[ https://issues.apache.org/jira/browse/OFBIZ-12186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17288554#comment-17288554 ]

Jacques Le Roux commented on OFBIZ-12186:
-----------------------------------------

As I mentioned in the thread: we will later need to update the 
verification-metadata.xml file when updating dependencies.

I have put 
https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check 
in Wiki Attic and copied its last section in the description of OFBIZ-10213 
because of the switch from jcenter to Maven Central we also need to modify this 
last section.

I have also put 
https://cwiki.apache.org/confluence/display/OFBIZ/Load+new+gradle+wrapper+version+on+bintray
in Wiki Attic.

We also need to update 
https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz



> Dependency verification 
> ------------------------
>
>                 Key: OFBIZ-12186
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12186
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: Gradle
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Priority: Major
>         Attachments: verification-metadata.xml
>
>
> I posted a related message in dev ML: 
> https://markmail.org/message/55r5ycn2wrbotnbn:
> {quote}
> Hi,
> I just read a members thread about this article: 
> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
> One member mentioned that the Groovy project is using Gradle's dependency 
> verification feature [1] in the Apache Groovy build.
> I suggest we do the same, even after the move from JCenter to MavenCentral 
> where things should be safer.
> What do you think?
> [1] https://docs.gradle.org/current/userguide/dependency_verification.html 
> Jacques
> {quote}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
