
> [https://www.owasp.org/index.php/OWASP_Dependency_Check]) in the TomEE
> project, so we are aware of security risks introduced by (transient)
> dependencies.
>
> Any thoughts on this?
>
> Best,
>
> Richard
> {quote}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16726161#comment-16726161 ]
ASF GitHub Bot commented on TOMEE-2363:
---
Github user asfgit closed the pull request at:

https://github.com/apache/tomee/pull/298
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16726160#comment-16726160 ]
ASF GitHub Bot commented on TOMEE-2363:
---
Github user asfgit closed the pull request at:

https://github.com/apache/tomee/pull/297
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16725923#comment-16725923 ]
ASF GitHub Bot commented on TOMEE-2363:
---
GitHub user rzo1 opened a pull request:

https://github.com/apache/tomee/pull/298

[BACKPORT 7.0.x] TOMEE-2363 Introduces OWASP dependency check via profile

Backport of TOMEE-2363, see #276

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/rzo1/tomee tomee-7.0.x

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/tomee/pull/298.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #298

commit cfa04251c2981030c4c74405dd6713bbb042601f
Author: rzo1
Date: 2018-12-18T10:20:23Z

TOMEE-2363 Introduces OWASP dependency check via two profiles "owasp-check" (will fail the build for CVE score > 8.0) and "owasp-report"
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16725917#comment-16725917 ]
ASF GitHub Bot commented on TOMEE-2363:
---
GitHub user rzo1 opened a pull request:

https://github.com/apache/tomee/pull/297

[BACKPORT 7.1.x] TOMEE-2363 Introduces OWASP dependency check via profile

Backport of TOMEE-2363, see https://github.com/apache/tomee/pull/276

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/rzo1/tomee tomee-7.1.x

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/tomee/pull/297.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #297

commit 52b6e61f100b8bbae1e9717e0884d5d52e440c4c
Author: rzo1
Date: 2018-12-18T10:20:23Z

TOMEE-2363 Introduces OWASP dependency check via two profiles "owasp-check" (will fail the build for CVE score > 8.0) and "owasp-report"
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16725889#comment-16725889 ]
ASF GitHub Bot commented on TOMEE-2363:
---
Github user rzo1 commented on the issue:

https://github.com/apache/tomee/pull/276

Thanks for merging this in. Can anyone add the profile on the CI system? I will start to backport the changes now.
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16725858#comment-16725858 ]
ASF GitHub Bot commented on TOMEE-2363:
---
Github user asfgit closed the pull request at:

https://github.com/apache/tomee/pull/276
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16724156#comment-16724156 ]
ASF GitHub Bot commented on TOMEE-2363:
---
Github user jeanouii commented on the issue:

https://github.com/apache/tomee/pull/276

Sounds perfect @rzo1. @radcortez I am ready to merge. Did you get a chance to also review and test?
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16723920#comment-16723920 ]
ASF GitHub Bot commented on TOMEE-2363:
---
Github user radcortez commented on the issue:

https://github.com/apache/tomee/pull/276

@rzo1 that sounds great. I'll try it.
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16723905#comment-16723905 ]
ASF GitHub Bot commented on TOMEE-2363:
---
Github user rzo1 commented on the issue:

https://github.com/apache/tomee/pull/276

I adjusted the PR to my comments above. Feel free to give any other suggestions.

If we introduce this, I would recommend adding `owasp-check` to the CI system. Who can do this? The CVE score to fail the build needs to be greater than 8.0 atm.
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16723784#comment-16723784 ]
ASF GitHub Bot commented on TOMEE-2363:
---
Github user rzo1 commented on the issue:

https://github.com/apache/tomee/pull/276

Hey @jeanouii & @radcortez, thanks for the feedback - I can update this PR. I would propose:

- (1) I will add a profile `owasp-report` to generate the aggregated HTML report, which can be triggered manually as it takes a long time
- (2) I will add a profile `owasp-check`, which does not generate HTML reports (which will speed up this process) and which will **fail** the build for CVEs greater than a specific value. This profile can then be added on the CI system (build bot), which may support caching the OWASP CVE files (so we will get a speed boost).

What do you think?
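The two-profile layout proposed in the comment above (a slow, manually triggered `owasp-report` profile and a fast `owasp-check` profile that fails the build at CVSS 8.0) maps onto two profiles for the OWASP `dependency-check-maven` plugin in the parent pom. The fragment below is an added example written for this page, not the pom from the TomEE pull request: the plugin version property, the `owasp.*` property names and the suppression-file path are assumptions, and the optional `dataDirectory` setting is where a CI system would point the plugin at a persistent NVD cache.

```xml
<!-- Added example, not the TomEE project's own pom: a parent-pom fragment that
     implements the two-profile layout proposed in the thread. Assumptions:
     the plugin version (placeholder property), the owasp.* property names,
     and the location of the suppression file in the multi-module root. -->
<project>
  <properties>
    <!-- Placeholder: pin the dependency-check-maven release you actually use. -->
    <dependency-check.version>REPLACE_WITH_PLUGIN_VERSION</dependency-check.version>
    <!-- Shared threshold: CVSS 8.0, the value agreed in the thread. -->
    <owasp.failBuildOnCVSS>8.0</owasp.failBuildOnCVSS>
    <!-- Assumed path of the false-positive suppression file (Maven 3.3.1+ property). -->
    <owasp.suppressionFile>${maven.multiModuleProjectDirectory}/owasp-dc-suppression.xml</owasp.suppressionFile>
  </properties>

  <profiles>
    <!-- owasp-report: slow, run by hand (mvn -Powasp-report verify);
         writes the aggregated HTML report into the root module's target directory. -->
    <profile>
      <id>owasp-report</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${dependency-check.version}</version>
            <configuration>
              <format>HTML</format>
              <suppressionFiles>
                <suppressionFile>${owasp.suppressionFile}</suppressionFile>
              </suppressionFiles>
            </configuration>
            <executions>
              <execution>
                <goals>
                  <goal>aggregate</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>

    <!-- owasp-check: meant for CI (mvn -Powasp-check verify); no HTML rendering,
         and the build fails as soon as any finding reaches the CVSS threshold. -->
    <profile>
      <id>owasp-check</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${dependency-check.version}</version>
            <configuration>
              <failBuildOnCVSS>${owasp.failBuildOnCVSS}</failBuildOnCVSS>
              <!-- XML is cheap to write and still leaves a machine-readable artefact for CI. -->
              <format>XML</format>
              <suppressionFiles>
                <suppressionFile>${owasp.suppressionFile}</suppressionFile>
              </suppressionFiles>
              <!-- Optional, for the caching mentioned in the thread: keep the NVD data
                   in a directory the CI system preserves between builds (path is a placeholder).
              <dataDirectory>/path/preserved/by/ci/dependency-check-data</dataDirectory>
              -->
            </configuration>
            <executions>
              <execution>
                <goals>
                  <goal>check</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

Both goals bind to the `verify` phase by default, so `mvn -Powasp-check verify` is the CI invocation and `mvn -Powasp-report verify` the manual one. The plugin compares each finding's CVSS score against `failBuildOnCVSS` inclusively, so a score of exactly 8.0 fails the build; suppressions apply to both profiles because both reference the same file, which keeps the report and the gate in agreement.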
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16723419#comment-16723419 ]
ASF GitHub Bot commented on TOMEE-2363:
---
Github user jeanouii commented on the issue:

https://github.com/apache/tomee/pull/276

BTW, happy to check that in as a first step and you can create another PR for iteration 2.
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16723417#comment-16723417 ]
ASF GitHub Bot commented on TOMEE-2363:
---
Github user jeanouii commented on the issue:

https://github.com/apache/tomee/pull/276

Hi,

Thanks for the PR and the details.

From my experience, in this kind of situation, if the check is not activated and does not make the build fail, it's not so useful. So I'd VOTE to at least have the profile activated on our CI system (buildbot). And if it fails it needs to fail the build.

Thoughts?
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16721179#comment-16721179 ]
ASF GitHub Bot commented on TOMEE-2363:
---
GitHub user rzo1 opened a pull request:

https://github.com/apache/tomee/pull/276

TOMEE-2363 Introduces OWASP dependency check via profile

This PR introduces the [OWASP Dependency Check Maven Plugin](https://jeremylong.github.io/DependencyCheck/index.html) in a basic configuration at the parent pom level of the project.

As the dependency checking is quite expensive (see timings below), I added it as a separate profile `owasp`. To enable it in the Maven build process, you just need to add `-Powasp`. An aggregated report `dependency-check-report.html` is created in the target directory of the root project.

I also added some exclusions related to false positives (see `owasp-dc-suppression.xml`).

I also added the aggregated output for the run on my second system: [dependency-check-report.zip](https://github.com/apache/tomee/files/2679597/dependency-check-report.zip)

Some timings for my system (here Windows, on Linux it is a lot faster...)

- QuickBuild without OWASP: 07:08 min
- QuickBuild with OWASP 1st RUN: 26:02 min (pre-caching vulnerabilities)
- QuickBuild with OWASP 2nd+ RUN: 13:06 min

Note that I did not yet include failing the build based on CVE scores. However, we should decide on a common CVE score value to do so on the CI systems.

If this PR holds your expectations, I can backport this to the 7.0.x and 7.1.x branches. In a next step, we can analyze the outcomes and create JIRA issues and/or enhance the suppression configuration for false positives.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/rzo1/tomee TOMEE-2363-OWASP-Dependency

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/tomee/pull/276.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #276

commit abac13284b8483327c183fb6490a1d6ee15f81b8
Author: rzo1
Date: 2018-12-13T16:18:20Z

TOMEE-2363 Introduces OWASP dependency check via profile
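The PR description above keeps false-positive exclusions in `owasp-dc-suppression.xml`. The file below is an added example of such a suppression file, not the one from the pull request; every artifact coordinate, CPE and CVE id in it is a placeholder. It shows the two cases a reviewer of that file should expect to see, a misidentified artifact and a real CVE judged not applicable, and it assumes a plugin release that understands the 1.3 suppression schema (`packageUrl`); older releases use a `gav` element in the same place.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a dependency-check suppression file, not the
     owasp-dc-suppression.xml from the pull request. All coordinates,
     CPEs and CVE ids below are placeholders. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Case 1: misidentification. The analyzer matched an artifact to the CPE of an
       unrelated product. The suppression names both the artifact (packageUrl regex)
       and the CPE, so the same CPE still surfaces if another dependency really is
       that product. -->
  <suppress>
    <notes><![CDATA[
      PLACEHOLDER: org.example:example-lib is not the product behind this CPE.
      Reviewed by <reviewer> on <date>; re-check when the artifact is upgraded.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example-lib@.*$</packageUrl>
    <cpe>cpe:/a:example_vendor:example_product</cpe>
  </suppress>

  <!-- Case 2: a genuine CVE that does not apply to this project (the affected
       code path is not used). The until attribute expires the suppression so the
       decision is revisited instead of becoming permanent. -->
  <suppress until="2019-06-30Z">
    <notes><![CDATA[
      PLACEHOLDER: the vulnerable code path is not reachable from this project.
      Link the analysis (JIRA issue or mailing-list thread) here.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/other-lib@.*$</packageUrl>
    <cve>CVE-0000-0000</cve>
  </suppress>
</suppressions>
```

Keeping the `notes` element mandatory in review, and scoping every entry to one artifact rather than suppressing a CVE or CPE globally, is what prevents the suppression file from quietly turning the build gate off for dependencies added later.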
[jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
[ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16720250#comment-16720250 ]
Martin Wiesner commented on TOMEE-2363:
---
[~rzo1] is working on this, yet can't be assigned to this issue (?).