maven-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Muryshkin <>
Subject RFC: Maven to raise a notification if downloading vulnerable content
Date Tue, 06 Mar 2018 12:12:36 GMT
Hi, all,

currently you can run OWASP dependency check plugin against your projects.

Though, this seems to make security more or less optional: unaware either
lightheaded teams could miss this.

What if a package repository would integrate with this dependency checking
and issue a warning, say a special HTTP response code or a header?

Then, Maven would raise the warning in the console log, like "this
component is known to have CVE-XYZ! consider upgrading"

What do you think?

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message