You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Dejan Stojadinović (Jira)" <ji...@apache.org> on 2021/05/09 20:09:00 UTC
[jira] [Commented] (MNG-6487) Adding CVE Checks via OWASP
[ https://issues.apache.org/jira/browse/MNG-6487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17341599#comment-17341599 ]
Dejan Stojadinović commented on MNG-6487:
-----------------------------------------
[~khmarbaise] can I take this one ?
My schedule is packed, but I assume this is not a post-haste (looking at the ticket created/updated dates).
> Adding CVE Checks via OWASP
> ---------------------------
>
> Key: MNG-6487
> URL: https://issues.apache.org/jira/browse/MNG-6487
> Project: Maven
> Issue Type: Improvement
> Reporter: Karl Heinz Marbaise
> Priority: Critical
>
> {{mvn compile org.sonatype.ossindex.maven:ossindex-maven-plugin:audit}}
> Result on all modules is a CVSS-score threshold: 0.0
> In contrast: IIRC the owasp dependency plugin gave several false positives.
> We should consider to add this to the maven-parent to get early notifications on known CVEs.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)