maven-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MPOM-210) Adding CVE Checks via OWASP
Date Fri, 02 Nov 2018 05:57:00 GMT

    [ https://issues.apache.org/jira/browse/MPOM-210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16672598#comment-16672598 ]

Allen Wittenauer commented on MPOM-210:
---------------------------------------

bq. I don't like the owasp plugin because of the noise (false positives) it can give. 

We were trying to integrate it into Apache Yetus and the results were beyond ridiculous. 
My favorite was flagging pure Java projects with vulnerabilities from Apache httpd.  Its quality
level is highly questionable.

> Adding CVE Checks via OWASP
> ---------------------------
>
>                 Key: MPOM-210
>                 URL: https://issues.apache.org/jira/browse/MPOM-210
>             Project: Maven POMs
>          Issue Type: Improvement
>          Components: maven
>    Affects Versions: MAVEN-33
>            Reporter: Karl Heinz Marbaise
>            Priority: Critical
>             Fix For: MAVEN-34
>
>
> We should add a configuration for CVE checks, for example via the OWASP maven plugin.
> I think the first step should be to add at least an entry in pluginManagement:
> {code}
>     <plugin>
>       <groupId>org.owasp</groupId>
>       <artifactId>dependency-check-maven</artifactId>
>       <version>3.3.2</version>
>     </plugin>
> {code}
> The other parts would be to add an entry for:
> https://github.com/sonatype/ossindex-maven
> which is not a good idea at the moment, because it does not support JDK 10...



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
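For readers following the ticket, the following is an added example (not part of MPOM-210, the comment above, or the Apache Maven parent POMs) of how the pluginManagement entry proposed in the issue is usually paired with a configuration that keeps the noise Allen describes under control: a CVSS threshold so only serious findings fail the build, test scope skipped, and a suppression file for reviewed false positives. The CVSS threshold of 7, the file name `owasp-suppressions.xml`, and the specific suppression (a Java HttpComponents artifact matched against the Apache HTTP Server CPE) are assumptions chosen to illustrate the httpd-on-a-pure-Java-project class of false positive; the plugin version is the one named in the issue.

```xml
<!-- pom.xml fragment: added example, not from the ticket or the Maven parent POMs. -->
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>3.3.2</version>
        <configuration>
          <!-- Assumed threshold: fail only on findings with CVSS >= 7 -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Test-scoped jars never ship; scanning them only adds noise -->
          <skipTestScope>true</skipTestScope>
          <!-- Reviewed false positives are recorded next to the POM (assumed file name) -->
          <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
        </configuration>
      </plugin>
    </plugins>
  </pluginManagement>
  <plugins>
    <plugin>
      <!-- Version and configuration are inherited from pluginManagement above -->
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <executions>
        <execution>
          <goals>
            <!-- The check goal binds to the verify phase by default -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

<!-- owasp-suppressions.xml: added example of a narrow suppression for a false positive. -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      Hypothetical case: a pure-Java artifact was matched to the Apache HTTP Server CPE,
      so httpd CVEs were reported against it. The CPE match is wrong for this GAV, so
      suppress that CPE for this GAV only. Other CPE matches for the same artifact, and
      this CPE on any other artifact, are still reported.
    ]]></notes>
    <gav regex="true">^org\.apache\.httpcomponents:httpclient:.*$</gav>
    <cpe>cpe:/a:apache:http_server</cpe>
  </suppress>
</suppressions>
```

With this in place `mvn verify` runs the scan, and a suppression is scoped to one GAV plus one wrong CPE rather than to a CVE identifier, so a genuinely new CVE against the same artifact is not silently hidden. Each suppression should carry a note like the one above explaining why the match is wrong, so it can be re-checked when the dependency or the plugin's CPE matching changes.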
