[ 
https://issues.apache.org/jira/browse/GEODE-5098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16441565#comment-16441565
 ] 

Praveendra Singh commented on GEODE-5098:
-----------------------------------------

This is something we should leverage in all Apache open source systems.

> Integrate OWASP Dependency Check for known vulnerabilities
> ----------------------------------------------------------
>
>                 Key: GEODE-5098
>                 URL: https://issues.apache.org/jira/browse/GEODE-5098
>             Project: Geode
>          Issue Type: Improvement
>          Components: build
>            Reporter: Praveendra Singh
>            Priority: Major
>
> Given the sensitivity of the Geode system, we would like to avoid any 
> vulnerable dependencies sneaking into the final product. One way to be a little 
> defensive is to leverage OWASP Dependency-Check. There are paid services 
> (e.g. Veracode) in the market; however, the OWASP tool gives results which are very 
> close to the commercial services.
> h2. OWASP Dependency-Check
> Dependency-Check is a utility that identifies project dependencies and checks 
> whether any of them have known, publicly disclosed vulnerabilities.
>  
> ref: [https://www.owasp.org/index.php/OWASP_Dependency_Check]
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
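For readers who want to see what "integrating" the tool into a Gradle build looks like in practice, here is an added example build fragment. It is not code from the Geode project or from this ticket; the plugin id and the `dependencyCheck` configuration properties are the ones published by the OWASP Gradle plugin, while the plugin version, the CVSS threshold and the suppression-file path are assumptions chosen for this illustration.

```groovy
// build.gradle (Groovy DSL). Added example for illustration; not Geode's build file.
plugins {
    // Real plugin id published by OWASP; the version is a placeholder to fill in.
    id 'org.owasp.dependencycheck' version '<plugin-version>'
}

dependencyCheck {
    // Fail the build when any dependency carries a vulnerability scored at or
    // above this CVSS value (7 = "high"). Threshold chosen for this example.
    failBuildOnCVSS = 7

    // Write every report format so CI can parse the JSON/XML and humans can read the HTML.
    format = 'ALL'

    // Reviewed false positives are recorded here so they do not break the build again.
    // Path is an assumption for this example; keep the file under code review.
    suppressionFile = "${rootDir}/etc/dependency-check-suppressions.xml"

    // Geode is a JVM project, so disable the .NET assembly analyzer that
    // would otherwise require mono on the build agent.
    analyzers {
        assemblyEnabled = false
    }
}
```

With this applied, `./gradlew dependencyCheckAnalyze` scans a single project and `./gradlew dependencyCheckAggregate` produces one report across a multi-project build; either task fails when a dependency matches a CVE at or above the configured score. The suppression file is the important operational piece: without it, every confirmed false positive stops the build, and with it, each suppression is a reviewable record of why a reported CVE does not apply.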
