On 06/07/18 22:27, Joe Murphy wrote:
https://github.com/jeremylong/DependencyCheck
I've been running this OWASP DependencyCheck for about a year on various
projects; it can be as easy as adding the following to the Travis or
Jenkins file:
mvn org.owasp:dependency-check-maven:aggregate -Dformat=ALL -DsuppressionFile=./.mvn/owasp-suppression.xml
eg. https://github.com/B3Partners/brmo/blob/master/Jenkinsfile#L118
and adding the following to the pluginManagement section of the parent
pom file:
<pluginManagement>
  ...
  <plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>3.2.1</version>
  </plugin>
  ...
</pluginManagement>
eg. https://github.com/B3Partners/brmo/blob/master/pom.xml#L884-L888
Probably you'll want to set up a suppression file to catch false
positives, like
https://github.com/B3Partners/brmo/blob/master/.mvn/owasp-suppression.xml
I have suppressions in place for CVE-2015-6737 in gt-swing and
CVE-2005-0406 in gt-coverage.
I have a similar setup in https://github.com/flamingo-geocms/flamingo
hth, Mark
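For readers who have not written one before, the suppression file referenced above takes the shape below. This is an added illustration, not the brmo project's own file: it assumes the two false positives Mark mentions map to the Maven coordinates org.geotools:gt-swing and org.geotools:gt-coverage, and it uses the 1.1 suppression schema that the 3.x plugin reads. Each suppression is scoped to one artifact and one CVE so that a genuinely vulnerable version of some other dependency is never silently hidden.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- .mvn/owasp-suppression.xml (constructed example; coordinates assumed) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- False positive: CVE-2015-6737 is reported against gt-swing because of a
       name match, not because the GeoTools artifact contains the affected code.
       The gav regex limits the suppression to this one artifact, any version. -->
  <suppress>
    <notes><![CDATA[
      gt-swing: CVE-2015-6737 matched on name only; reviewed and not applicable.
    ]]></notes>
    <gav regex="true">^org\.geotools:gt-swing:.*$</gav>
    <cve>CVE-2015-6737</cve>
  </suppress>

  <!-- False positive: CVE-2005-0406 reported against gt-coverage.
       Suppress only this CVE; other findings on the artifact still fail the build. -->
  <suppress>
    <notes><![CDATA[
      gt-coverage: CVE-2005-0406 matched on name only; reviewed and not applicable.
    ]]></notes>
    <gav regex="true">^org\.geotools:gt-coverage:.*$</gav>
    <cve>CVE-2005-0406</cve>
  </suppress>

</suppressions>
```

Keeping the reasoning in the notes element means the next person who runs the aggregate goal can see why each CVE was waived rather than re-investigating it.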
_______________________________________________
GeoTools-Devel mailing list
GeoTools-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-devel