Hi, Chas, thanks for answering, absolutely! I see this as a comprehensive approach which cannot be done on just one side:

- IETF to define a new header X-something or even an HTTP response code standard, i.e. "460 - Content generally known to be insecure"
- Repository providers to implement issuing this header (could be a community plugin you install on a mirror repo); in fact this is JFrog's and Sonatype's business to license dashboards with exactly this information; my point is to iterate whether they would like to issue such a header/response code
- None of the above would make sense if the Maven community does not have stakes here.
So now from your answer I could read between the lines "ok in general why not if repository gives you such a notification" :-)

kind regards
Peter

2018-03-07 4:56 GMT+01:00 Chas Honton <[email protected]>:
> If you want the package repository to add the header, you will need to
> make your request to Sonatype (Nexus) and JFrog (Artifactory)
>
> Chas
>
> > On Mar 6, 2018, at 4:12 AM, Peter Muryshkin <[email protected]> wrote:
> >
> > Hi, all,
> >
> > currently you can run the OWASP dependency check plugin against your projects.
> >
> > Though, this seems to make security more or less optional: either unaware or lightheaded teams could miss this.
> >
> > What if a package repository would integrate with this dependency checking and issue a warning, say a special HTTP response code or a header?
> >
> > Then, Maven would raise the warning in the console log, like "this component is known to have CVE-XYZ! consider upgrading"
> >
> > What do you think?
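To make the proposal in this thread concrete, here is an added example of the client-side half: what a build tool would have to do with a repository response that carries a "known vulnerable" signal. This is not code from the thread, from Maven, Nexus or Artifactory; the header name X-Known-Vulnerabilities and its value format are hypothetical, the 460 status is the thread's own suggestion rather than a standard, and the coordinates and CVE ids in the sample responses are constructed placeholders.

```python
"""Client-side handling of a hypothetical repository 'known vulnerable' signal.

Added illustration for the mailing-list proposal above. The header name,
its value grammar, the 460 status code, and all sample data are assumptions
of this example, not a standard or an existing Maven/Nexus/Artifactory feature.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VULN_HEADER = "X-Known-Vulnerabilities"   # hypothetical; value like "CVE-2018-99990, CVE-2018-99991; severity=high"
STATUS_KNOWN_INSECURE = 460              # the thread's "460 - Content generally known to be insecure" (hypothetical)

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Advisory:
    artifact: str
    cves: List[str] = field(default_factory=list)
    severity: Optional[str] = None
    blocked: bool = False   # True when the repository refused the download outright (460)

    def message(self) -> str:
        """Console line in the style the original post asks Maven to print."""
        ids = ", ".join(self.cves) if self.cves else "unspecified issues"
        sev = f" ({self.severity})" if self.severity else ""
        action = "download refused by repository" if self.blocked else "consider upgrading"
        return f"[WARNING] {self.artifact} is known to have {ids}{sev}! {action}"


def parse_vuln_header(value: str) -> Tuple[List[str], Optional[str]]:
    """Split 'CVE-a, CVE-b; severity=high' into (cve_ids, severity).

    Only well-formed CVE ids and known severity words are accepted; anything
    else is dropped rather than echoed into the build log, so a malformed or
    hostile header cannot inject arbitrary text into the console.
    """
    cves: List[str] = []
    severity: Optional[str] = None
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("severity="):
            sev = part.split("=", 1)[1].strip().lower()
            severity = sev if sev in SEVERITY_RANK else None
            continue
        for token in part.split(","):
            token = token.strip().upper()
            if CVE_RE.match(token):
                cves.append(token)
    return cves, severity


def evaluate_response(artifact: str, status: int, headers: Dict[str, str]) -> Optional[Advisory]:
    """Turn a (status, headers) pair from the repository into an Advisory, or None.

    460            -> Advisory with blocked=True (no artifact bytes were returned)
    200 + header   -> Advisory describing the flagged CVEs
    200, no header -> None (no signal; this is 'unknown', not 'clean')
    anything else  -> ValueError, since the example only models the proposal
    """
    lowered = {k.lower(): v for k, v in headers.items()}   # HTTP header names are case-insensitive
    raw = lowered.get(VULN_HEADER.lower())
    if status == STATUS_KNOWN_INSECURE:
        cves, sev = parse_vuln_header(raw) if raw else ([], None)
        return Advisory(artifact, cves, sev, blocked=True)
    if status != 200:
        raise ValueError(f"{artifact}: unexpected HTTP status {status}")
    if raw is None:
        return None
    cves, sev = parse_vuln_header(raw)
    return Advisory(artifact, cves, sev)


def should_fail(adv: Optional[Advisory], fail_on: str = "high") -> bool:
    """Build policy: fail when the download was refused, or when the reported
    severity meets the configured threshold. A warning-only header below the
    threshold is printed but does not stop the build."""
    if adv is None:
        return False
    if adv.blocked:
        return True
    if adv.severity is None:
        return False
    return SEVERITY_RANK[adv.severity] >= SEVERITY_RANK[fail_on]


if __name__ == "__main__":
    # Constructed sample responses (no real repository is contacted).
    samples = [
        ("org.example:safe-lib:1.0", 200, {"Content-Type": "application/java-archive"}),
        ("org.example:widget:1.0", 200, {"X-Known-Vulnerabilities": "cve-2018-99990, bogus; severity=High"}),
        ("org.example:widget:0.9", 460, {"X-Known-Vulnerabilities": "CVE-2018-99990; severity=critical"}),
    ]
    for artifact, status, headers in samples:
        adv = evaluate_response(artifact, status, headers)
        if adv:
            print(adv.message())
        print(f"  build fails: {should_fail(adv, fail_on='high')}")
```

Two points the example is meant to surface. A 4xx status such as the proposed 460 is a hard block: the client gets no artifact bytes, so it cannot be the "warn but continue" behaviour the original post describes; only the header variant gives that. And a missing header is modelled as "no signal" rather than "clean": the value of the signal is bounded by the repository's own data and by the integrity of the transport, so a consumer should treat it as an extra source of warnings, not as a replacement for running the dependency check itself.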
