eclipse-cbi / macos-notarization-service

REST Service to notarize macOS application bundles and DMG
Eclipse Public License 2.0

Consider running dependency check as an action rather than integrated in the maven build #262

Open netomi opened 10 months ago

netomi commented 10 months ago

The dependency check is rather slow as it downloads all CVEs every time it is run.

Consider using an action instead that comes with a pre-built image of CVEs so that not all of them have to be downloaded again and again.

mbarbero commented 10 months ago

Agreed. Also, with proper dependabot config and dependency graph feeding, dependency-check is less useful. I've configured dependency-check here more to get a feeling about what it could provide.

netomi commented 9 months ago

In PR #274 I have moved the dependency check to a separate profile that is not enabled by default in the ci builds.

mbarbero commented 9 months ago

Should we close this one then? Or do you want to create a workflow that will run with this profile separately?

netomi commented 9 months ago

We should add an action to run the dependency check on a regular basis using a schedule and then we can compare the results with dependabot. I see that as experimenting with existing tools to understand their strengths and weaknesses.
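A scheduled workflow of the kind discussed in this thread, added here as an illustration and not taken from the repository: it runs the Maven profile on a cron schedule, caches the NVD data directory between runs so the CVE feed is not fully re-downloaded each time, and uploads the report for comparison with dependabot. The profile name `dependency-check`, the Java version, the cache path and the `NVD_API_KEY` repository secret are assumptions, not values from this project.

```yaml
name: dependency-check (scheduled)

on:
  schedule:
    - cron: "0 4 * * 1"   # weekly, Monday 04:00 UTC
  workflow_dispatch:       # allow manual runs when comparing with dependabot

permissions:
  contents: read           # least privilege: the job only reads the checkout

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'   # assumed; use the project's actual JDK
          cache: maven

      # Persist the NVD data between runs so only deltas are fetched,
      # which addresses the slow full download raised in the issue.
      - uses: actions/cache@v4
        with:
          path: ~/.m2/dependency-check-data
          key: dependency-check-data-${{ github.run_id }}
          restore-keys: dependency-check-data-

      - name: Run dependency-check Maven profile
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}   # assumed repository secret
        run: >
          mvn -B verify -Pdependency-check
          -DnvdApiKey="$NVD_API_KEY"
          -DdataDirectory="$HOME/.m2/dependency-check-data"

      # Keep the report even if the check fails the build so results can be reviewed.
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: dependency-check-report
          path: '**/target/dependency-check-report.html'
```

The cache key includes the run id so each run stores a fresh copy while `restore-keys` lets the next run start from the most recent one.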