maven-dev mailing list archives

From: Mark Thomas <ma...@apache.org>
Subject: Exposing security vulnerability information (CVEs) when building with Maven
Date: Thu, 27 Feb 2014 10:34:28 GMT
Hi,

For those of you that don't know me, one of my roles at the ASF is as a
member of the Apache Security Team. One of the common problems we face
when processing a security vulnerability report is how to identify the
projects that depend on the vulnerable library. What I wanted to explore
with the Maven dev community is the possibility of doing something along
the following lines:

1. Add the ability to publish vulnerability information to a Maven
repository.

2. Enhance Maven to check that vulnerability information when building a
project and warn users that are building using a library with known
vulnerabilities.

As an aside, it might be nice to be able to publish de-support notices
or similar along the same sort of lines so users building with old,
unsupported libraries are also warned.

Users would, of course, need an option to silence individual warnings if
they are happy that they do not apply to their product.

Does something like the above sound possible? Is it already possible and
I have just missed it?

Cheers,

Mark

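The following is an added illustration of the two-step idea in the message above (publish vulnerability data keyed by Maven coordinates, then check resolved dependencies against it at build time, with per-finding suppression). It is not code from Mark Thomas, the Maven project, or the ASF. The feed format, the advisory identifiers (placeholders, not real CVEs), the dependency listing and the simplified version ordering are all constructed assumptions for the example; real Maven version ordering also handles qualifiers such as -SNAPSHOT, which this sketch ignores.

```python
"""Build-time dependency check against a published vulnerability feed.

Added example, not Maven code. Everything below (feed layout, identifiers,
dependency listing, version semantics) is a constructed assumption.
"""
import re

# Constructed sample feed: what a repository might publish beside artifacts.
# Version specs use Maven range syntax; identifiers are placeholders.
VULN_FEED = [
    {"group": "org.example", "artifact": "parser", "versions": "[1.0,1.4)",
     "id": "VULN-PLACEHOLDER-1", "summary": "constructed vulnerability entry"},
    {"group": "org.example", "artifact": "http", "versions": "[3.0]",
     "id": "VULN-PLACEHOLDER-2", "summary": "constructed vulnerability entry"},
    {"group": "org.example", "artifact": "util", "versions": "(,2.0)",
     "id": "EOL-PLACEHOLDER", "summary": "constructed de-support notice"},
]

# Constructed sample of resolved dependencies, in the group:artifact:type:version:scope
# shape that a dependency listing prints.
DEPENDENCIES = """
org.example:parser:jar:1.2:compile
org.example:http:jar:3.0:compile
org.example:util:jar:1.9:compile
org.other:thing:jar:0.9:compile
"""

# Per-finding suppression: (advisory id, exact coordinate). Silencing one
# finding must not hide a different advisory for the same library.
SUPPRESSIONS = frozenset({("EOL-PLACEHOLDER", "org.example:util:1.9")})

RANGE_RE = re.compile(r"^([\[(])\s*([^,\]\)]*)\s*(?:,\s*([^\]\)]*))?\s*([\])])$")


def parse_version(v):
    """Simplified ordering: dotted integers, trailing zeros ignored (assumption)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def in_range(version, spec):
    """True if version lies within a Maven-style range such as [1.0,1.4), (,2.0) or [3.0]."""
    m = RANGE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported version spec: {spec}")
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    if hi is None:  # "[3.0]" form pins exactly one version
        return v == parse_version(lo)
    if lo:
        lo_v = parse_version(lo)
        if v < lo_v or (v == lo_v and lo_br == "("):
            return False
    if hi:
        hi_v = parse_version(hi)
        if v > hi_v or (v == hi_v and hi_br == ")"):
            return False
    return True


def parse_dependencies(text):
    """Extract (group, artifact, version) triples from a dependency listing."""
    deps = []
    for line in text.strip().splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # ignore lines that are not coordinates
        group, artifact, _type, version = parts[:4]
        deps.append((group, artifact, version))
    return deps


def check(deps, feed, suppressions=frozenset()):
    """Return (warnings, suppressed): lists of (advisory id, coordinate)."""
    warnings, suppressed = [], []
    for group, artifact, version in deps:
        coord = f"{group}:{artifact}:{version}"
        for entry in feed:
            if (entry["group"], entry["artifact"]) != (group, artifact):
                continue
            if not in_range(version, entry["versions"]):
                continue
            target = suppressed if (entry["id"], coord) in suppressions else warnings
            target.append((entry["id"], coord))
    return warnings, suppressed


def run_example():
    """Run the check over the constructed sample data."""
    return check(parse_dependencies(DEPENDENCIES), VULN_FEED, SUPPRESSIONS)


if __name__ == "__main__":
    warnings, suppressed = run_example()
    for advisory, coord in warnings:
        print(f"WARNING {advisory}: {coord}")
    for advisory, coord in suppressed:
        print(f"suppressed {advisory}: {coord}")
```

The suppression key pairs the advisory with the exact coordinate, so a build that silences one notice for a library is still warned when a new advisory for that same library appears, which is the behaviour the "silence individual warnings" requirement in the message calls for.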


