To: Maven Users List
Subject: Re: Maven, Dependencies and Vulnerabilities
Hello,
instead of requiring everybody to come up with a CPE and add it to the POM,
I would prefer if Maven Central publishes an approved (and registered)
naming scheme to form CPEs which point to well known maven artifacts.
cpe:/a:org.maven.central:groupid,artifactid[,classifier]:version
(or simi
Sent: Tuesday, September 30, 2014 3:53 PM
To: Maven Users List
Subject: Re: Maven, Dependencies and Vulnerabilities
There are commercial solutions (sonatype, contrast, blackduck, palamida,
etc.) and FOSS solutions (dependency-check, victims, retire.js, etc.) to
identify and report on known vulnerabilities. I
Thanks! This looks like it covers the most important part of what I'm looking
for.
-Original Message-
From: Mark Derricutt [mailto:m...@talios.com]
Sent: Tuesday, September 30, 2014 5:04 PM
To: Maven Users List
Subject: Re: Maven, Dependencies and Vulnerabilities
On 1 Oct 2014, at 7:44, David Dillard wrote:
Hi,
I've been working on an internal presentation on how letting Maven's
dependency mediation feature select versions of transitive
dependencies can introduce vulnerabilities into a product and how to
deal with that problem. Unfortunately, it's a
A side note: you can specify version ranges if you want to leave it up
to Maven to select the latest version.
It makes it harder to have a repeatable build or to determine what
version was used to build your artifact.
I generally like to pick the versions of dependencies and Eclipse/STS's
Mave
There are commercial solutions (sonatype, contrast, blackduck, palamida,
etc.) and FOSS solutions (dependency-check, victims, retire.js, etc.) to
identify and report on known vulnerabilities. I would recommend looking at
these solutions (note, I am the main contributor to dependency-check).
A bett
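As an added illustration (not code from the thread or from any of the posters), here is a pom.xml fragment that ties together the two points above: Mark's remark that pinning versions beats letting mediation (or a version range) choose a transitive dependency, and the suggestion to run a tool such as dependency-check against what actually gets resolved. The `com.example` coordinates, the `2.3.1` version and the plugin versions in the properties are placeholders I chose for the example; the plugin coordinates, the enforcer `dependencyConvergence` rule and the dependency-check `failBuildOnCVSS` setting are real.

```xml
<!-- Illustrative pom.xml fragment (added example, not from the mailing-list thread).
     It (1) pins a transitive dependency instead of accepting whatever version
     Maven's "nearest wins" mediation would select, (2) fails the build whenever
     the graph would need mediation at all, and (3) scans the resolved
     dependencies for known CVEs. Coordinates and versions are placeholders. -->
<project>
  <properties>
    <!-- assumption: replace with the plugin versions you actually use -->
    <enforcer.version>3.4.1</enforcer.version>
    <dependency-check.version>9.0.9</dependency-check.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement applies to transitive dependencies as well, so
           this overrides the version mediation would otherwise pick. Use a
           fixed version, not a range such as [2.3,), so the build is repeatable
           and the resolved version is visible in the POM. -->
      <dependency>
        <groupId>com.example</groupId>            <!-- placeholder -->
        <artifactId>some-transitive-lib</artifactId> <!-- placeholder -->
        <version>2.3.1</version>                  <!-- placeholder -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>${enforcer.version}</version>
        <executions>
          <execution>
            <id>enforce-convergence</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <!-- Fail when two paths in the graph request different versions
                     of the same artifact, i.e. exactly when mediation would
                     silently choose one of them. -->
                <dependencyConvergence/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- Fail the build if any resolved dependency carries a known CVE
               with a CVSS score of 7 or higher. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals><goal>check</goal></goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To see which versions mediation dropped before adding the pin, run `mvn dependency:tree -Dverbose`; the omitted versions are marked as "omitted for conflict". With the fragment above, `mvn verify` runs the convergence rule first and the CVE scan on the final, pinned dependency set afterwards.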
There is a Maven Changes Plugin which projects can use to list out changes
to their project.
http://maven.apache.org/plugins/maven-changes-plugin/
Regarding CVE, Redhat has a Maven plugin to find "victim" dependencies:
https://securityblog.redhat.com/2013/01/02/detecting-vulnerable-java-dependenci