Posted to dev@ws.apache.org by Rob Leland <th...@gmail.com> on 2022/02/12 23:09:49 UTC

Should WSS4J fail release builds for High CVE findings ?

I noticed that the WSS4J build mainly uses the OWASP
dependency-check-plugin for generating a report, but those are easy to
forget to review.
Similar to the PMD and Checkstyle enforcement, would it be useful to add a
Maven profile to fail the build if there is a CVE/CVSS score above a
certain level?

This could be enforced just for releases, snapshots or both.

I'll be happy to prepare a PR.

-Rob

Re: Should WSS4J fail release builds for High CVE findings ?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Rob,

Yes please prepare a PR and I'll review. If you could add an empty
file as well so that we can easily add false positives, that would be
great.

Colm.

On Sat, Feb 12, 2022 at 11:10 PM Rob Leland <th...@gmail.com> wrote:
>
> I noticed that the WSS4J build mainly uses the OWASP dependency-check-plugin for generating a report, but those are easy to forget to review.
> Similar to the PMD and Checkstyle enforcement, would it be useful to add a Maven profile to fail the build if there is a CVE/CVSS score above a certain level?
>
> This could be enforced just for releases, snapshots or both.
>
> I'll be happy to prepare a PR.
>
> -Rob
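As an added example (not code from the WSS4J build or from either poster), here is a Maven profile of the kind Rob proposes and Colm asks for: it runs dependency-check's `check` goal, fails the build on any finding scoring High or above, and points at a suppressions file for reviewed false positives. The profile id, the threshold of 7, the plugin version placeholder and the suppressions file path are assumptions for illustration.

```xml
<!-- Added example, not from the WSS4J project: a profile that fails the
     build when dependency-check finds a CVE with CVSS 7.0 or higher.
     The id, threshold, version and file path are illustrative assumptions. -->
<profiles>
  <profile>
    <id>cve-gate</id>
    <activation>
      <!-- maven-release-plugin sets performRelease=true, so the gate runs on
           release builds; add -Pcve-gate to apply it to snapshot builds too -->
      <property>
        <name>performRelease</name>
        <value>true</value>
      </property>
    </activation>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <!-- placeholder: pin to the dependency-check version the project uses -->
          <version>DEPENDENCY_CHECK_VERSION</version>
          <configuration>
            <!-- fail on any finding scoring High or Critical (CVSS 7.0 and up);
                 without this setting the plugin only reports and never fails -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- reviewed false positives go here; the file can start out empty
                 so that suppressions are added one by one with a justification -->
            <suppressionFiles>
              <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
            </suppressionFiles>
          </configuration>
          <executions>
            <execution>
              <!-- verify runs after tests and before install/deploy, so a
                   High finding stops the artifact from being published -->
              <phase>verify</phase>
              <goals>
                <goal>check</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

The suppressions file can begin as an empty `<suppressions>` root element; each entry added later should carry a `<notes>` element recording why the finding does not apply, so the gate stays reviewable rather than silently bypassed.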
