Open timtebeek opened 4 months ago
cc @mike-solomon (but enjoy your holiday first!)
This has proven to be slightly problematic to document due to the fact that I can't get Gradle projects to generate data tables. Not entirely sure what I'm doing wrong as it seems like others may not have that issue 🤷
I'll come back to this in the future and see if I can figure it out. Jumping over to other doc issues for now, though.
What problem are you trying to solve?
Folks might not be aware that we are able to confidently solve vulnerabilities using OpenRewrite recipes, and also bump transitive dependencies.
Describe the solution you'd like
Guide folks towards the Find and fix vulnerable dependencies recipe, and educate them on:
- `overrideTransitive: true` to get Maven `dependencyManagement` or Gradle constraints added
  a. and explain how 80% of vulnerabilities are in transitive dependencies, otherwise missed by other tools
- patch versions, to the vulnerability recommended version
- `-Drewrite.exportDatatables=true`, and the minor/major/no fix insights that gives
- `UpgradeDependencyVersion` and `UpgradeTransitiveDependencyVersion` for minor version bumps,
  b. or the framework migration recipes for Spring, Micronaut and Quarkus for major version bumps.

Additional context
Came up in our OSS Slack.
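An added example of the configuration the issue body asks to document, not code from the issue or from the OpenRewrite project: a `rewrite.yml` showing the weak setting beside the corrected one. The recipe id `org.openrewrite.java.dependencies.DependencyVulnerabilityCheck`, its option names and the recipe name `com.example.FixVulnerableDependencies` are assumptions taken from the OpenRewrite recipe reference rather than from this page, so check them against the current docs before copying.

```yaml
# Added example (not from the issue): rewrite.yml at the project root.
# Recipe id and option names are assumed from the OpenRewrite recipe
# reference; the custom recipe name is hypothetical.
---
type: specs.openrewrite.org/v1beta/recipe
name: com.example.FixVulnerableDependencies
displayName: Find and fix vulnerable dependencies, including transitive ones
recipeList:
  # Weak form: only direct dependencies are bumped. A vulnerable transitive
  # dependency pulled in by a library is reported but left as-is, which is
  # the class of findings other tools tend to miss.
  #
  # - org.openrewrite.java.dependencies.DependencyVulnerabilityCheck:
  #     overrideTransitive: false
  #
  # Corrected form: vulnerable transitive dependencies are pinned to the
  # recommended version by adding a Maven <dependencyManagement> entry or
  # a Gradle constraint, and upgrades are capped at patch versions.
  - org.openrewrite.java.dependencies.DependencyVulnerabilityCheck:
      overrideTransitive: true
      maximumUpgradeDelta: patch
```

Run it with `mvn -U org.openrewrite.maven:rewrite-maven-plugin:run -Drewrite.activeRecipes=com.example.FixVulnerableDependencies -Drewrite.exportDatatables=true` (assuming the rewrite-java-dependencies recipe module is on the plugin's recipe classpath); the exported vulnerability data table is where the minor/major/no fix insight mentioned above comes from.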