You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by ta...@apache.org on 2017/09/27 13:17:22 UTC

svn commit: r1809846 - in /ofbiz/ofbiz-framework/trunk: README.md build.gradle

Author: taher
Date: Wed Sep 27 13:17:21 2017
New Revision: 1809846

URL: http://svn.apache.org/viewvc?rev=1809846&view=rev
Log:
Improved: upgraded and cleaned the implementation for OWASP dependency checker

This commit achieves the following improvements to the OWASP gradle plugin for
dependency checks:
- Upgrade the version from 1.4.0 to 2.1.1
- Remove the dependency on MavenCentral and replace it with a custom link to
  the original source of work using a custom maven URL. Thus all dependencies
  are downloaded from JCenter to avoid duplication of library downloads.
- Update README.md on how to use this task

Modified:
    ofbiz/ofbiz-framework/trunk/README.md
    ofbiz/ofbiz-framework/trunk/build.gradle

Modified: ofbiz/ofbiz-framework/trunk/README.md
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/README.md?rev=1809846&r1=1809845&r2=1809846&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/README.md (original)
+++ ofbiz/ofbiz-framework/trunk/README.md Wed Sep 27 13:17:21 2017
@@ -491,12 +491,10 @@ Xlint prints output of all warnings dete
 
 The below command activates a gradle plugin (OWASP) and Identifies
 and reports known vulnerabilities (CVEs) in OFBiz library dependencies.
-This command takes a long time to execute because it needs to download
-all plugin dependencies and the CVE identification process is also
-time consuming. But it's the only way to check OFBiz does not use
-vulnerable libraries.
+The task takes time to complete, and once done, a report will be generated in
+$OFBIZ_HOME/build/reports/dependency-check-report.html
 
-`gradlew -PenableOwasp dependencyCheck`
+`gradlew -PenableOwasp dependencyCheckAnalyze`
 
 #### Setup eclipse project for OFBiz
 

Modified: ofbiz/ofbiz-framework/trunk/build.gradle
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/build.gradle?rev=1809846&r1=1809845&r2=1809846&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/build.gradle (original)
+++ ofbiz/ofbiz-framework/trunk/build.gradle Wed Sep 27 13:17:21 2017
@@ -283,15 +283,17 @@ tasks.eclipse.dependsOn(cleanEclipse)
  * gradle will download required dependencies and
  * activate Gradle's OWASP plugin and its related tasks.
  *
- * Syntax: gradlew -PenableOwasp dependencyCheck
+ * Syntax: gradlew -PenableOwasp dependencyCheckAnalyze
  */
 buildscript {
     if (project.hasProperty('enableOwasp')) {
         repositories {
-            mavenCentral()
+            maven {
+                url "https://plugins.gradle.org/m2/"
+            }
         }
         dependencies {
-            classpath 'org.owasp:dependency-check-gradle:1.4.0'
+            classpath 'org.owasp:dependency-check-gradle:2.1.1'
         }
     }
 }