We will need to think about how much appetite the community has for looking into these issues if and once they are reported. The last time a scan like this was run and several possible vulnerabilities in the dependencies were reported, it took about a year to verify and address them. Not because they were particularly hard to address, but because there were no volunteers. In fact, the majority of them, if I remember correctly, turned out to be non-issues for the software, but somebody had to go through each one and make that determination. Also, once these are reported they become a high priority, as they come onto the radar of the security teams in Apache and they need to be addressed in a timely manner and appropriate reports filed. Second and more importantly, the vulnerabilities cannot be reported in a public way, which integrating with the open build systems will do. For these reasons I am -1, but I am willing to change my opinion if we can find ways to mitigate both concerns.
Thanks

On Fri, Sep 8, 2017 at 1:41 PM, Thomas Weise <t...@apache.org> wrote:
> +1 for implementing it. I'm not sure it will be suitable for CI build
> though due to initial download overhead?
>
>
> On Fri, Sep 8, 2017 at 1:33 PM, Vlad Rozov <v.rozo...@gmail.com> wrote:
>
>> Any objections to implementing https://www.owasp.org/index.php/OWASP_Dependency_Check
>> maven plugin that will run on Travis/Jenkins and check for known vulnerabilities?
>>
>> Thank you,
>>
>> Vlad
>>
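As an added example, not configuration from this thread or from the project, here is a minimal `dependency-check-maven` plugin block of the kind Vlad proposes, wired so that it addresses the two concerns raised in the reply above. The plugin coordinates, the `check` goal, and the `failBuildOnCVSS` and `suppressionFile` settings are the plugin's own documented options; the version, the suppression file path, and the CI wiring are assumptions for illustration.

```xml
<!-- Added example: an OWASP dependency-check-maven plugin block for a pom.xml.
     Not the project's configuration; version and paths are placeholders. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- placeholder: pin to a released plugin version -->
      <version>PLACEHOLDER_VERSION</version>
      <configuration>
        <!-- Fail the build only for findings at or above this CVSS score,
             so the volunteer triage burden described in the thread is bounded
             to the higher-severity hits rather than every reported match. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Findings already triaged as non-issues (the majority, per the
             thread) are recorded in this file with a note explaining why,
             so they are not re-raised on every CI run. Path is an assumption. -->
        <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- 'check' analyses the dependency tree and fails the build
                 according to failBuildOnCVSS; it writes a report under target/ -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

The `check` goal writes its findings to a report under `target/` (by default `dependency-check-report.html`). A CI job that only turns that into a pass/fail result, without publishing the report as a public build artifact, keeps the individual findings out of public view, which is the second concern in the reply above; the suppression file, kept in the repository with a note per entry, is the record of the triage decisions so that the same non-issues do not have to be re-examined. Thomas's download-overhead point refers to the vulnerability data the plugin fetches on first run; caching the plugin's data directory between CI runs is the usual way to keep that cost to the first build.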