We will need to think about how much appetite the community has for
looking into these issues if and once they are reported. The last time a
scan like this was run and several possible vulnerabilities in the
dependencies were reported, it took about a year to verify and address
them, not because they were particularly hard to address but because there
were no volunteers. In fact, the majority of them, if I remember correctly,
turned out to be non-issues for the software, but somebody had to go through
each one and make that determination. Also, once these are reported they
become a high priority, as they come onto the radar of the security teams in
Apache and they need to be addressed in a timely manner and appropriate
reports filed. Second and more importantly, the vulnerabilities cannot be
reported in a public way, which integrating with the open build systems will
do. For these reasons I am -1, but I am willing to change my opinion if we
can find ways to mitigate both concerns.

Thanks

On Fri, Sep 8, 2017 at 1:41 PM, Thomas Weise <t...@apache.org> wrote:

> +1 for implementing it. I'm not sure it will be suitable for CI build
> though due to initial download overhead?
>
>
> On Fri, Sep 8, 2017 at 1:33 PM, Vlad Rozov <v.rozo...@gmail.com> wrote:
>
> > Any objections to implementing the
> > https://www.owasp.org/index.php/OWASP_Dependency_Check maven plugin that
> > will run on Travis/Jenkins and check for known vulnerabilities?
> >
> > Thank you,
> >
> > Vlad
> >
>
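For reference, this is what wiring the OWASP Dependency Check Maven plugin into a build looks like. It is an added illustration, not configuration from this thread or from the project's own pom.xml: the plugin version is a placeholder, the suppression-file path and the data directory are assumed names, and the CVSS threshold is an arbitrary choice. The `suppressionFiles` entry is where reviewed non-issues (the kind the first message says made up most of the last scan's findings) are recorded so they are not re-triaged on every build, and `dataDirectory` pins the NVD data to a path that a CI cache can preserve between runs, which addresses the initial download overhead raised above.

```xml
<!-- Added example: dependency-check-maven bound to the default lifecycle.
     Not from the original thread. PLACEHOLDER_VERSION, the suppression file
     path and the data directory are assumptions, not project values. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>PLACEHOLDER_VERSION</version>
      <configuration>
        <!-- Fail the build when any dependency has a finding at or above
             this CVSS score; lower it once the existing backlog is triaged. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Findings already reviewed and judged not to affect the software
             are listed here with a justification, so the next run skips them. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- Keep the downloaded NVD data in a fixed location that the CI
             service (Travis/Jenkins) can cache between builds. -->
        <dataDirectory>${user.home}/.owasp-dc-data</dataDirectory>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- 'check' scans this module; use 'aggregate' for a multi-module
                 reactor report. -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

On Travis the matching cache entry is a `cache: directories:` list containing `$HOME/.owasp-dc-data`; on Jenkins the same directory can live on a persistent agent workspace. Running the plugin with `mvn verify` then produces the HTML report under `target/` without any change to the normal build command.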
