+1 to the OWASP-failure patch.
I applied the patch and ran "gradlew -PenableOwasp dependencyCheckAnalyze" on Windows 10, JDK 8, "BUILD SUCCESSFUL in 23m 16s".
-----邮件原件-----
发件人: Mathieu Lirzin [mailto:
[hidden email]]
发送时间: 2019年3月3日 18:39
收件人:
[hidden email]
主题: Re: [REMOVE?] OWASP Dependency Check feature (Gradle plugin)
Hello Jacques,
Jacques Le Roux <
[hidden email]> writes:
> I added the OWASP Dependency Check feature before we switched to
> Gradle. It was then really useful, but it's no disputable as explained
> at
>
https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check:>
> Since OFBiz uses Gradle, all dependent libraries (ie also
> dependencies from the libraries OFBiz uses and recursively) are
> loaded by Gradle and analysed by the OWASP Dependency Check
> plugin. So it's materially impossible to check all the possible
> vulnerabilities. I decided to only check the higher ones, currently
> (2017-09-29) we have only already know ones:
>
> So one option could be to completely remove this feature, what do you
> think? (see more at OFBIZ-10700)
I am not familiar with OWASP dependency check, but since it doesn't work
on my machine (See OFBIZ-10700) I can hardly see any reason to keep it.
--
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37
Locked
