[BUILD-384] Sites link to CVE scan report also when not available Created: 27/Mar/20 Updated: 14/May/20 Resolved: 10/Apr/20 |
|
| Status: | Closed |
| Project: | Build |
| Component/s: | Poms |
| Affects Version/s: | POMs 38 |
| Fix Version/s: | Site Skin 1.3.2, POMs 39 |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Federico Grilli | Assignee: | Dai Ha |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | maintenance | ||
| Remaining Estimate: | 3h | ||
| Time Spent: | 4d | ||
| Original Estimate: | Not Specified | ||
| Epic Link: | Security |
| Sprint: | 6.2.1 Ramp-up 21 |
| Story Points: | 1 |
| Description |
|
For instance, https://nexus.magnolia-cms.com/content/sites/magnolia.public.sites/ui/6.2/dependency-check-report.html |
| Comments |
| Comment by Mikaël Geljić [ 27/Mar/20 ] |
|
We don't run CVE scans for anything other than DX Core, but since the parent pom plugin config is there, it always generates the empty section. We don't run scans on modules because usually they are built against old compatibility baselines so there would be no way of getting green reports. |
| Comment by Dai Ha [ 30/Mar/20 ] |
|
Another option is adding a dependency-check-report.html (with some detail/guideline) to maven-site-skin. This file will be unpacked during site generation and replaced with the actual report when dependency-check:aggregate kicks in.