Hi Richard, that sounds really cool! just +1 to have it!
Go for it!

On Thu, 13 Dec 2018 at 07:45, Richard Zowalla <rich...@zowalla.com> wrote:
> Hey Daniel & Rest,
>
> thanks for your replies.
>
> The OWASP Java version (as Maven Plugin) is capable of (a) reporting
> vulnerabilities and (b) failing the build, if the vulnerability has a
> score greater than a pre-specified value (and a few other nice things
> such as exclusions, ...).
>
> Cheers,
>
> Richard
>
> On 13.12.18 11:26, Daniel S. Haischt wrote:
> > Hi, not sure how the Java version is implemented. For Node it is just a
> > check. E.g. it only generates a report where depending on the use case it
> > would make sense to break the build.
> >
> > Something you may want to consider while implementing this.
> >
> > Also there is commercial stuff available like Snyk that is free for OSS
> > projects.
> >
> > Cheers
> > Daniel
> >
> > Sent from my Sony Xperia smartphone
> >
> > ---- Jean-Louis Monteiro wrote ----
> >
> >> No issue for me.
> >> Sounds like a good idea and a valuable contribution
> >> --
> >> Jean-Louis Monteiro
> >> http://twitter.com/jlouismonteiro
> >> http://www.tomitribe.com
> >>
> >> On Thu, Dec 13, 2018 at 10:10 AM Richard Zowalla <rich...@zowalla.com>
> >> wrote:
> >>
> >>> Hey,
> >>>
> >>> any objectives against automatic checking of known, publicly disclosed
> >>> dependency vulnerabilities in the Maven build process (e.g. via a
> >>> profile).
> >>>
> >>> I was thinking about introducing OWASP dependency checking (see
> >>> https://www.owasp.org/index.php/OWASP_Dependency_Check) in the TomEE
> >>> project, so we are aware of security risks introduced by (transient)
> >>> dependencies.
> >>>
> >>> Any thoughts on this?
> >>>
> >>> Best,
> >>>
> >>> Richard

--
Daniel "soro" Cunha
https://twitter.com/dvlc_
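For readers following the thread: the setup Richard describes (OWASP Dependency-Check as a Maven plugin, enabled through a profile, reporting findings and failing the build above a CVSS threshold, with exclusions) maps onto a small POM fragment. The block below is an added example, not code from the thread or from the TomEE project; the profile id, the CVSS threshold of 7, the suppression file path and the version property are assumptions chosen for illustration.

```xml
<!-- Added example (not from the thread or TomEE): a Maven profile that wires
     dependency-check-maven so it (a) reports known vulnerable dependencies and
     (b) fails the build above a CVSS threshold. Profile id, threshold, file
     path and version property are assumed values. -->
<profiles>
  <profile>
    <id>owasp-dependency-check</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <!-- placeholder: define this property as a current plugin release -->
          <version>${dependency-check.version}</version>
          <configuration>
            <!-- (b) fail the build when any finding scores at or above this
                 CVSS value; 7 (High) is an assumed threshold -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- (a) reporting: HTML report written under target/ -->
            <format>HTML</format>
            <!-- exclusions: reviewed false positives live in a tracked
                 suppression file rather than in ad-hoc build flags -->
            <suppressionFiles>
              <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
            </suppressionFiles>
          </configuration>
          <executions>
            <execution>
              <goals>
                <!-- "check" scans the module's resolved dependencies -->
                <goal>check</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

With this in place, `mvn verify -Powasp-dependency-check` runs the scan during the verify phase and leaves the regular build untouched when the profile is not activated. Keeping the check behind a profile is what lets a project start in report-only mode (threshold set to 11, above the CVSS range) and lower the threshold once the suppression file covers the accepted findings; for a multi-module build, the plugin's `aggregate` goal produces one combined report instead of one per module.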