OWASP Dependency Check is a tool for checking that the Java libraries you use have no known security issues (it matches them against published CVE references). The current version is 1.3.6. We use it through the Gradle plugin.
Once the CVE references and the Gradle dependencies are up to date, as of 2016/0409/1505 it takes about 3,5 minutes on a standard machine to check the dependencies (it was 2+ minutes before Gradle).
Since it often reports false positives or issues not really needing attention, you need to maintain a suppression file.
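As an added example (not the OFBiz project's own suppress.xml), here is what such a suppression file looks like, in Dependency Check's suppression XML format. The Maven coordinates, SHA-1 and CVE id below are constructed placeholders, not real findings; replace them with the values from your own report. Each `<suppress>` entry should be as narrow as possible (a `sha1` of the exact jar, or a tight `gav` regex, plus the specific `cve` or `cpe`), and the `<notes>` should record why the finding does not apply, so the suppression can be reviewed again when the library is upgraded.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file for OWASP Dependency Check (schema 1.1, as used by the 1.x series). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

    <!-- Case 1: a false positive, where the CPE matched the wrong product.
         Suppress only that CPE, for only that artifact (placeholder coordinates). -->
    <suppress>
        <notes><![CDATA[
            False positive: example-lib is matched to the "example_server" CPE,
            which is a different product. Reviewed on YYYY-MM-DD (placeholder).
        ]]></notes>
        <gav regex="true">^org\.example:example-lib:.*$</gav>
        <cpe>cpe:/a:example_vendor:example_server</cpe>
    </suppress>

    <!-- Case 2: a real CVE that does not apply to how the library is used.
         Pin the suppression to the exact jar by SHA-1 and to the single CVE,
         so a new version of the jar or a new CVE is reported again. -->
    <suppress>
        <notes><![CDATA[
            CVE-0000-00000 (placeholder id) concerns the library's optional network
            listener, which OFBiz does not enable. Re-check on next upgrade.
        ]]></notes>
        <sha1>0000000000000000000000000000000000000000</sha1>
        <cve>CVE-0000-00000</cve>
    </suppress>

</suppressions>
```

With the command line tool the file is passed with `--suppression` as shown further down this page; the Gradle plugin exposes the same setting through its `dependencyCheck` configuration block (property name `suppressionFile` in the plugin versions I am aware of; verify against the plugin version you use).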
...
The idea is that you can use it as a basis for your project and, if possible, help to keep it up to date. You can do this by sharing your experience here as a comment, or by updating this page as a Confluence contributor (as explained in the top banner; otherwise you can ask on the OFBiz user ML).
Here is the Gradle command line I use on Windows to start the check (before that, I used the OWASP Dependency Check command line tool on Windows, see the old way below):
Warning: This is still a WIP. The .gradle\caches directory may contain external jars unrelated to OFBiz, notably Eclipse jars if you use the Gradle Eclipse task, and more if you use Gradle for other reasons than OFBiz. I need to have another look at
gradlew -PenableOwasp dependencyCheck
This is the old way; I still have to check how to use a suppression file with the Gradle plugin:
dependency-check -project OFBiz -scan C:\Users\Jacques\.gradle\caches --suppression C:\projectsASF\ofbiz\tools\security\dependency-check\suppress.xml --out C:\projectsASF\ofbiz\tools\security\dependency-check\
...