Details
- Type: Task
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: Build Resources 1.6.8, POMs 38
- Component/s: Poms
- Labels: None
- Epic Link:
- Sprint: 6.2 Ramp-up 19, 6.2 Ramp-up 20
- Story Points: 8
Description
- implement suppressions (for false positives), likely through plugin configuration in the parent POMs
- provide a default suppressionFile in the build-resources module
- also configure a project-specific location, so that projects can add more suppressions without requiring a parent POM re-release
- let's not bind the check goal to any phase yet
- for local runs: mvn dependency-check:check, typically most relevant in webapps
- for CI runs: add a separate pipeline step to magnoliaPacksPipeline I believe, invoking the mvn command above
- add a report configuration for site generation, using the aggregate goal on the module parent (nice to have)
- estimate the load on CI from vulnerability database updates
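The parent POM wiring the bullets above describe, as an added example that is not taken from this ticket or from Magnolia's actual POMs. It assumes a placeholder plugin version, a hypothetical `info.magnolia.build:magnolia-build-resources` artifact that ships the default suppression file at `/dependency-check/default-suppressions.xml`, and hypothetical property names (`dependency-check.*`) for the project-specific file and the CVSS threshold; it also relies on dependency-check resolving a suppression path from the plugin classpath when no such file exists on disk.

```xml
<!-- Added example (not Magnolia's real parent POM). Assumed names: the dependency-check.*
     properties, the build-resources coordinates and the resource path of the default file. -->
<project>
  <properties>
    <dependency-check.version>PLUGIN_VERSION_PLACEHOLDER</dependency-check.version>
    <!-- each project may override this to point at its own suppressions; no parent re-release needed -->
    <dependency-check.suppressionFile.project>${project.basedir}/dependency-check-suppressions.xml</dependency-check.suppressionFile.project>
    <!-- findings at or above this CVSS score fail the check goal -->
    <dependency-check.failBuildOnCVSS>7</dependency-check.failBuildOnCVSS>
  </properties>

  <build>
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>${dependency-check.version}</version>
          <!-- no <executions>: the check goal is deliberately not bound to any phase,
               so it only runs on an explicit "mvn dependency-check:check" -->
          <configuration>
            <failBuildOnCVSS>${dependency-check.failBuildOnCVSS}</failBuildOnCVSS>
            <suppressionFiles>
              <!-- default suppressions shipped by build-resources, loaded from the plugin
                   classpath through the plugin dependency declared below (assumed path) -->
              <suppressionFile>/dependency-check/default-suppressions.xml</suppressionFile>
              <!-- project-specific suppressions, resolved at build time -->
              <suppressionFile>${dependency-check.suppressionFile.project}</suppressionFile>
            </suppressionFiles>
          </configuration>
          <dependencies>
            <dependency>
              <!-- hypothetical coordinates for the build-resources module -->
              <groupId>info.magnolia.build</groupId>
              <artifactId>magnolia-build-resources</artifactId>
              <version>1.6.8</version>
            </dependency>
          </dependencies>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>

  <!-- "nice to have" from the ticket: the aggregate report as part of mvn site on the module parent -->
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <reportSets>
          <reportSet>
            <reports>
              <report>aggregate</report>
            </reports>
          </reportSet>
        </reportSets>
      </plugin>
    </plugins>
  </reporting>
</project>
```

Two things to check before rolling this out: the plugin treats a configured suppression file it cannot find as an error, so a child project that has no suppressions of its own must either commit an empty `<suppressions/>` file at the assumed path or override the property; and because the goal is unbound, the CI step has to call `mvn dependency-check:check` explicitly, which is also where the cost of the vulnerability database update shows up (the data directory can be cached between builds to keep that load down).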
Initial research goal (fulfilled): estimate the initial effort to discard false positives such as the one mentioned in the CVE scans research log.
=> suppressions may not be that hard, and on second look the number of false positives seems manageable.
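What one of those suppressions looks like, as an added example of a suppression file rather than anything attached to this ticket: the CVE number, the artifact coordinates and the expiry date are placeholders, and the `until` attribute is used so the suppression is re-evaluated instead of silently outliving the dependency it was written for.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file; CVE id, coordinates and date are placeholders. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- False positive: a CPE match on the artifact name that belongs to a different product.
       Suppressing by CPE removes every CVE attributed through that wrong identifier. -->
  <suppress until="2099-01-01Z">
    <notes><![CDATA[
      Reviewed on DATE_PLACEHOLDER: the matched CPE is for another vendor's product with a similar name.
      Re-check when the dependency is upgraded.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
    <cpe>cpe:/a:example_vendor:example_product</cpe>
  </suppress>

  <!-- Genuine match, but the vulnerable code path is not reachable from this webapp.
       Suppress only the single CVE, not the whole artifact, so new findings still surface. -->
  <suppress until="2099-01-01Z">
    <notes><![CDATA[
      CVE-0000-00000 (placeholder): affected API is not used; tracked in TICKET_PLACEHOLDER.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
    <cve>CVE-0000-00000</cve>
  </suppress>

</suppressions>
```

Keeping the `notes` element mandatory by convention (who reviewed it, why it is a false positive, when to revisit) is what keeps a suppression file from becoming an unaudited allow-list; the report produced by `mvn dependency-check:check` lists suppressed findings separately, which is the easiest way to review them during the CI run.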
Checklists
Acceptance criteria
Attachments
Issue Links
- is cloned by
  - BLOSSOM-268 Enable OWASP Dependency Check on Blossom samples (Selected)
  - MGNLEE-603 DXCore - Implement OWASP Dependency Check for selected webapps (Closed)
- relates to
  - MGNLEE-600 Align jBPM version in magnolia dx core weblogic webapp (Closed)
- Wiki Page
(1 Wiki Page)
1. Manage three last libraries in dx-core CVE report | Closed | Dai Ha