Hi, not sure how the Java version is implemented. For Node it is just a check. 
E.g. it only generates a report where depending on the use case it would make 
sense to break the build. 

Something you may want to consider while implementing this. 

Also there is commercial stuff available like Snyk that is free for OSS 
projects. 

Cheers
Daniel 

Sent from my Sony Xperia smartphone

---- Jean-Louis Monteiro wrote ----

>No issue for me.
>Sounds like a good idea and a valuable contribution
>--
>Jean-Louis Monteiro
>http://twitter.com/jlouismonteiro
>http://www.tomitribe.com
>
>
>On Thu, Dec 13, 2018 at 10:10 AM Richard Zowalla <[email protected]>
>wrote:
>
>> Hey,
>>
>> any objections to automatic checking of known, publicly disclosed
>> dependency vulnerabilities in the Maven build process (e.g. via a profile)?
>>
>> I was thinking about introducing OWASP dependency checking (see
>> https://www.owasp.org/index.php/OWASP_Dependency_Check) in the TomEE
>> project, so we are aware of security risks introduced by (transient)
>> dependencies.
>>
>> Any thoughts on this?
>>
>> Best,
>>
>> Richard
>>
>>
>>
>>
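Richard's proposal (OWASP Dependency-Check behind a Maven profile) and Daniel's point about report-only versus breaking the build, as an added example that is not from the thread or from TomEE's own pom; the plugin version, the CVSS threshold and the suppression file path are assumptions/placeholders.

```xml
<!-- Added example, not from the thread or TomEE's pom: an opt-in Maven profile
     around OWASP dependency-check-maven. Plugin version, CVSS threshold and
     suppression file path are assumptions/placeholders. -->
<profiles>
  <!-- Opt-in, so day-to-day builds are unaffected: mvn -Pdependency-check verify -->
  <profile>
    <id>dependency-check</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>PLUGIN_VERSION_PLACEHOLDER</version> <!-- pin a real release -->
          <executions>
            <execution>
              <goals><goal>check</goal></goals> <!-- runs in the verify phase by default -->
            </execution>
          </executions>
          <configuration>
            <!-- Report-only vs gate: CVSS tops out at 10, so 11 (the default) never
                 fails the build (the "just a check" Daniel describes); 7 breaks the
                 build on high/critical CVEs (assumed threshold). -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- keep the report as the human-readable artifact either way -->
            <formats>
              <format>HTML</format>
              <format>JSON</format>
            </formats>
            <!-- reviewed false positives, so a gate stays actionable (assumed path) -->
            <suppressionFiles>
              <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
            </suppressionFiles>
          </configuration>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Teams that want the report without a gate can leave `failBuildOnCVSS` at its default and still get the HTML/JSON output from the same profile.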
