There is a Maven Changes Plugin which projects can use to list out changes
to their project.
http://maven.apache.org/plugins/maven-changes-plugin/

Regarding CVE, Redhat has a Maven plugin to find "victim" dependencies:
https://securityblog.redhat.com/2013/01/02/detecting-vulnerable-java-dependencies-at-build-time/

Cheers,
Paul

On Tue, Sep 30, 2014 at 1:44 PM, David Dillard <ddill...@symantec.com>
wrote:

> Hi,
>
> I've been working on an internal presentation on how letting Maven's
> dependency mediation feature select versions of transitive dependencies can
> introduce vulnerabilities into a product and how to deal with that
> problem.  Unfortunately, it's a very manual process and I was thinking that
> perhaps changes could be made to Maven that would provide better
> automation.  To that end I'm wondering if the team has ever considered
> adding a section to the POM that would list significant changes in that
> release.  This would include a list of vulnerabilities fixed (e.g.
> CVE-XXXX-YYYY) or serious bugs fixed.  Each one could include a known set
> of versions affected (à la how CVEs work today) thus allowing tooling to
> say: the version of artifact XYZ you're using has a known vulnerability,
> would you like to upgrade to this new version with that vuln fixed?
>
> On a related note, has a different dependency mediation system ever been
> considered (as an option), e.g. latest version or latest version on a
> branch?
>
>
> Thanks,
>
> David
>
>
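An added illustration, not code from the thread, from Maven or from the plugins Paul links, of the tooling David sketches: it reads a hypothetical `<vulnerabilities>` POM section (element names, the Maven-style range syntax and the CVE placeholder ids are all assumed here) and reports which entries cover the version a project is using.

```python
import xml.etree.ElementTree as ET

# Constructed POM fragment for a hypothetical artifact whose 2.1.3 release
# documents two fixed issues with the versions each one affects. The
# <vulnerabilities> element and the CVE-0000-* ids are placeholders.
SAMPLE_POM = """<project>
  <groupId>org.example</groupId>
  <artifactId>widget</artifactId>
  <version>2.1.3</version>
  <vulnerabilities>
    <vulnerability><id>CVE-0000-0001</id><affected>[2.0.0,2.1.3)</affected></vulnerability>
    <vulnerability><id>CVE-0000-0002</id><affected>[1.0.0,1.5.0]</affected></vulnerability>
  </vulnerabilities>
</project>"""

def parse_version(v):
    """Numeric dotted versions only; Maven's real ordering rules are richer."""
    return tuple(int(p) for p in v.split("."))

def parse_range(r):
    """Parse a Maven-style range such as [2.0.0,2.1.3) into its bounds."""
    lo_incl, hi_incl = r[0] == "[", r[-1] == "]"
    lo, hi = r[1:-1].split(",")
    return (parse_version(lo) if lo else None, lo_incl,
            parse_version(hi) if hi else None, hi_incl)

def in_range(version, r):
    """True when version lies inside the range, honouring open/closed ends."""
    v = parse_version(version)
    lo, lo_incl, hi, hi_incl = parse_range(r)
    if lo is not None and (v < lo or (v == lo and not lo_incl)):
        return False
    if hi is not None and (v > hi or (v == hi and not hi_incl)):
        return False
    return True

def vulnerabilities_for(pom_xml, used_version):
    """Ids of entries whose affected range contains the version in use."""
    root = ET.fromstring(pom_xml)
    return [vul.findtext("id") for vul in root.iter("vulnerability")
            if in_range(used_version, vul.findtext("affected").strip())]

def advise(pom_xml, used_version):
    """The upgrade hint David describes, or None when the version is clean."""
    hits = vulnerabilities_for(pom_xml, used_version)
    if not hits:
        return None
    root = ET.fromstring(pom_xml)
    return "%s:%s %s has known vulnerabilities %s; upgrade to %s" % (
        root.findtext("groupId"), root.findtext("artifactId"),
        used_version, ", ".join(hits), root.findtext("version"))
```

A real build-time check would resolve the mediated version of each transitive dependency first and compare it the same way; the version comparison here is deliberately simplified.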
