Posted to issues@maven.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/10/28 13:07:00 UTC

[jira] [Commented] (MNG-6487) Adding CVE Checks via OWASP

    [ https://issues.apache.org/jira/browse/MNG-6487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17625697#comment-17625697 ] 

ASF GitHub Bot commented on MNG-6487:
-------------------------------------

AbdelHajou opened a new pull request, #858:
URL: https://github.com/apache/maven/pull/858

   JIRA issue: https://issues.apache.org/jira/browse/MNG-6487
   
   This plugin checks dependencies for CVE vulnerabilities using Sonatype's vulnerability database. The build will fail when CVSS scores of >7.0 (HIGH) are found in any of the sub-modules. As discussed in MPOM-210, the OSS plugin is chosen in favour of OWASP Dependency-Check because the latter reports a lot of false positives and produces noise.
   
   Only compile-time dependencies are included, because these are risky for Maven users and should be resolved before releasing.
   
    - [ ] I hereby declare this contribution to be licenced under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
   
    - [ ] In any other case, please file an [Apache Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).
   
   [core-its]: https://maven.apache.org/core-its/core-it-suite/
   
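The configuration the PR description outlines (fail on CVSS 7.0 and above, compile scope only) as a pom.xml fragment. This is an added example, not the PR's own diff; the parameter names cvssScoreThreshold, scope, fail and transitive are taken from the ossindex-maven-plugin documentation as I know it and should be checked against the plugin version you pin, and PLUGIN_VERSION is a placeholder.

```xml
<!-- Added example, not part of apache/maven PR #858. Parameter names are
     assumed from the ossindex-maven-plugin docs; PLUGIN_VERSION is a placeholder. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.sonatype.ossindex.maven</groupId>
      <artifactId>ossindex-maven-plugin</artifactId>
      <version>PLUGIN_VERSION</version>
      <executions>
        <execution>
          <id>audit-dependencies</id>
          <!-- bind to verify so the audit runs on every build before packaging
               and release, not only when invoked by hand as in the Jira issue -->
          <phase>verify</phase>
          <goals>
            <goal>audit</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- the plugin's default threshold of 0.0 (seen in the issue output)
             fails on any finding; 7.0 limits failures to HIGH and above -->
        <cvssScoreThreshold>7.0</cvssScoreThreshold>
        <!-- only compile-scope dependencies, the ones shipped to Maven users -->
        <scope>compile</scope>
        <!-- audit transitive dependencies too, since those reach users as well -->
        <transitive>true</transitive>
        <!-- turn findings at or above the threshold into a build failure -->
        <fail>true</fail>
      </configuration>
    </plugin>
  </plugins>
</build>
```

Findings below the threshold are still listed in the audit output, so they remain visible for review without blocking the build.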




> Adding CVE Checks via OWASP
> ---------------------------
>
>                 Key: MNG-6487
>                 URL: https://issues.apache.org/jira/browse/MNG-6487
>             Project: Maven
>          Issue Type: Improvement
>            Reporter: Karl Heinz Marbaise
>            Priority: Critical
>
> {{mvn compile org.sonatype.ossindex.maven:ossindex-maven-plugin:audit}}
> Result on all modules is a CVSS-score threshold: 0.0
> In contrast: IIRC the owasp dependency plugin gave several false positives.
> We should consider adding this to the maven-parent to get early notifications on known CVEs.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)