[
https://issues.apache.org/jira/browse/MNG-6487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17625697#comment-17625697
]
ASF GitHub Bot commented on MNG-6487:
-------------------------------------
AbdelHajou opened a new pull request, #858:
URL: https://github.com/apache/maven/pull/858
JIRA issue: https://issues.apache.org/jira/browse/MNG-6487
This plugin checks dependencies for CVE vulnerabilities using Sonatype's
vulnerability database. The build will fail when CVSS scores of >7.0 (HIGH) are
found in any of the sub-modules. As discussed in MPOM-210, the OSS plugin is
chosen in favour of OWASP Dependency-Check because the latter reports a lot of
false positives and produces noise.
Only compile-time dependencies are included, because these are risky for
Maven users and should be resolved before releasing.
- [ ] I hereby declare this contribution to be licenced under the [Apache
License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
- [ ] In any other case, please file an [Apache Individual Contributor
License Agreement](https://www.apache.org/licenses/icla.pdf).
[core-its]: https://maven.apache.org/core-its/core-it-suite/
> Adding CVE Checks via OWASP
> ---------------------------
>
> Key: MNG-6487
> URL: https://issues.apache.org/jira/browse/MNG-6487
> Project: Maven
> Issue Type: Improvement
> Reporter: Karl Heinz Marbaise
> Priority: Critical
>
> {{mvn compile org.sonatype.ossindex.maven:ossindex-maven-plugin:audit}}
> Result on all modules is a CVSS-score threshold: 0.0
> In contrast: IIRC the owasp dependency plugin gave several false positives.
> We should consider to add this to the maven-parent to get early notifications
> on known CVEs.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
