+1 to add it with both report and build failed. As you may have already seen in other threads, timing becomes important when it dramatically increases build time. When you create the JIRA, I would recommend adding the before/after measurement.
On Thu., 13 Dec. 2018 at 8:32, Daniel Cunha (<[email protected]>) wrote:
> Hi Richard,
>
> that sounds really cool!
> just +1 to have it!
>
> Go for it!
>
> On Thu, 13 Dec 2018 at 07:45, Richard Zowalla <[email protected]>
> wrote:
>
> > Hey Daniel & Rest,
> >
> > thanks for your replies.
> >
> > The OWASP Java version (as Maven Plugin) is capable of (a) reporting
> > vulnerabilities and (b) failing the build, if the vulnerability has a
> > score greater than a pre-specified value (and a few other nice things
> > such as exclusions, ...).
> >
> > Cheers,
> >
> > Richard
> >
> > On 13.12.18 11:26, Daniel S. Haischt wrote:
> > > Hi, not sure how the Java version is implemented. For Node it is just a
> > > check. E.g. it only generates a report where, depending on the use case, it
> > > would make sense to break the build.
> > >
> > > Something you may want to consider while implementing this.
> > >
> > > Also there is commercial stuff available like Snyk that is free for OSS
> > > projects.
> > >
> > > Cheers
> > > Daniel
> > >
> > > Sent from my Sony Xperia smartphone
> > >
> > > ---- Jean-Louis Monteiro wrote ----
> > >
> > >> No issue for me.
> > >> Sounds like a good idea and a valuable contribution
> > >> --
> > >> Jean-Louis Monteiro
> > >> http://twitter.com/jlouismonteiro
> > >> http://www.tomitribe.com
> > >>
> > >>
> > >> On Thu, Dec 13, 2018 at 10:10 AM Richard Zowalla <[email protected]>
> > >> wrote:
> > >>
> > >>> Hey,
> > >>>
> > >>> any objections against automatic checking of known, publicly disclosed
> > >>> dependency vulnerabilities in the Maven build process (e.g. via a
> > >>> profile).
> > >>>
> > >>> I was thinking about introducing OWASP dependency checking (see
> > >>> https://www.owasp.org/index.php/OWASP_Dependency_Check) in the TomEE
> > >>> project, so we are aware of security risks introduced by (transient)
> > >>> dependencies.
> > >>>
> > >>> Any thoughts on this?
> > >>>
> > >>> Best,
> > >>>
> > >>> Richard
>
> --
> Daniel "soro" Cunha
> https://twitter.com/dvlc_

--
Sincerely: César Hernández Mendoza.
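As an added illustration of what the thread discusses (a build profile that both reports findings and fails the build above a CVSS threshold, with an exclusions file), here is a Maven profile wiring in the OWASP `dependency-check-maven` plugin. This is example configuration written for this page, not TomEE's own pom.xml; the profile id `owasp`, the version property, the CVSS threshold of 7 and the suppression-file path are placeholders chosen for the example. The plugin coordinates and the `failBuildOnCVSS`, `formats`, `suppressionFiles` and `check` elements are the plugin's real ones.

```xml
<!-- Added example, not from the thread or the TomEE build: a Maven profile
     wiring in OWASP dependency-check. Version, threshold and suppression
     file path are placeholders to be adjusted per project. -->
<project>
  <properties>
    <!-- placeholder: set to the plugin release actually in use -->
    <dependency-check.version>PLUGIN_VERSION_PLACEHOLDER</dependency-check.version>
  </properties>

  <profiles>
    <profile>
      <!-- opt-in profile so the default build time is unaffected;
           activate with: mvn -Powasp verify -->
      <id>owasp</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${dependency-check.version}</version>
            <configuration>
              <!-- (b) fail the build when a finding's CVSS score reaches this
                   threshold (7 = "high" and above; 11 would never fail) -->
              <failBuildOnCVSS>7</failBuildOnCVSS>
              <!-- (a) always write a report: HTML for people, JSON for tooling -->
              <formats>
                <format>HTML</format>
                <format>JSON</format>
              </formats>
              <!-- exclusions: reviewed false positives live in a tracked file
                   so each suppression carries a reason and a history -->
              <suppressionFiles>
                <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
              </suppressionFiles>
            </configuration>
            <executions>
              <execution>
                <goals>
                  <goal>check</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

Keeping the check behind a profile addresses the build-time concern raised above: the default `mvn verify` is unchanged, and the before/after measurement asked for is simply `time mvn verify` versus `time mvn -Powasp verify` on the same machine with a warm local repository (the first run also downloads the vulnerability database, so measure a second run). For a multi-module build such as TomEE, the plugin's `aggregate` goal produces one report for the whole reactor instead of one per module.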
