playframework / play1

Play framework
https://www.playframework.com/documentation/1.4.x/home
Other
1.58k stars 683 forks source link

Enable dependency vulnerability scanning #1421

Open Fraserhardy opened 2 years ago

Fraserhardy commented 2 years ago

In order to ensure the framework is using libraries that do not contain vulnerabilities, it would help to have the framework scanned automatically.

Due to the non-standard nature of dependency handling in Play 1 this is more difficult, however I have found that its possible with Snyk using their "scan unmanaged jar" feature: https://docs.snyk.io/snyk-cli/test-for-vulnerabilities/scan-all-unmanaged-jar-files

cies commented 2 months ago

When we at RePlay upload to OSSHR (Maven Central) we get a vulnerability scan on the dependencies by SonaType for free by email (with a link to see the details). I think this is based on the JAR, not on the dependency specification; you could ask the Play1 devs if they also get this report and if they can publish it or share it with you.

Since the RePlay project uses Gradle, instead of the "ivy2-situation" Play1 has, we can also do dependency vulnerability scans based on that.