https://bz.apache.org/bugzilla/show_bug.cgi?id=62582
--- Comment #8 from Christopher Schultz ---
(In reply to mgrigorov from comment #4)
> As Mark explained there is not much to check anyway because Tomcat doesn't
> have dependencies.
Well... that's not entirely true. Tomcat does rely on:
1. co
--- Comment #7 from Christopher Schultz ---
For those interested, here is the dependency-check target I knocked up in a few
minutes. You can throw it onto the end of your build.xml in Tomcat and run it.
You are responsible for downloading the "
--- Comment #6 from Christopher Schultz ---
(In reply to ABakerIII from comment #3)
> Mark Thomas: I have seen several-year-old, known vulnerabilities in many open
> source projects. Many of those could be detected by OWASP D.C. and culled.
> I
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
--- Comment #4 from mgrigorov ---
I have the same experience as Chris - the Maven plugin slowed down the build of
our application so much that we had to find out how to tell TeamCity not to
time it out.
As Mark explained there is not much to c
--- Comment #3 from ABakerIII ---
Mark Thomas: I have seen several-year-old, known vulnerabilities in many open
source projects. Many of those could be detected by OWASP D.C. and culled.
I have seen new exploitation mechanisms be used that find
--- Comment #2 from Mark Thomas ---
I'm not convinced of the value of this for the Tomcat builds.
Which dependencies are we expecting it to catch problems in?
Vulnerabilities in compile only dependencies are not a concern.
Vulnerabilities in
--- Comment #1 from Christopher Schultz ---
FWIW, I use this tool for our builds. It has one unfortunate requirement:
periodic downloads of every CVE ever filed. Ever. And it doesn't bother retaining
the CVE databases from previous years which ar