ofbiz-notifications mailing list archives

From "Jacques Le Roux (Jira)" <j...@apache.org>
Subject [jira] [Updated] (OFBIZ-10213) Update build.gradle to the latest dependencies
Date Fri, 20 Dec 2019 12:49:00 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-10213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jacques Le Roux updated OFBIZ-10213:
------------------------------------
    Description: 
We want to check from time to time if we need to update the dependencies.

It's easily done with the [gradle-versions-plugin |https://github.com/ben-manes/gradle-versions-plugin]
which analyzes the dependencies and checks if there are newer versions available.

Running the check with
{code:java}
gradlew -PenableDependencyUpdates dependencyUpdates -Drevision=release
{code}

We get a list of dependencies to update. This is an umbrella task for action tasks.

We have problems with a number of libs, see OFBIZ-10922 for details. Some have been fixed
since, notably Lucene+Solr.

It is then good to run the OWASP dependency check to get a report about the security situation. Note
though that all dependent libraries (i.e. also dependencies from the libraries OFBiz uses and
recursively) are loaded by Gradle and analysed by the OWASP Dependency Check plugin. So it's
materially impossible to check all the possible vulnerabilities. You can refer to this wiki
page: [About OWASP Dependency Check|https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check]

  was:
We want to check from time to time if we need to update the dependencies.

It's easily done with the [gradle-versions-plugin |https://github.com/ben-manes/gradle-versions-plugin]
which analyzes the dependencies and checks if there are newer versions available.

Running the check with
{code:java}
gradlew -PenableDependencyUpdates dependencyUpdates -Drevision=release
{code}

We get a list of dependencies to update. This is an umbrella task for action tasks.

We have problems with a number of libs, see OFBIZ-10922 for details. Some have been fixed
since, notably Lucene+Solr.

It is then good to run the OWASP dependency check to get a report about the security situation. Note
though that all dependent libraries (i.e. also dependencies from the libraries OFBiz uses and
recursively) are loaded by Gradle and analysed by the OWASP Dependency Check plugin. So it's
materially impossible to check all the possible vulnerabilities. You can refer to About OWASP
Dependency Check.


> Update build.gradle to the latest dependencies
> ----------------------------------------------
>
>                 Key: OFBIZ-10213
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10213
>             Project: OFBiz
>          Issue Type: Task
>          Components: Gradle
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Trivial
>         Attachments: OFBIZ-10213.patch, OFBIZ-10213.patch, OFBIZ-10213.patch
>
>
> We want to check from time to time if we need to update the dependencies.
> It's easily done with the [gradle-versions-plugin |https://github.com/ben-manes/gradle-versions-plugin]
> which analyzes the dependencies and checks if there are newer versions available.
> Running the check with
> {code:java}
> gradlew -PenableDependencyUpdates dependencyUpdates -Drevision=release
> {code}
> We get a list of dependencies to update. This is an umbrella task for action tasks.
> We have problems with a number of libs, see OFBIZ-10922 for details. Some have been fixed
> since, notably Lucene+Solr.
> It is then good to run the OWASP dependency check to get a report about the security situation.
> Note though that all dependent libraries (i.e. also dependencies from the libraries OFBiz uses
> and recursively) are loaded by Gradle and analysed by the OWASP Dependency Check plugin. So
> it's materially impossible to check all the possible vulnerabilities. You can refer to this
> wiki page: [About OWASP Dependency Check|https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check]


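The issue describes two checks run from the command line: the gradle-versions-plugin report (`-PenableDependencyUpdates dependencyUpdates -Drevision=release`) and an OWASP Dependency Check run over everything Gradle resolves, transitive dependencies included. The build script below is an added example of how a project can wire both into Gradle; it is not OFBiz's build.gradle or the patch attached to this issue. The plugin ids, task names and configuration properties (`revision`, `rejectVersionIf`, `failBuildOnCVSS`, `suppressionFile`, `skipConfigurations`) are the ones the two plugins publish; the `enableDependencyUpdates` property name comes from the issue's command line; the plugin version numbers, the CVSS threshold and the suppression file path are assumptions.

```groovy
// Added example (not the project's own build.gradle): opt-in dependency update
// report plus an OWASP Dependency Check run with a fixed CVSS gate.
plugins {
    id 'java'
    // Plugin versions are assumptions; use the current release of each plugin.
    id 'com.github.ben-manes.versions' version '0.27.0' apply false
    id 'org.owasp.dependencycheck' version '5.2.4' apply false
}

repositories {
    mavenCentral()
}

// The versions plugin is only applied when the build is started with
// -PenableDependencyUpdates, matching the command line in the issue.
if (project.hasProperty('enableDependencyUpdates')) {
    apply plugin: 'com.github.ben-manes.versions'

    dependencyUpdates {
        // -Drevision=release restricts candidates to release versions;
        // default to that here so the property can be omitted.
        revision = System.getProperty('revision', 'release')
        checkForGradleUpdate = true
        outputFormatter = 'plain'
        outputDir = 'build/dependencyUpdates'
        // Drop pre-release candidates so the report only lists versions
        // a maintainer would actually move to.
        rejectVersionIf {
            it.candidate.version ==~ /(?i).*(alpha|beta|rc|cr|snapshot|preview).*/
        }
    }
}

// The OWASP plugin scans every artifact Gradle resolves, transitive ones
// included, which is the full set the issue says cannot be reviewed by hand.
apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    // Fail the build when a finding reaches this CVSS score (assumed threshold).
    failBuildOnCVSS = 7.0f
    // Reviewed false positives are recorded here; the path is a placeholder.
    suppressionFile = 'config/dependency-check-suppressions.xml'
    formats = ['HTML', 'JSON']
    // Only scan what ships: test-only classpaths are skipped.
    skipConfigurations = ['testCompileClasspath', 'testRuntimeClasspath']
}

// Usage:
//   gradlew -PenableDependencyUpdates dependencyUpdates -Drevision=release
//   gradlew dependencyCheckAnalyze
```

Gating the versions plugin behind a project property keeps the update report out of ordinary builds, while the OWASP task is always available so the report can be generated for every dependency bump. The CVSS gate turns the "security situation" report into a build failure for the findings that matter most, with the suppression file holding the findings that were reviewed and judged not to apply.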

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
