Hi, Chas,

thanks for answering, absolutely! I see this as a comprehensive approach
which cannot be done on just one side:
- IETF to define a new header X-something or even an HTTP response code
standard, i.e. "460 - Content generally known to be insecure"
- Repository providers to implement issuing this header (could be a
community plugin you install on a mirror repo); in fact it is JFrog's and
Sonatype's business to license dashboards with exactly this information; my
point is to iterate whether they would like to issue such a header/response
code
- None of the above would make sense if the Maven community does not have
stakes here.

So now from your answer I could read between the lines "ok in general why
not if repository gives you such a notification" :-)

kind regards
Peter



2018-03-07 4:56 GMT+01:00 Chas Honton <c...@honton.org>:

> If you want the package repository to add the header, you will need to
> make your request to Sonatype (Nexus) and JFrog (Artifactory)
>
> Chas
>
> > On Mar 6, 2018, at 4:12 AM, Peter Muryshkin <murysh...@gmail.com> wrote:
> >
> > Hi, all,
> >
> > currently you can run the OWASP dependency check plugin against your
> > projects.
> >
> > Though, this seems to make security more or less optional: unaware or
> > lightheaded teams could miss this.
> >
> > What if a package repository would integrate with this dependency
> > checking and issue a warning, say a special HTTP response code or a header?
> >
> > Then, Maven would raise the warning in the console log, like "this
> > component is known to have CVE-XYZ! consider upgrading"
> >
> > What do you think?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>
>
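The exchange proposed in the thread (repository attaches an advisory signal to an artifact download; the build tool turns it into a console warning, or refuses the download when a response code is used), as an added example that is not part of the original emails and not code from Maven, Nexus or Artifactory. The header names `X-Artifact-Advisory` and `X-Advisory-Mode`, the status code 460 and the CVE ids are hypothetical placeholders; the repository is a toy `http.server` instance bound to localhost so the whole round trip runs offline.

```python
"""Repository -> build-tool advisory signal, both sides of the exchange."""
import threading
import warnings
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Hypothetical names, not from any standard or product (assumptions for the demo):
ADVISORY_HEADER = "X-Artifact-Advisory"  # repository -> client: comma-separated CVE ids
MODE_HEADER = "X-Advisory-Mode"          # client -> repository: "warn" (default) or "strict"
INSECURE_STATUS = 460                    # proposed status: content known to be insecure

# Constructed advisory table for the toy repository (placeholder CVE ids).
KNOWN_INSECURE = {
    "/org/example/lib/1.0/lib-1.0.jar": ["CVE-0000-0001", "CVE-0000-0002"],
}


class AdvisoryRepositoryHandler(BaseHTTPRequestHandler):
    """Toy repository: serves artifact bytes and attaches the advisory signal."""

    def do_GET(self):
        cves = KNOWN_INSECURE.get(self.path, [])
        strict = self.headers.get(MODE_HEADER, "warn").lower() == "strict"
        blocked = bool(cves) and strict
        status = INSECURE_STATUS if blocked else 200
        body = b"" if blocked else b"fake-jar-bytes"
        self.send_response(status, "Content known to be insecure" if blocked else None)
        if cves:
            # advisory header is sent in both modes so the client can log the ids
            self.send_header(ADVISORY_HEADER, ",".join(cves))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the demo output quiet
        pass


def parse_advisories(raw):
    """Split the comma-separated header value into CVE ids, ignoring blanks."""
    return [c.strip() for c in (raw or "").split(",") if c.strip()]


def fetch_artifact(base_url, path, strict=False):
    """Client side of the exchange. Returns (body, advisories, status)."""
    req = Request(base_url + path, headers={MODE_HEADER: "strict" if strict else "warn"})
    try:
        with urlopen(req) as resp:
            body = resp.read()
            advisories = parse_advisories(resp.headers.get(ADVISORY_HEADER))
            status = resp.status
    except HTTPError as err:
        if err.code != INSECURE_STATUS:
            raise
        # strict mode: the repository refused the download; surface the ids, no body
        body, status = b"", err.code
        advisories = parse_advisories(err.headers.get(ADVISORY_HEADER))
    if advisories and status == 200:
        # the console warning the thread describes
        warnings.warn(f"{path} is known to have {', '.join(advisories)}! consider upgrading")
    return body, advisories, status


def run_demo():
    """Start the toy repository on an ephemeral port and run three downloads."""
    server = HTTPServer(("127.0.0.1", 0), AdvisoryRepositoryHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        clean = fetch_artifact(base, "/org/example/ok/2.0/ok-2.0.jar")
        warned = fetch_artifact(base, "/org/example/lib/1.0/lib-1.0.jar")
        blocked = fetch_artifact(base, "/org/example/lib/1.0/lib-1.0.jar", strict=True)
    finally:
        server.shutdown()
        server.server_close()
    return {"clean": clean, "warned": warned, "blocked": blocked}


if __name__ == "__main__":
    for name, (body, cves, status) in run_demo().items():
        print(f"{name}: status={status} advisories={cves} bytes={len(body)}")
```

The header-only variant keeps the build green and just logs, which is the "optional" behaviour the original mail worries about; the status-code variant lets a client opt into failing the download, which is where a repository-side signal adds something a local dependency-check plugin cannot.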
