On 2019-12-20 13:39, Marlow, Andrew wrote:

Hello everyone,

I am using the OWASP Maven dependency plugin to tell me when I am using components that have CVEs. That’s great. I was wondering if there was something similar that would tell me when I am using very old components (where the judgement about what is old is configurable, e.g. number of years, months, etc.).


Never seen one; it would be hard without querying the source repository for the release tag/branch for the moment the release was cut (which is problematic in case a minimal release pom is in use). The current pom does not have this/a timestamp for this and you cannot use the file date.

I guess you could look at the date of the (class) files inside the artifact (jar) to determine build/release date; not sure how that would work out with shaded dependencies or provided manifest files.


-M

*Andrew Marlow*

Software Engineer Specialist, Apex

38th Floor, 25 Canada Square,

Canary Wharf, London E14 5LQ

*T*:  020-8081-2367 / 07966-451-521
*E*: andrew.mar...@fisglobal.com <mailto:andrew.mar...@fisglobal.com>

*FIS | Advancing the way the world pays, banks and invests™ *


The information contained in this message is proprietary and/or confidential jadajadajada...
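
The jar-timestamp idea from the reply, sketched as an added example that is not part of the original thread or of any existing plugin: it estimates a build date from the `.class` entries of a jar and compares it with a configurable age limit. The function names and the in-memory sample jars are constructed for illustration; entries stamped with the ZIP minimum date (as builds that normalise timestamps may produce) are reported as `unknown` rather than as old.

```python
import io
import zipfile
from datetime import datetime, timedelta

# ZIP (DOS) timestamps cannot go below this; treated here as "no information".
DOS_EPOCH = datetime(1980, 1, 1)

def make_jar(entries):
    """Build a constructed sample jar in memory from {name: (Y, M, D, h, m, s)}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, stamp in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=stamp), b"")
    return buf.getvalue()

def estimate_build_date(jar_bytes):
    """Newest .class timestamp in the jar, or None if no entry has a usable date.

    Only .class entries count, so a manifest supplied at packaging time is ignored.
    Taking the newest entry means older classes pulled in by shading do not
    make the artifact look older than it is.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        dates = [datetime(*info.date_time) for info in jar.infolist()
                 if info.filename.endswith(".class")]
    usable = [d for d in dates if d > DOS_EPOCH]
    return max(usable) if usable else None

def check_age(jar_bytes, max_age, now):
    """Return ('ok' | 'old' | 'unknown', estimated build date) for a max_age timedelta."""
    built = estimate_build_date(jar_bytes)
    if built is None:
        return "unknown", None
    return ("old" if now - built > max_age else "ok"), built

if __name__ == "__main__":
    now, limit = datetime(2019, 12, 20), timedelta(days=5 * 365)
    samples = {  # constructed jars, not real artifacts
        "plain-old.jar": make_jar({"a/A.class": (2012, 6, 1, 9, 0, 0),
                                   "META-INF/MANIFEST.MF": (2019, 12, 1, 9, 0, 0)}),
        "shaded.jar": make_jar({"a/A.class": (2019, 11, 2, 8, 0, 0),
                                "shaded/b/B.class": (2011, 1, 15, 12, 0, 0)}),
        "fixed-stamp.jar": make_jar({"a/A.class": (1980, 1, 1, 0, 0, 0)}),
    }
    for name, data in samples.items():
        print(name, *check_age(data, limit, now))
```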
