A side note: you can specify version ranges if you want to leave it up
to Maven to select the latest version.
It makes it harder to have a repeatable build or to determine what
version was used to build your artifact.
I generally like to pick the versions of dependencies and Eclipse/STS's
Maven support makes it easy to spot conflicts and exclude transitive
dependencies that conflict with what you want.
I doubt that adding a section to the POM to record bug fixes would be
very useful.
No one would keep it up to date and the traffic on the POM source might
drive a team crazy if they did.
Ron
On 30/09/2014 3:53 PM, Jeremy Long wrote:
There are commercial solutions (sonatype, contrast, blackduck, palamida,
etc.) and FOSS solutions (dependency-check, victims, retire.js, etc.) to
identify and report on known vulnerabilities. I would recommend looking at
these solutions (note, I am the main contributor to dependency-check).
A better solution for the POM modification would be to add a CPE
identifier. This would also be a great entry for a jar file's manifest. CPE
identifiers can be requested even if there are no known CVEs, but the CPE
can be used to look up the related CVEs.
-jeremy
@ctxt
On Sep 30, 2014 2:45 PM, "David Dillard" <[email protected]> wrote:
Hi,
I've been working on an internal presentation on how letting Maven's
dependency mediation feature select versions of transitive dependencies can
introduce vulnerabilities into a product and how to deal with that
problem. Unfortunately, it's a very manual process and I was thinking that
perhaps changes could be made to Maven that would provide better
automation. To that end I'm wondering if the team has ever considered
adding a section to the POM that would list significant changes in that
release. This would include a list of vulnerabilities fixed (e.g.
CVE-XXXX-YYYY) or serious bugs fixed. Each one could include a known set
of versions affected (à la how CVEs work today) thus allowing tooling to
say: the version of artifact XYZ you're using has a known vulnerability,
would you like to upgrade to this new version with that vuln fixed?
On a related note, has a different dependency mediation system ever been
considered (as an option), e.g. latest version or latest version on a
branch?
Thanks,
David
--
Ron Wheeler
President
Artifact Software Inc
email: [email protected]
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
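As an added illustration of the advice in this thread (not a POM from any of the participants or from the Maven project), the fragment below shows the three practices discussed: pinning a transitively supplied library through dependencyManagement instead of letting nearest-wins mediation or a version range choose it, excluding a transitive that conflicts with what the project wants, and running dependency-check as part of the build. All com.example coordinates and their version numbers are constructed placeholders, and PLUGIN_VERSION stands in for a real dependency-check-maven release.

```xml
<!-- Added example, not from the thread. com.example:* artifacts and
     their versions are constructed; PLUGIN_VERSION is a placeholder. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>app</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Placeholder: replace with a released dependency-check-maven version. -->
    <dependency-check.version>PLUGIN_VERSION</dependency-check.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- shared-lib is only reached transitively (via lib-a and lib-b at
           different versions). Without this entry Maven's nearest-wins
           mediation picks whichever declaration sits closest to the root,
           which may be the older, affected one. A dependencyManagement
           entry overrides the mediated choice for transitive dependencies
           too, so the build is repeatable and the chosen version is on record. -->
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>shared-lib</artifactId>
        <version>2.3.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Avoid a range such as <version>[1.0,2.0)</version>: it hands the
         choice to the repository's contents at build time, so two builds of
         the same commit can resolve different versions. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>lib-a</artifactId>
      <version>1.4.0</version>
    </dependency>

    <!-- lib-b drags in legacy-json, which conflicts with the JSON library
         the project declares directly; exclude it here. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>lib-b</artifactId>
      <version>0.9.2</version>
      <exclusions>
        <exclusion>
          <groupId>com.example</groupId>
          <artifactId>legacy-json</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- OWASP dependency-check (mentioned by Jeremy above): scans the
           resolved dependency tree against known CVEs and fails the build
           when a finding scores at or above the configured CVSS value. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn dependency:tree` against a POM like this shows which shared-lib version actually ended up on the classpath, which is the check to make before and after adding the dependencyManagement entry; the exclusion and the pin address different situations, so use the pin when the library must stay and the exclusion when a replacement is already declared.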