tomee-commits mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TOMEE-2363) Introduce OWASP dependency checking in the Maven build process
Date Mon, 17 Dec 2018 22:05:00 GMT

    [ https://issues.apache.org/jira/browse/TOMEE-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16723417#comment-16723417
] 

ASF GitHub Bot commented on TOMEE-2363:
---------------------------------------

Github user jeanouii commented on the issue:

    https://github.com/apache/tomee/pull/276
  
    Hi,
    
    Thanks for the PR and the details.
    From my experience, in this kind of situation, if the check is not activated and does not make the build fail, it's not so useful.
    
    So I'd VOTE to at least have the profile activated on our CI system (buildbot). And if it fails it needs to fail the build.
    
    Thoughts?



> Introduce OWASP dependency checking in the Maven build process
> --------------------------------------------------------------
>
>                 Key: TOMEE-2363
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2363
>             Project: TomEE
>          Issue Type: Improvement
>          Components: TomEE Build
>    Affects Versions: 7.0.5, 7.1.0, 8.0.0-M1
>            Reporter: Richard Zowalla
>            Priority: Minor
>              Labels: pull-request-available
>             Fix For: 7.0.6, 7.1.1, 8.0.0-M2
>
>
> As discussed on the mailing list
>  
> {quote}Hey, 
>  
> any objectives against automatic checking of known, publicly disclosed 
> dependency vulnerabilities in the Maven build process (e.g. via a profile). 
>  
> I was thinking about introducing OWASP dependency checking (see 
> [https://www.owasp.org/index.php/OWASP_Dependency_Check]) in the TomEE 
> project, so we are aware of security risks introduced by (transient) 
> dependencies. 
>  
> Any thoughts on this? 
>  
> Best, 
>  
> Richard 
> {quote}
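The profile discussed in this thread (dependency-check run from a Maven profile, switched on for the CI build, failing the build on findings) could look like the following in a parent pom.xml. This is an added example, not TomEE's own configuration; the plugin version placeholder, the `env.CI` activation property and the suppression file path are assumptions.

```xml
<!-- Added example (not TomEE's pom.xml): a Maven profile that runs OWASP
     dependency-check and fails the build on known vulnerable dependencies.
     The plugin version is a placeholder and must be pinned in the real pom. -->
<profiles>
  <profile>
    <id>owasp</id>
    <!-- Activated explicitly with "mvn -Powasp verify", or automatically when
         the CI job exports CI=true (the env.CI property name is an assumption). -->
    <activation>
      <property>
        <name>env.CI</name>
        <value>true</value>
      </property>
    </activation>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>PLACEHOLDER_PIN_VERSION</version>
          <configuration>
            <!-- Fail the build when a dependency (including transitive ones)
                 has a published CVE with CVSS score >= 7; a value of 0 would
                 fail on every finding, 11 would never fail. -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- Reviewed false positives are recorded in a versioned file so
                 that every suppression is explicit and auditable in review. -->
            <suppressionFiles>
              <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
            </suppressionFiles>
            <!-- HTML for humans, XML so CI can archive and diff the report. -->
            <formats>
              <format>HTML</format>
              <format>XML</format>
            </formats>
          </configuration>
          <executions>
            <execution>
              <!-- "check" both scans and enforces failBuildOnCVSS; binding it
                   to verify keeps "mvn install" on CI from publishing a build
                   whose scan failed. -->
              <phase>verify</phase>
              <goals>
                <goal>check</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Developers who do not export CI=true keep the fast default build, while the buildbot run gets the scan and a red build on a hit, which is the behaviour the comment above asks for.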



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
