While sometimes (like log4j-core) it is about security and OWASP can help, other times it's mostly about reducing redundant libraries, like slf4j-api or log4j-api.
Other common libraries are:

❯ csvsql "SELECT jarGroupId, jarArtifactId, jarVersion, count(*) as CT FROM plugin-jars.csv GROUP BY jarGroupId, jarArtifactId, jarVersion ORDER BY CT DESC LIMIT 20 "

jarGroupId                    jarArtifactId          jarVersion  CT
                                                                 344
commons-codec                 commons-codec          1.9         75
com.google.code.findbugs      jsr305                 3.0.2       62
org.apache.httpcomponents     httpcore               4.4.13      58
com.github.stephenc.findbugs  findbugs-annotations   1.3.9-1     56
org.slf4j                     slf4j-api              1.7.30      48
com.google.code.gson          gson                   2.8.5       45
org.apache.httpcomponents     httpclient             4.5.13      44
org.apache.httpcomponents     httpclient             4.5.2       42
com.google.code.findbugs      jsr305                 1.3.9       41
org.apache.httpcomponents     httpcore               4.4.4       41
commons-codec                 commons-codec          1.10        40
commons-codec                 commons-codec          1.11        38
com.google.code.gson          gson                   2.8.6       37
commons-io                    commons-io             2.4         35
commons-lang                  commons-lang           2.6         35
org.apache.commons            commons-lang3          3.7         34
commons-httpclient            commons-httpclient     3.1         33
org.apache.commons            commons-lang3          3.4         33
com.fasterxml.jackson.core    jackson-annotations    2.9.0       31

Some of these are already part of jenkins-core, e.g. commons-codec, commons-io, commons-httpclient, etc.

On Monday, December 13, 2021 at 11:00:19 AM UTC-8 m...@basilcrow.com wrote:
> Might be interesting to look into adding something like OWASP
> Dependency-Check <https://jeremylong.github.io/DependencyCheck/> to the
> parent POM <https://github.com/jenkinsci/pom> and plugin parent POM
> <https://github.com/jenkinsci/plugin-pom>, with suppressions for existing
> false positives
> <https://jeremylong.github.io/DependencyCheck/general/suppression.html>.
> We could start by adding warnings to the build and then later upgrade those
> warnings to errors once we feel confident that most false positives have
> been suppressed.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/5e4da21f-8617-492f-8378-d902bbd6c168n%40googlegroups.com.
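The inventory analysis in the message above (count how often each bundled jar appears across plugins, then check which of those jars jenkins-core already ships) can be reproduced without csvkit. The script below is an added example written for this page, not code from the poster or from the Jenkins project. It assumes a CSV with the columns `plugin`, `jarGroupId`, `jarArtifactId` and `jarVersion` (the sample rows are constructed), and a hypothetical `CORE_PROVIDED` set standing in for the artifacts jenkins-core really provides, which has to be taken from the core's own dependency tree. Beyond the post's GROUP BY query it also reports artifacts bundled in more than one version and jars with no Maven coordinates at all, since those cannot be matched against a vulnerability database by coordinate and need a hash- or manifest-based lookup.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a plugin-jars.csv inventory; the column names follow
# the query in the post, the rows are made up for this example.
SAMPLE_CSV = """plugin,jarGroupId,jarArtifactId,jarVersion
git,commons-codec,commons-codec,1.9
git,org.apache.httpcomponents,httpclient,4.5.13
github,commons-codec,commons-codec,1.9
github,org.apache.httpcomponents,httpclient,4.5.2
slack,commons-codec,commons-codec,1.11
slack,org.slf4j,slf4j-api,1.7.30
docker,org.slf4j,slf4j-api,1.7.30
docker,commons-io,commons-io,2.4
docker,,,
"""

# Hypothetical set of (groupId, artifactId) already shipped by jenkins-core.
# Assumption for the example: the real set must come from the core's POM.
CORE_PROVIDED = {
    ("commons-codec", "commons-codec"),
    ("commons-io", "commons-io"),
    ("commons-httpclient", "commons-httpclient"),
}


def load_rows(text):
    """Parse the CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def top_jars(rows, limit=20):
    """Same aggregation as the post's GROUP BY ... ORDER BY CT DESC LIMIT n.

    Ties keep first-seen order, as Counter.most_common does."""
    counts = Counter(
        (r["jarGroupId"], r["jarArtifactId"], r["jarVersion"]) for r in rows
    )
    return counts.most_common(limit)


def version_spread(rows):
    """Artifacts bundled in more than one version across plugins.

    Versions are sorted as strings (good enough for a report, not a
    semantic version order)."""
    versions = defaultdict(set)
    for r in rows:
        if r["jarArtifactId"]:
            versions[(r["jarGroupId"], r["jarArtifactId"])].add(r["jarVersion"])
    return {k: sorted(v) for k, v in versions.items() if len(v) > 1}


def redundant_with_core(rows, core=CORE_PROVIDED):
    """Plugins bundling a jar that core already provides, keyed by plugin."""
    hits = defaultdict(list)
    for r in rows:
        key = (r["jarGroupId"], r["jarArtifactId"])
        if key in core:
            hits[r["plugin"]].append(f"{key[0]}:{key[1]}:{r['jarVersion']}")
    return dict(hits)


def unidentified(rows):
    """Plugins shipping jars with blank Maven coordinates."""
    return [r["plugin"] for r in rows if not r["jarArtifactId"]]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for (group, artifact, version), ct in top_jars(rows):
        print(f"{ct:4d}  {group}:{artifact}:{version}")
    print("multiple versions:", version_spread(rows))
    print("already in core:", redundant_with_core(rows))
    print("no coordinates:", unidentified(rows))
```

Pointing `load_rows` at the real `plugin-jars.csv` (read from disk instead of `SAMPLE_CSV`) gives the same top-20 table as the csvsql command; the `redundant_with_core` output is the list to act on when the goal is shrinking plugin bundles rather than patching a CVE.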