Re: Security related metadata

2018-03-14 Thread Bernd Eckenfels
There is the problem of missing CPE/Maven-coordinates mappings. OWASP Dependency-Check can work around that only with crude heuristics. Therefore it would be at least nice if we can add a CPE to the POM (or define an official mapping to CPEs, but last time I tried to address that on different l
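To make the "crude heuristics" concrete, here is an added example (not code from this thread and not OWASP Dependency-Check's own matching logic) of the kind of guesswork a scanner has to do when no CPE is declared: it derives candidate vendors from the reverse-DNS groupId and candidate products from the artifactId, then looks them up in a catalogue of CPE 2.3 names. The catalogue and the coordinates below are constructed sample data, and the heuristic itself is an assumption made for illustration; the point it demonstrates is the false negative for an artifact whose groupId does not name the vendor, and the ambiguity for an artifact line (commons-collections4) that only shares a product name, both of which an explicit CPE in the POM would remove.

```python
"""Heuristic Maven-coordinate -> CPE matching and why an explicit CPE helps.

Added example; not from the Maven dev thread and not Dependency-Check's
algorithm. CPE_CATALOGUE is a constructed stand-in for the NVD CPE dictionary.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample catalogue of CPE 2.3 names (13 colon-separated fields).
CPE_CATALOGUE = [
    "cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:fasterxml:jackson-databind:2.9.4:*:*:*:*:*:*:*",
]

# Top-level segments of a reverse-DNS groupId that never name a vendor.
TLD_SEGMENTS = {"org", "com", "net", "io"}


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    version: str


def parse_cpe(name: str) -> Cpe:
    """Validate a CPE 2.3 formatted string and pull out vendor/product/version."""
    fields = name.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 name: {name}")
    return Cpe(vendor=fields[3], product=fields[4], version=fields[5])


def vendor_candidates(group_id: str) -> Set[str]:
    """Heuristic (assumed): every non-TLD segment of the groupId may be the vendor."""
    return {s for s in group_id.lower().split(".") if s not in TLD_SEGMENTS}


def product_candidates(artifact_id: str) -> Set[str]:
    """Heuristic (assumed): artifactId as-is, with '-' -> '_', and with a
    trailing major-version digit dropped (commons-collections4 -> commons_collections)."""
    base = artifact_id.lower()
    stripped = re.sub(r"\d+$", "", base)
    return {base, base.replace("-", "_"), stripped, stripped.replace("-", "_")}


def match(group_id: str, artifact_id: str, version: str,
          explicit_cpe: Optional[str] = None,
          catalogue: List[str] = CPE_CATALOGUE) -> List[Tuple[str, str]]:
    """Return (cpe, confidence) pairs for a Maven coordinate.

    confidence is "exact" when vendor, product and version all line up,
    "vendor_product_only" when only the product was identified, which leaves
    the scanner to decide from CVE version ranges whether the artifact is hit.
    An explicit CPE (what the post proposes adding to the POM) bypasses the
    guessing entirely.
    """
    if explicit_cpe is not None:
        parse_cpe(explicit_cpe)  # reject malformed declarations early
        return [(explicit_cpe, "exact")]
    vendors = vendor_candidates(group_id)
    products = product_candidates(artifact_id)
    hits = []
    for name in catalogue:
        cpe = parse_cpe(name)
        if cpe.vendor in vendors and cpe.product in products:
            hits.append((name, "exact" if cpe.version == version else "vendor_product_only"))
    return hits


if __name__ == "__main__":
    # False negative: legacy groupId "commons-io" never mentions "apache".
    print(match("commons-io", "commons-io", "2.4"))
    # Same artifact with a declared CPE: unambiguous.
    print(match("commons-io", "commons-io", "2.4",
                explicit_cpe="cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*"))
    # Ambiguous: commons-collections4 4.1 only shares the product name
    # with the 3.x/4.0 entries, so the version decision is left to CVE ranges.
    print(match("org.apache.commons", "commons-collections4", "4.1"))
```

Run it as a script to see the three cases; the first call returns an empty list even though the catalogue contains the right product, which is exactly the gap a CPE declared in the POM (or an official coordinate-to-CPE mapping) would close.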

Re: Security related metadata

2018-03-14 Thread Hervé BOUTEMY
Using a plugin like OWASP Dependency-Check (or any other tool like it), and its dedicated security issues storage and update workflow, avoids adding a new management nightmare at every level of Maven. Regards, Hervé On Wednesday, 14 March 2018, 13:27:53 CET, Jochen Wiedmann wrote: > Hi, > > rece

Re: Build vs Consumer POM study

2018-03-14 Thread Hervé BOUTEMY
IMHO, in this case, the dependency should be defined in the profile in the consumer POM, with the resolved property of the profile. I don't know if flatten-maven-plugin currently detects such a situation and is able to move the parametrized dependency in the main section to a non-parametrized dependency

Re: Build vs Consumer POM study

2018-03-14 Thread Hervé BOUTEMY
On Wednesday, 14 March 2018, 09:10:20 CET, Robert Scholte wrote: > The more I think about this, the more I believe we should approach this a > little bit differently. > > There are discussions which parts should be part and which shouldn't. But > is this up to us/Maven? I don't get the intent here >

Security related metadata

2018-03-14 Thread Jochen Wiedmann
Hi, recently I had an issue where a security problem was claimed, because a published POM was using a jar version for which a CVE exists. The reporter requested to upgrade to a current version and publish an updated POM. As you know, we cannot update the POM. We only publish new POMs, so the

Re: Build vs Consumer POM study

2018-03-14 Thread Jörg Schaible
On Mon, 12 Mar 2018 01:12:52 +0100, Hervé BOUTEMY wrote: [snip] >> > Why is required for consumers? I'm not aware how profiles >> > of a dependency ever play(ed) a role in my "dependent" project? >> I can remember we had a discussion about that..my first reaction would >> be saying no profiles

Re: Build vs Consumer POM study

2018-03-14 Thread Robert Scholte
The more I think about this, the more I believe we should approach this a little bit differently. There are discussions which parts should be part and which shouldn't. But is this up to us/Maven? How about removing those bits that are useless, i.e. build and reporting, and I tend to agree on di