I think that configuring dependabot on the various jQA repositories would help keep dependencies up-to-date, and limit known security issues in transitive dependencies.
I'd like to have continuous OWASP checks, but currently we get false positives that would need to be managed in several repositories. After merging them back into one, we should activate these checks.
The main contributor to jQA dependencies is the embedded Neo4j database. I'd like to keep the versions that we manage as consistent as possible with the ones provided by the database. Luckily Neo4j itself provides regular updates with CVE-related fixes.
Bug Description
I use the OWASP Dependency Check Gradle Plugin (org.owasp.dependencycheck:6.2.2, https://owasp.org/www-project-dependency-check/) to scan all my dependencies for known security issues.
Usually it reports none, but after applying the following ones in version 1.10.0,
I get a ton of security issues reported:
I don't know if false positives are among them but maybe you care enough to check the dependency tree for old versions.
Expected Behaviour
No reported CVE
Your Environment
How can we reproduce the bug?
Add this and then run
./gradlew dependencyCheckAnalyze
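The two concerns raised above, running the OWASP Dependency Check Gradle plugin continuously and keeping reviewed false positives from blocking the build in every repository, can be handled with a suppression file that is versioned next to the build. The following is an added example, not configuration from jQA or from the reporter; the package name, the CVE number, the file path and the CVSS threshold are placeholders chosen for illustration.

```groovy
// build.gradle (Groovy DSL): wiring for the OWASP Dependency Check plugin
// with a suppression file so that reviewed false positives stop failing the build.
plugins {
    id 'org.owasp.dependencycheck' version '6.2.2'
}

dependencyCheck {
    // Fail the build when a finding's CVSS score is at or above this threshold
    // (7.0 is an assumed policy value, not a plugin default).
    failBuildOnCVSS = 7.0f
    // Suppressions live in the repository so they are reviewed like code
    // (hypothetical path).
    suppressionFile = 'config/dependency-check/suppressions.xml'
}

/*
config/dependency-check/suppressions.xml (hypothetical contents):

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Each entry names the affected package and the specific CVE, records why
       the finding does not apply, and expires so the decision is re-examined. -->
  <suppress until="2022-01-01Z">
    <notes>Placeholder reason, e.g. the vulnerable code path is not reachable from this project.</notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
    <cve>CVE-0000-00000</cve>
  </suppress>
</suppressions>
*/
```

With this in place, `./gradlew dependencyCheckAnalyze` still reports every finding in the HTML report, but only unsuppressed findings at or above the threshold fail the build, and an expired suppression resurfaces automatically.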