[REMOVE?] OWASP Dependency Check feature (Gradle plugin)


Jacques Le Roux
Hi All,

As discussed at OFBIZ-10700

I added the OWASP Dependency Check feature before we switched to Gradle. It was then really useful, but it's no disputable as explained at
https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check:

    Since OFBiz uses Gradle, all dependent libraries (i.e. also dependencies from the libraries OFBiz uses, and recursively) are loaded by Gradle and
    analysed by the OWASP Dependency Check plugin. So it's materially impossible to check all the possible vulnerabilities. I decided to only check
    the higher ones; currently (2017-09-29) we have only already known ones:

So one option could be to completely remove this feature, what do you think? (see more at OFBIZ-10700)

Thanks

Jacques

Re: [REMOVE?] OWASP Dependency Check feature (Gradle plugin)

Mathieu Lirzin
Hello Jacques,

Jacques Le Roux <[hidden email]> writes:

> I added the OWASP Dependency Check feature before we switched to
> Gradle. It was then really useful, but it's no disputable as explained
> at
> https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check:
>
>    Since OFBiz uses Gradle, all dependent libraries (ie also
>    dependencies from the libraries OFBiz uses and recursively) are
>    loaded by Gradle and analysed by the OWASP Dependency Check
>    plugin. So it's materially impossible to check all the possible
>    vulnerabilities. I decided to only check the higher ones, currently
>    (2017-09-29) we have only already know ones:
>
> So one option could be to completely remove this feature, what do you
> think? (see more at OFBIZ-10700)

I am not familiar with OWASP dependency check, but since it doesn't work
on my machine (See OFBIZ-10700) I can hardly see any reason to keep it.

--
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37
Re: [REMOVE?] OWASP Dependency Check feature (Gradle plugin)

Jacques Le Roux
On 03/03/2019 at 10:53, Jacques Le Roux wrote:
> but it's no disputable as explained
now

Re: [REMOVE?] OWASP Dependency Check feature (Gradle plugin)

Shi Jinghai-3
+1 to the OWASP-failure patch.

I applied the patch and ran "gradlew -PenableOwasp dependencyCheckAnalyze" on Windows 10, JDK 8, "BUILD SUCCESSFUL in 23m 16s".


-----Original Message-----
From: Mathieu Lirzin [mailto:[hidden email]]
Sent: 3 March 2019 18:39
To: [hidden email]
Subject: Re: [REMOVE?] OWASP Dependency Check feature (Gradle plugin)

Hello Jacques,

Jacques Le Roux <[hidden email]> writes:

> I added the OWASP Dependency Check feature before we switched to
> Gradle. It was then really useful, but it's no disputable as explained
> at
> https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check:
>
>    Since OFBiz uses Gradle, all dependent libraries (ie also
>    dependencies from the libraries OFBiz uses and recursively) are
>    loaded by Gradle and analysed by the OWASP Dependency Check
>    plugin. So it's materially impossible to check all the possible
>    vulnerabilities. I decided to only check the higher ones, currently
>    (2017-09-29) we have only already know ones:
>
> So one option could be to completely remove this feature, what do you
> think? (see more at OFBIZ-10700)

I am not familiar with OWASP dependency check, but since it doesn't work
on my machine (See OFBIZ-10700) I can hardly see any reason to keep it.

--
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37
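The thread above describes two things: why the check was made opt-in (it scans the full transitive dependency graph that Gradle resolves, so it is slow and noisy) and how it was invoked (`gradlew -PenableOwasp dependencyCheckAnalyze`). The Gradle build fragment below is an added illustration of that opt-in pattern, written for this thread; it is not OFBiz's own `build.gradle`. The plugin version, the suppression-file path and the `config/` directory are assumptions.

```groovy
// Added example (not OFBiz's build.gradle): an opt-in OWASP Dependency-Check
// that only loads when the build is invoked with -PenableOwasp, i.e.
//   gradlew -PenableOwasp dependencyCheckAnalyze
// Plugin version and the suppression-file path are assumptions.
plugins {
    id 'java'
    // 'apply false' registers the plugin without activating it, so it can be
    // applied conditionally below. Version is assumed; use the current release.
    id 'org.owasp.dependencycheck' version '8.4.0' apply false
}

repositories {
    mavenCentral()
}

// Ordinary builds (and machines where the scanner itself fails, as reported
// in OFBIZ-10700) never touch the plugin unless the property is present.
if (project.hasProperty('enableOwasp')) {
    apply plugin: 'org.owasp.dependencycheck'

    dependencyCheck {
        // Fail the build only for findings at or above CVSS 7.0 (High).
        // Lower-severity findings still appear in the report but do not
        // block the build, which is the "only check the higher ones" policy.
        failBuildOnCVSS = 7.0f

        // Reviewed findings are recorded here with a written reason, so the
        // build stays green for known issues without hiding new ones.
        suppressionFile = 'config/owasp-suppressions.xml'   // path assumed

        // HTML for humans, JSON for tooling that diffs runs over time.
        formats = ['HTML', 'JSON']

        // Scan what actually ships: the runtime classpath, not test-only or
        // build-time dependencies, which keeps the transitive graph smaller.
        scanConfigurations = ['runtimeClasspath']

        analyzers {
            // No .NET assemblies in a Java build; disabling saves time.
            assemblyEnabled = false
        }
    }
}
```

With this in place, `gradlew build` behaves exactly as before, and `gradlew -PenableOwasp dependencyCheckAnalyze` runs the scan and fails only on High or Critical findings that are not listed in the suppression file. The suppression file is the important operational piece: each entry should carry a note explaining why the finding is accepted (not applicable to how the library is used, fixed in a later release, etc.), so the list can be re-audited when the data feed changes.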
Re: [REMOVE?] OWASP Dependency Check feature (Gradle plugin)

Jacques Le Roux
Done at revision 1854818.

On 04/03/2019 at 11:14, Shi Jinghai wrote:

> +1 to the OWASP-failure patch.
>
> I applied the patch and ran "gradlew -PenableOwasp dependencyCheckAnalyze" on Windows 10, JDK 8, "BUILD SUCCESSFUL in 23m 16s".
>
>
> -----Original Message-----
> From: Mathieu Lirzin [mailto:[hidden email]]
> Sent: 3 March 2019 18:39
> To: [hidden email]
> Subject: Re: [REMOVE?] OWASP Dependency Check feature (Gradle plugin)
>
> Hello Jacques,
>
> Jacques Le Roux <[hidden email]> writes:
>
>> I added the OWASP Dependency Check feature before we switched to
>> Gradle. It was then really useful, but it's no disputable as explained
>> at
>> https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check:
>>
>>     Since OFBiz uses Gradle, all dependent libraries (ie also
>>     dependencies from the libraries OFBiz uses and recursively) are
>>     loaded by Gradle and analysed by the OWASP Dependency Check
>>     plugin. So it's materially impossible to check all the possible
>>     vulnerabilities. I decided to only check the higher ones, currently
>>     (2017-09-29) we have only already know ones:
>>
>> So one option could be to completely remove this feature, what do you
>> think? (see more at OFBIZ-10700)
> I am not familiar with OWASP dependency check, but since it doesn't work
> on my machine (See OFBIZ-10700) I can hardly see any reason to keep it.
>