[jira] [Commented] (OFBIZ-7930) Load the OWASP dependency checker Gradle plugin efficiently

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (OFBIZ-7930) Load the OWASP dependency checker Gradle plugin efficiently

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-7930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15448908#comment-15448908 ]

Jacques Le Roux commented on OFBIZ-7930:
----------------------------------------

Thanks Taher, much appreciated.

# https://github.com/jeremylong/dependency-check-gradle#what-if-my-project-includes-multiple-sub-project-how-can-i-use-this-plugin-for-each-of-them-including-the-root-project
# The purpose is two-fold.
## To inform our users about possible vulnerabilities in our external dependencies
## To fix them as much as possible before exposing them to public
Committers are more concerned, but everybody can help
# I put it here https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check It's actually reports from versions in the svn repo
I want to have a report for each releases and even for each supported branches, including trunk of course.
Once you have the report it's nice to publish it. But before it should be uised to fix possible vulnerabilities in our external dependencies.
Note that the suppress file is needed because OWASP-DC report a lot of false positive initially. AFAIK there is no other such free tools.

> Load the OWASP dependency checker Gradle plugin efficiently
> -----------------------------------------------------------
>
>                 Key: OFBIZ-7930
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-7930
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: Upcoming Branch
>
>
> As I warned at https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check it's currently difficult to separate the OFBiz jars from other jars in the .gradle\caches contains which may contain jars unrelated to OFBiz. Notably Eclipse jars if you use the Gradle Eclipse task and more if you use Gradle for other reasons than OFBiz.
> I did not find yet a way to avoid to have all external jars in .gradle\caches and I wonder if it's even possible. What I would like to have is the external jars mandatory for OFBiz to work in an isolated place. For instance a sub folder of the main Gradle build folder. I picked $buildDir/externalJars.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)