This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 6d9bd037a4 Improved: Abandon the Gradle Owasp dependencycheck task (OFBIZ-13121)

6d9bd037a4 is described below

commit 6d9bd037a47035dfbc40040cfedb6277adb1a5eb
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Tue Jun 25 10:18:05 2024 +0200

Improved: Abandon the Gradle Owasp dependencycheck task (OFBIZ-13121)

We have abandoned this feature for years as it was no longer usable (too many false positives, in large numbers).
https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check

The last time I tried to use it was after the last commit for https://issues.apache.org/jira/browse/OFBIZ-10700
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/build.gradle?r1=1854818&r2=1854817&pathrev=1854818

I just tried and got this:

C:\projectsASF\Git\ofbiz-framework>gradlew -PenableOwasp dependencyCheckAnalyze
Starting a Gradle Daemon (subsequent builds will be faster)
[...]
> Task :dependencyCheckAnalyze
Verifying dependencies for project ofbiz
Checking for updates and analyzing dependencies for vulnerabilities
An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key

Actually nothing happens in a reasonable time and I bet it would be mostly unusable. You though may try to follow the NVD API key way, whatever it is.

I forgot to remove this information in the main README files (actually in all OFBiz versions supported). You see the README trunk version GH repo.

Thanks: Sumesh Acharya for his question on user ML
---
 README.adoc  | 10 ----------
 build.gradle | 19 -------------------
 2 files changed, 29 deletions(-)

diff --git a/README.adoc b/README.adoc
index 36dec67945..0a7797ccfa 100644
--- a/README.adoc
+++ b/README.adoc
@@ -619,16 +619,6 @@ want to silence them `gradlew -PXlint:none build` -[[run-owasp-tool-to-identify-dependency-vulnerabilities-cves]] -==== Run OWASP tool to identify dependency vulnerabilities (CVEs) - -The below command activates a gradle plugin (OWASP) and Identifies and reports -known vulnerabilities (CVEs) in OFBiz library dependencies. The task takes time -to complete, and once done, a report will be generated in -$OFBIZ_HOME/build/reports/dependency-check-report.html - -`gradlew -PenableOwasp dependencyCheckAnalyze` - [[setup-eclipse-project-for-ofbiz]] ==== Setup eclipse project for OFBiz diff --git a/build.gradle b/build.gradle index c78104958d..15111a590b 100644 --- a/build.gradle +++ b/build.gradle @@ -375,25 +375,6 @@ eclipse.classpath.file.whenMerged { classpath -> } tasks.eclipse.dependsOn(cleanEclipse) -/* OWASP plugin - * - * If project property "enableOwasp" is flagged then - * gradle will download required dependencies and - * activate Gradle's OWASP plugin and its related tasks. - * - * Syntax: gradlew -PenableOwasp dependencyCheckAnalyze - */ -buildscript { - if (project.hasProperty('enableOwasp')) { - dependencies { - classpath 'org.owasp:dependency-check-gradle:3.0.2' - } - } -} -if (project.hasProperty('enableOwasp')) { - apply plugin: 'org.owasp.dependencycheck' -} - /* ======================================================== * Tasks * ======================================================== */
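Review bot: in the README.adoc hunk, deleting the `[[run-owasp-tool-to-identify-dependency-vulnerabilities-cves]]` anchor together with the section will break any cross-reference or external link that still targets that anchor, and the commit message itself says the same text is present in the README of every supported OFBiz version; grep the documentation and the other release branches for the anchor and for `gradlew -PenableOwasp dependencyCheckAnalyze` so the removal lands consistently, and consider leaving a one-line pointer to the About+OWASP+Dependency+Check wiki page so readers learn that dependency scanning is no longer part of the build rather than simply finding the section gone.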
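Review bot: in the build.gradle hunk, removing the conditional `buildscript` block and `apply plugin: 'org.owasp.dependencycheck'` leaves the build with no dependency-vulnerability (CVE) check at all, while the rationale given is only that the task is unusable without an NVD API key; the plugin pinned here is `org.owasp:dependency-check-gradle:3.0.2`, so the commit message or the wiki page should record whether a current plugin version with an API key was evaluated and what, if anything, now covers this check. Also verify that no CI or helper script still passes `-PenableOwasp` or invokes `dependencyCheckAnalyze`: after this change the property is silently ignored and the task name no longer resolves.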