Hi Duo,
Generally, I think that this is a good idea. I have previously attempted to
use the Jenkins OWASP stuff and found it was a non-trivial project to
manage exclusions lists. We ended up abandoning the effort for lack of
value-for-time reward. I think it's more important that we manage this as a
community, though. Maybe some other folks here with experience can share
their strategies.
Thanks,
Nick
On Sat, Oct 7, 2023 at 4:13 PM 张铎(Duo Zhang) wrote:
> https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
>
> The plugin will download the NVD database and use it to detect CVEs in
> our dependencies.
>
> I think we could make this part of the release process, and also add
> the check to the nightly build and pre-commit check.
>
> Thoughts? Thanks.
>
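For reference, below is an added configuration example of the kind of pom.xml wiring Duo is proposing; it is not code from the HBase project or from this thread. It puts dependency-check-maven behind a Maven profile (the profile name `dependency-check` and the property `dependency-check.version` are assumptions; set the version to a current release) so the NVD download only happens on release and nightly builds rather than on every pre-commit run, fails the build on high-severity findings, and keeps the exclusions Nick mentions in a version-controlled suppression file where each entry has to carry a note. The `example.internal` package URL and the CVE placeholder in the suppression file are constructed illustrations, not real findings.

```xml
<!-- ===== pom.xml (plugin section, under <profiles>) ===== -->
<profile>
  <!-- Activate explicitly: mvn -Pdependency-check verify -->
  <id>dependency-check</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- Assumed property; pin to a current plugin release in <properties>. -->
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- Fail the build for CVSS >= 7.0 (High/Critical); lower findings are reported only. -->
          <failBuildOnCVSS>7.0</failBuildOnCVSS>
          <!-- Test-scope dependencies do not ship, so do not block the release on them. -->
          <skipTestScope>true</skipTestScope>
          <!-- Exclusions live in the repo so they are reviewed like code. -->
          <suppressionFiles>
            <suppressionFile>${project.basedir}/dev-support/dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
          <formats>
            <format>HTML</format>
            <format>JSON</format>
          </formats>
        </configuration>
        <executions>
          <execution>
            <!-- Aggregate across modules so a multi-module build is scanned once. -->
            <goals>
              <goal>aggregate</goal>
            </goals>
            <phase>verify</phase>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>

<!-- ===== dev-support/dependency-check-suppressions.xml ===== -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Constructed example entry. Every suppression must say why it is safe to ignore
       and who decided; reviewers should reject entries without a note. -->
  <suppress>
    <notes><![CDATA[
      False positive: CPE matching confuses example-internal-lib with an unrelated
      product of the same name. Verified by <reviewer> on <date>. Re-check on bump.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/example\.internal/example\-internal\-lib@.*$</packageUrl>
    <cve>CVE-0000-00000</cve>
  </suppress>
</suppressions>
```

Running `mvn -Pdependency-check verify` from a release or nightly job is what exercises this; leaving the profile off by default keeps ordinary developer builds from pulling the NVD data. Tying each suppression to a package URL pattern plus a single CVE, rather than a bare artifact name, is what keeps the exclusion list from silently hiding new advisories for the same dependency, which is the maintenance trap Nick describes.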