This is an automated email from the ASF dual-hosted git repository.

gk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/turbine-parent.git


The following commit(s) were added to refs/heads/master by this push:
     new 4efa2a7  Fix profile owasp and update dependency-check-maven with 
warning about how to use without NVI key
4efa2a7 is described below

commit 4efa2a7f69c4a58fb81e203a8ae492dd991236c4
Author: Georg Kallidis <[email protected]>
AuthorDate: Mon Nov 18 16:05:27 2024 +0100

    Fix profile owasp and update dependency-check-maven with a warning about how 
to use it without an NVD key
---
 pom.xml | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/pom.xml b/pom.xml
index 2113b41..6c57523 100644
--- a/pom.xml
+++ b/pom.xml
@@ -162,11 +162,8 @@
             <artifactId>dependency-check-maven</artifactId>
             <version>${turbine.dependency.check.version}</version>
          </plugin>
-        <!-- jacoco is since java 8 enabled by default -->
-        <!-- jacoco agent may block gpg agent ? -->
-        <!-- Be aware, as we exclude tests itself, jacoco only starts, if 
-          not skipping tests, as it is a coverage tool! 
-          -->
+        <!--   Be aware, as we exclude tests itself, jacoco only starts, if 
+          not skipping tests, as it is a coverage tool!         -->
         <plugin>
           <groupId>org.jacoco</groupId>
           <artifactId>jacoco-maven-plugin</artifactId>
@@ -522,7 +519,14 @@
       </build>
     </profile>    
     <profile>    
-       <!-- run in profile or optionally, use not as reporting plugin, as 
+       <!-- 
+          Since 2024 an NVI key is required and upgrading to 10.0.2 or later 
is mandatory:
+          
+          "[WARNING] An NVD API Key was not provided - it is highly 
recommended to use an NVD API key as the update can take a VERY long time 
without an API Key"
+
+          See https://github.com/jeremylong/DependencyCheck.
+          
+          Run in profile or optionally, use not as reporting plugin, as 
           it exposes file paths to artifacts and check each possible 
vulnerability 
           carefully, find more info about how to read, false positives et al. 
here: 
           
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/plugin-info.html
 
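Review bot: The new comment at the top of the profile says an "NVI key" is "required", while the plugin warning it quotes two lines later says an NVD API key is "highly recommended" — "NVI" is a typo for NVD (the National Vulnerability Database), and the two statements contradict each other. Suggest `Since 2024 an NVD API key is strongly recommended (the NVD data update is very slow without one) and upgrading dependency-check to 10.0.2 or later is mandatory:`. It would also help a maintainer to state where the key is supplied from and that it must never be committed in the pom (a settings.xml server entry or a command-line/environment property); the exact wording should be checked against the plugin documentation already linked in the comment. The comment block continues past the end of the hunk; its closing `-->` is not visible here.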
@@ -538,13 +542,15 @@
             <value>!true</value>
          </property>
       </activation>
+       <properties>
+          <dependency.check.skip>false</dependency.check.skip>
+      </properties>
       <build>
             <plugins>
                 <plugin>
                   <groupId>org.owasp</groupId>
                   <artifactId>dependency-check-maven</artifactId>
-                  <!-- Find all configuration parameters here: 
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/.
-                  -->
+                  <!-- Find all configuration parameters here: 
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/.    -->
                   <executions>
                     <execution>
                       <goals>
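Review bot: The added `<properties>` opening tag is indented seven spaces while its closing `</properties>` and the sibling `</activation>` and `<build>` tags sit at six, so the new element is visibly misaligned; write it as `      <properties>` with the child at eight spaces and the closing tag at six. A second point worth confirming: the plugin's own skip switch is the hyphenated user property `dependency-check.skip`, so the dotted `dependency.check.skip` defined here only takes effect if the plugin configuration elsewhere in the pom references `${dependency.check.skip}` (that configuration is outside this hunk); if it does, a one-line comment such as `<!-- consumed by the plugin's <skip> configuration below -->` would make the link explicit. The enclosing profile and plugin elements start and end outside this hunk.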
@@ -660,7 +666,7 @@
         turbine.wagon-ssh.version>3.4.3</turbine.wagon-ssh.version as in 
apache pom : turbine.site.version>3.9.1</turbine.site.version -->
     <turbine.findbugs.version>3.0.5</turbine.findbugs.version>
     <turbine.jacoco.version>0.8.12</turbine.jacoco.version>
-    <turbine.dependency.check.version>9.2.0</turbine.dependency.check.version>
+    <turbine.dependency.check.version>10.0.2</turbine.dependency.check.version>
     <!-- may replace local settings -->
     <turbine.log4j2.version>2.23.1</turbine.log4j2.version>
     <jacoco.skip>false</jacoco.skip>
