While sometimes (like log4j-core) it is about security and OWASP can help.
Other times, it's mostly about reducing redundant libraries - like 
slf4j-api or log4j-api.

Other common libraries are

❯ csvsql "SELECT jarGroupId, jarArtifactId, jarVersion, count(*) as CT
FROM plugin-jars.csv
GROUP BY jarGroupId, jarArtifactId, jarVersion
ORDER BY CT DESC
LIMIT 20
"
jarGroupId                    jarArtifactId         jarVersion  CT
                                                                344
commons-codec                 commons-codec         1.9         75
com.google.code.findbugs      jsr305                3.0.2       62
org.apache.httpcomponents     httpcore              4.4.13      58
com.github.stephenc.findbugs  findbugs-annotations  1.3.9-1     56
org.slf4j                     slf4j-api             1.7.30      48
com.google.code.gson          gson                  2.8.5       45
org.apache.httpcomponents     httpclient            4.5.13      44
org.apache.httpcomponents     httpclient            4.5.2       42
com.google.code.findbugs      jsr305                1.3.9       41
org.apache.httpcomponents     httpcore              4.4.4       41
commons-codec                 commons-codec         1.10        40
commons-codec                 commons-codec         1.11        38
com.google.code.gson          gson                  2.8.6       37
commons-io                    commons-io            2.4         35
commons-lang                  commons-lang          2.6         35
org.apache.commons            commons-lang3         3.7         34
commons-httpclient            commons-httpclient    3.1         33
org.apache.commons            commons-lang3         3.4         33
com.fasterxml.jackson.core    jackson-annotations   2.9.0       31

Some of these are already part of jenkins-core. E.g. commons-codec, 
commons-io, commons-httpclient, etc.

On Monday, December 13, 2021 at 11:00:19 AM UTC-8 m...@basilcrow.com wrote:

> Might be interesting to look into adding something like OWASP 
> Dependency-Check <https://jeremylong.github.io/DependencyCheck/> to the 
> parent 
> POM <https://github.com/jenkinsci/pom> and plugin parent POM 
> <https://github.com/jenkinsci/plugin-pom>, with suppressions for existing 
> false positives 
> <https://jeremylong.github.io/DependencyCheck/general/suppression.html>. 
> We could start by adding warnings to the build and then later upgrade those 
> warnings to errors once we feel confident that most false positives have 
> been suppressed.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/5e4da21f-8617-492f-8378-d902bbd6c168n%40googlegroups.com.
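As an added example (not code from this post, from the thread, or from Jenkins), the same GROUP BY the csvsql command runs, written in Python over a constructed plugin-jars.csv sample: jars without Maven coordinates (the blank row in the post's output) are counted separately, and the artifacts the post names as already part of jenkins-core are flagged. PROVIDED_BY_CORE is an assumed hand-written list, not the core's real dependency tree.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of the plugin-jars.csv queried in the post
# (one row per jar bundled by a plugin); not data from the original thread.
SAMPLE_CSV = """pluginId,jarGroupId,jarArtifactId,jarVersion
git,commons-codec,commons-codec,1.9
git,org.slf4j,slf4j-api,1.7.30
ldap,commons-codec,commons-codec,1.9
ldap,commons-io,commons-io,2.4
ldap,,,
pipeline,org.slf4j,slf4j-api,1.7.30
pipeline,com.google.code.gson,gson,2.8.5
"""

# Assumption: hand-written list of (groupId, artifactId) pairs the post says
# jenkins-core already ships; the real core POM is the source of truth.
PROVIDED_BY_CORE = {
    ("commons-codec", "commons-codec"),
    ("commons-io", "commons-io"),
    ("commons-httpclient", "commons-httpclient"),
}


def summarize(csv_text, limit=20):
    """Count how many plugins bundle each (groupId, artifactId, version),
    like the csvsql GROUP BY in the post. Rows with any blank coordinate
    are not grouped; their number is returned separately."""
    counts = Counter()
    no_coords = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["jarGroupId"], row["jarArtifactId"], row["jarVersion"])
        if not all(key):
            no_coords += 1
            continue
        counts[key] += 1
    ranked = [
        {"groupId": g, "artifactId": a, "version": v, "count": n,
         "in_core": (g, a) in PROVIDED_BY_CORE}
        for (g, a, v), n in counts.most_common(limit)
    ]
    return ranked, no_coords


if __name__ == "__main__":
    rows, missing = summarize(SAMPLE_CSV)
    print(f"{missing} jar(s) without Maven coordinates")
    for r in rows:
        flag = " (already in jenkins-core)" if r["in_core"] else ""
        print(f'{r["groupId"]}:{r["artifactId"]}:{r["version"]} x{r["count"]}{flag}')
```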