[ https://issues.apache.org/jira/browse/MENFORCER-422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17633924#comment-17633924 ]
Jimisola Laursen edited comment on MENFORCER-422 at 11/14/22 4:39 PM: ---------------------------------------------------------------------- We have a similar request and I was wondering if it could be handled together or it might already be. Looking at the PR and [docs|https://github.com/apache/maven-enforcer/pull/180/files#diff-52ca79536e0b1dc2298afdae5b7e6357c5af22eef6b5c63444237c5e189a037b] it seems as if it's the entire <rules> section that can be externalized. However, only to a file or classpath. Or am I missing that an URL is supported? Background: A feature request has been filed with [OSS|https://github.com/sonatype/ossindex-maven/issues/80] regarding this matter but any solution in Maven Enforcer or OSSIndex that solves it for us would of course do :) We are using OSS Index with Maven Enforcer. However, there are lot of CVEs nowadays which causes us to have to rebuild a lot of Maven POMs to update excludes (excludeCoordinates and excludeVulnerabilityIds). It would be very useful if the excludes could be configured so that they are external, e.g. using a file and/or url. Preferably an URL as I believe this would work better with our CI/CD and DevOps (solution needs to work for local development as well as in pipelines). What is the status of this issue and PR(s)? What release can it be suspected to be released with? And will URLs be supported? was (Author: JIRAUSER281352): We have a similar request and I was wondering if it could be handled together or it might already be. Looking at the PR and [docs|https://github.com/apache/maven-enforcer/pull/180/files#diff-52ca79536e0b1dc2298afdae5b7e6357c5af22eef6b5c63444237c5e189a037b] it seems as if it's the entire <rules> section that can be externalized. A feature request has been filed with [OSS|https://github.com/sonatype/ossindex-maven/issues/80] regarding this matter but any solution in Maven Enforcer or OSSIndex that solves it for us would of course do :) We are using OSS Index with Maven Enforcer. However, there are lot of CVEs nowadays which causes us to have to rebuild a lot of Maven POMs to update excludes (excludeCoordinates and excludeVulnerabilityIds). It would be very useful if the excludes could be configured so that they are external, e.g. using a file and/or url. Preferably an URL as I believe this would work better with our CI/CD and DevOps (solution needs to work for local development as well as in pipelines). Is this something that this ticket could handle or should I create a new ticket? > Support declaring external banned dependencies in an external file/URL > ---------------------------------------------------------------------- > > Key: MENFORCER-422 > URL: https://issues.apache.org/jira/browse/MENFORCER-422 > Project: Maven Enforcer Plugin > Issue Type: New Feature > Reporter: George Gastaldi > Priority: Major > > There are some use cases where the list of banned dependencies declared in an > enforcer plugin configuration needs to be reused in another project. It would > be nice if the {{bannedDependencies}} rule could read the list of banned > dependencies from an external file/URL -- This message was sent by Atlassian Jira (v8.20.10#820010)