[BUILD-384] Sites link to CVE scan report also when not available Created: 27/Mar/20  Updated: 14/May/20  Resolved: 10/Apr/20

Status: Closed
Project: Build
Component/s: Poms
Affects Version/s: POMs 38
Fix Version/s: Site Skin 1.3.2, POMs 39

Type: Bug Priority: Neutral
Reporter: Federico Grilli Assignee: Dai Ha
Resolution: Fixed Votes: 0
Labels: maintenance
Remaining Estimate: 3h
Time Spent: 4d
Original Estimate: Not Specified

Attachments: PNG File Screenshot 2020-03-27 at 09.43.43.png
Template:
Acceptance criteria: Empty
Date of First Response:
Epic Link: Security
Sprint: 6.2.1 Ramp-up 21
Story Points: 1

Description

For instance, https://nexus.magnolia-cms.com/content/sites/magnolia.public.sites/ui/6.2/dependency-check-report.html

Comments
Comment by Mikaël Geljić [ 27/Mar/20 ]

We don't run CVE scans for anything other than DX Core, but since the parent POM plugin config is there, it always generates the empty section.

We don't run scans on modules because they are usually built against old compatibility baselines, so there would be no way of getting green reports.
Maybe that's less the case for main and UI (though they usually stick to the BOM major baseline too), so it could be worth considering.

Comment by Dai Ha [ 30/Mar/20 ]

Another option is adding a dependency-check-report.html (with some detail/guideline) to maven-site-skin. This file will be unpacked during site generation and replaced with the actual report when dependency-check:aggregate kicks in.
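The following parent POM is an illustrative example added here; it is not Magnolia's parent POM or site skin, and does not claim to be the fix shipped in POMs 39 or Site Skin 1.3.2. It shows the mechanism both comments describe: the OWASP dependency-check plugin declared once in the parent's reporting section, so every module's generated site gets the report entry, plus an assumed `dependency-check.skip` property that defaults to skipping the scan and is overridden only by the module that actually runs `aggregate` (DX Core in the discussion). The group/artifact coordinates, the property default and the plugin version are assumptions; `dependency-check.skip` is the plugin's real property name for its `skip` parameter.

```xml
<!-- parent/pom.xml: illustrative configuration, not the project's own POM -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>           <!-- assumed coordinates -->
  <artifactId>example-parent</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Default: skip the CVE scan. Modules built against old compatibility
         baselines then neither fail the build nor publish an empty report.
         A scanning module overrides this to false in its own <properties>. -->
    <dependency-check.skip>true</dependency-check.skip>
  </properties>

  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>6.5.3</version>           <!-- assumed; pin the version your build uses -->
        <configuration>
          <!-- Wire the skip parameter to the inherited property. Assumption to verify
               with `mvn site`: when skip is true the plugin produces no report, so the
               site menu no longer links to an empty dependency-check-report.html. -->
          <skip>${dependency-check.skip}</skip>
        </configuration>
        <reportSets>
          <reportSet>
            <reports>
              <!-- aggregate: one report over the whole reactor, as in the comment above -->
              <report>aggregate</report>
            </reports>
          </reportSet>
        </reportSets>
      </plugin>
    </plugins>
  </reporting>
</project>
```

A module that should be scanned sets `<dependency-check.skip>false</dependency-check.skip>` in its own `<properties>` (or the build passes `-Ddependency-check.skip=false` on the command line); all other modules inherit the skipped configuration. After running `mvn site` on a skipped module, check that the generated site contains no `dependency-check-report.html` link; if the plugin version in use still emits the menu entry, the placeholder-page approach from the comment above (a stub report shipped in the site skin and overwritten by the real one) covers that case.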

Generated at Sun Feb 11 23:41:25 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.