[GitHub] ctubbsii commented on issue #1046: Please add OWASP Dependency Check to the build (pom.xml)
ctubbsii commented on issue #1046: Please add OWASP Dependency Check to the build (pom.xml)

URL: https://github.com/apache/fluo/issues/1046#issuecomment-413709535

Hmm, I'm not sure there's much to do here. I looked into it, and the OWASP plugin can be executed with a simple:

`mvn org.owasp:dependency-check-maven:3.3.1:check`

The only way to add it to the POM would be to create a profile which executed it by default, but activating the profile isn't much different than calling the plugin directly... and you have to keep the plugin up-to-date, which I'm not sure is any cleaner than just calling the plugin directly.

We wouldn't want it running by default in the POM, because it's expensive to run and only needs to be run periodically.

What do others think? What's the best way to "add" it to the POM?

This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: us...@infra.apache.org

With regards,
Apache Git Services
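For reference, the kind of opt-in profile the comment above describes, written as an added illustration rather than anything from the Fluo POM: the plugin is bound to the `verify` phase only when the `owasp` profile is activated (e.g. `mvn verify -Powasp`), so the default build stays unaffected, and the version lives in one property so keeping it current is a single edit. The profile id, property name and CVSS threshold are assumed values; `failBuildOnCVSS`, `suppressionFile` and `format` are existing parameters of dependency-check-maven.

```xml
<!-- Added example: an opt-in profile for org.owasp:dependency-check-maven.
     Not part of the original issue or the Fluo build; profile id, property
     name, suppression file path and CVSS threshold are assumptions. -->
<project>
  <properties>
    <!-- One place to bump when a new plugin release ships. -->
    <owasp.dependency-check.version>3.3.1</owasp.dependency-check.version>
  </properties>

  <profiles>
    <profile>
      <id>owasp</id>
      <!-- Inactive by default; enable with `-Powasp` or `-Dowasp` so the
           expensive NVD download and scan only runs when requested. -->
      <activation>
        <property>
          <name>owasp</name>
        </property>
      </activation>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${owasp.dependency-check.version}</version>
            <configuration>
              <!-- Fail the build on any finding scoring CVSS 7.0 or higher. -->
              <failBuildOnCVSS>7</failBuildOnCVSS>
              <!-- Reviewed false positives are recorded here, not ignored ad hoc. -->
              <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
              <format>HTML</format>
            </configuration>
            <executions>
              <execution>
                <goals>
                  <goal>check</goal>
                </goals>
                <phase>verify</phase>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

As the second comment on this thread notes, the report only covers the versions declared in the POM, so it describes what the developers build against rather than what any given deployment actually runs.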
[GitHub] ctubbsii commented on issue #1046: Please add OWASP Dependency Check to the build (pom.xml)
ctubbsii commented on issue #1046: Please add OWASP Dependency Check to the build (pom.xml)

URL: https://github.com/apache/fluo/issues/1046#issuecomment-413094178

This has been on my personal TODO list for some time, and is a good idea for informational purposes. However, be aware that Fluo does not (generally) bundle dependencies in the project, so the CVEs that affect any given individual and their dependency set depend not on what Fluo has declared in its POM, but on what the user decides to install on their system during their own dependency-integration and packaging phases of their particular Fluo deployment.

CVE analysis on the dependencies in Fluo's POMs only tells you what is vulnerable in the versions we're developing against, not necessarily what is vulnerable in the versions in their configured Maven repository, class path, or deployment environment. Users should be aware of that limitation and should always be responsible for their own deployed software environments.