Thanks! This looks like it covers the most important part of what I'm looking for.
-----Original Message-----
From: Mark Derricutt [mailto:[email protected]]
Sent: Tuesday, September 30, 2014 5:04 PM
To: Maven Users List
Subject: Re: Maven, Dependencies and Vulnerabilities

On 1 Oct 2014, at 7:44, David Dillard wrote:

> Hi,
>
> I've been working on an internal presentation on how letting Maven's
> dependency mediation feature select versions of transitive
> dependencies can introduce vulnerabilities into a product and how to
> deal with that problem. Unfortunately, it's a very manual process and
> I was thinking that perhaps changes could be made to Maven that would
> provide better automation. To that end I'm wondering if the team has
> ever considered adding a section to the POM that would list
> significant changes in that release. This would include a list of
> vulnerabilities fixed (e.g. CVE-XXXX-YYYY) or serious bugs fixed.
> Each one could include a known set of versions affected (a la how CVEs
> work today) thus allowing tooling to say: the version of artifact XYZ
> you're using has a known vulnerability, would you like to upgrade to
> this new version with that vuln fixed?

There already exists a plugin covering a lot of this, using the CVE databases:

https://github.com/jeremylong/DependencyCheck

This comes with a CLI, Jenkins, Maven, and Ant tasks for checking your dependencies/jars against CVE vulnerabilities.

Does this cover all the things you're working on? Maybe join forces?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
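To make both halves of the thread concrete, here is an added pom.xml fragment (my example, not code from the thread, from Maven, or from DependencyCheck): it pins a transitive dependency through dependencyManagement so "nearest wins" mediation cannot select the vulnerable release, and wires in the dependency-check-maven plugin so the CVE lookup Mark points to runs on every build. The coordinates org.example:transitive-lib, the version 2.0.1 and PLUGIN_VERSION are placeholders, not real findings.

```xml
<!-- pom.xml fragment (added example, not from the thread). All coordinates
     and versions below are placeholders. -->
<project>
  <!-- ... your own groupId/artifactId/version here ... -->

  <properties>
    <!-- placeholder: substitute the current dependency-check-maven release -->
    <dependency-check.version>PLUGIN_VERSION</dependency-check.version>
  </properties>

  <!-- 1. Override the version mediation would otherwise pick for a transitive
          dependency. dependencyManagement applies to transitive dependencies
          as well, so the fixed release is used wherever the artifact appears
          in the tree, not only where it is declared directly. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.example</groupId>          <!-- placeholder coordinates -->
        <artifactId>transitive-lib</artifactId>
        <version>2.0.1</version>                <!-- placeholder: the fixed release -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- 2. Automate the CVE check: dependency-check-maven matches the
              resolved jars against the CVE databases and fails the build
              when any finding's CVSS score reaches the threshold below. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- 7 = "high"; lower it to fail on medium-severity findings too -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn dependency:tree` afterwards shows which version mediation actually resolved for each transitive artifact, which is the manual check David describes; with the plugin bound to the build, the CVE comparison no longer has to be done by hand.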
