Hello,
First, thank you for the great tools you provide. I used it on a lot of projects and it's really useful.
I have a question: do you have a plugin or a way to declare an internally developed library as containing a vulnerability?
The context is the following: in big organisations, they use internal libraries with their own versions and lifecycle. We would like to introduce a way for the development teams in the CI/CD to be warned that they use an old version of our libraries so that they would upgrade them.
Is it possible, or do we need to develop an internal extension of owaspDependencyChecker? I saw an old issue on that topic (https://github.com/jeremylong/DependencyCheck/issues/22) but it's still open and the Nexus solution is not really suitable in my context :-(.
Thank you for your answer,