Hey Daniel & Rest,

thanks for your replies.

The OWASP Java version (as Maven Plugin) is capable of (a) reporting vulnerabilities and (b) failing the build, if the vulnerability has a score greater than a pre-specified value (and a few other nice things such as exclusions, ...).

Cheers,

Richard
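As an added illustration of the two behaviours described above (example configuration, not the TomEE project's own pom.xml), this profile wires in the dependency-check-maven plugin so the scan is opt-in; the plugin version is a placeholder, and the suppression file path is an assumption:

```xml
<!-- pom.xml fragment (added example): opt-in profile, run with: mvn -P owasp-check verify -->
<profiles>
  <profile>
    <id>owasp-check</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>X.Y.Z</version>  <!-- placeholder: use the current plugin release -->
          <configuration>
            <!-- (b) fail the build when any finding has a CVSS score of 7.0 or higher -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- test-only and container-provided artifacts are not shipped; leave them out -->
            <skipTestScope>true</skipTestScope>
            <skipProvidedScope>true</skipProvidedScope>
            <!-- reviewed false positives / accepted risks live in a versioned file (assumed path) -->
            <suppressionFiles>
              <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
            </suppressionFiles>
          </configuration>
          <executions>
            <execution>
              <goals>
                <!-- (a) the check goal writes the report and (b) applies the CVSS threshold -->
                <goal>check</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Each entry in the suppression file should carry a note explaining why the finding is excluded, so a suppressed CVE is a recorded decision rather than a silent gap.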

On 13.12.18 11:26, Daniel S. Haischt wrote:
Hi, not sure how the Java version is implemented. For Node it is just a check. 
E.g. it only generates a report where depending on the use case it would make 
sense to break the build.

Something you may want to consider while implementing this.

Also there is commercial stuff available like Snyk that is free for OSS 
projects.

Cheers
Daniel

Sent from my Sony Xperia smartphone

---- Jean-Louis Monteiro wrote ----

No issue for me.
Sounds like a good idea and a valuable contribution
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Thu, Dec 13, 2018 at 10:10 AM Richard Zowalla <[email protected]>
wrote:

Hey,

any objections to automatic checking of known, publicly disclosed
dependency vulnerabilities in the Maven build process (e.g. via a profile)?

I was thinking about introducing OWASP dependency checking (see
https://www.owasp.org/index.php/OWASP_Dependency_Check) in the TomEE
project, so we are aware of security risks introduced by (transient)
dependencies.

Any thoughts on this?

Best,

Richard
