[
https://issues.apache.org/jira/browse/CLOUDSTACK-10271?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16618904#comment-16618904
]
ASF GitHub Bot commented on CLOUDSTACK-10271:
---------------------------------------------
rhtyd closed pull request #2446: CLOUDSTACK-10271 maven plugin for owasp
dependency check added
URL: https://github.com/apache/cloudstack/pull/2446
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/pom.xml b/pom.xml
index 7f8d3e0d747..66e60cb6e7c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -65,6 +65,7 @@
<cs.failsafe-plugin.version>2.21.0</cs.failsafe-plugin.version>
<cs.findbugs-plugin.version>3.0.5</cs.findbugs-plugin.version>
<cs.jar-plugin.version>3.1.0</cs.jar-plugin.version>
+
<cs.owasp.dependency-checker-plugin.version>3.1.1</cs.owasp.dependency-checker-plugin.version>
<cs.pmd-plugin.version>3.9.0</cs.pmd-plugin.version>
<cs.project-info-plugin.version>2.9</cs.project-info-plugin.version>
<cs.release-plugin.version>2.5.3</cs.release-plugin.version>
@@ -72,6 +73,7 @@
<cs.site-plugin.version>3.7.1</cs.site-plugin.version>
<cs.surefire-plugin.version>2.21.0</cs.surefire-plugin.version>
+
<!-- Logging versions -->
<cs.log4j.version>1.2.17</cs.log4j.version>
<cs.log4j.extras.version>1.2.17</cs.log4j.extras.version>
@@ -152,6 +154,7 @@
<cs.neethi.version>2.0.4</cs.neethi.version>
<cs.nitro.version>10.1</cs.nitro.version>
<cs.opensaml.version>2.6.4</cs.opensaml.version>
+ <cs.owasp.esapi.version>2.1.0.1</cs.owasp.esapi.version>
<cs.rados-java.version>0.2.0</cs.rados-java.version>
<cs.rampart.version>1.5.1</cs.rampart.version>
<cs.reflections.version>0.9.11</cs.reflections.version>
@@ -577,7 +580,7 @@
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
- <version>2.1.0.1</version>
+ <version>${cs.owasp.esapi.version}</version>
</dependency>
<!-- Test dependency in mysql for db tests -->
<dependency>
@@ -717,6 +720,22 @@
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+
<version>${cs.owasp.dependency-checker-plugin.version}</version>
+ <configuration>
+ <skipProvidedScope>true</skipProvidedScope>
+ <skipRuntimeScope>true</skipRuntimeScope>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
<pluginManagement>
<plugins>
@@ -1123,6 +1142,18 @@
</build>
<reporting>
<plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+
<version>${cs.owasp.dependency-checker-plugin.version}</version>
+ <reportSets>
+ <reportSet>
+ <reports>
+ <report>aggregate</report>
+ </reports>
+ </reportSet>
+ </reportSets>
+ </plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> detect vulnerabilities in depndencies
> -------------------------------------
>
> Key: CLOUDSTACK-10271
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10271
> Project: CloudStack
> Issue Type: Wish
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Reporter: Daan Hoogland
> Assignee: Daan Hoogland
> Priority: Major
>
> As a developer I want to know whether and what dependencies I am using that
> might harm my users. For this we need to add the owasp dependency checker to
> the maven build. It will require more then just this but it is a good first
> step.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
