szpak / gradle-pitest-plugin

Gradle plugin for PIT Mutation Testing
http://gradle-pitest-plugin.solidsoft.info/
221 stars 58 forks source link

Add owasp dependency check to the pipeline #348

Open sigee opened 1 year ago

sigee commented 1 year ago

Implemeted the following feature request: https://github.com/szpak/gradle-pitest-plugin/issues/85

szpak commented 1 year ago

Thanks @sigee. It is a good base to build.

However, the scan itself does not immediately bring much value. Yes, we know, there are some potential vulnerabilities (14) and maybe some of them could be even exploitable in our case. We would need to go though them and detect false positives (and things are cannot easily change - e.g. groovy version which is taken from Gradle). In addition, having the state where 0 active vulnerabilities are found, we should probably fail the build, if there is any new detected (especially in the PRs). What's more, the check itself takes >3m. We could reduce it to just one selected pipeline version.

That's said, currently I don't have a good vision, which of the following should be made and in what form. Therefore, I propose, I will think it over and we will discuss it to reach the merge'able state of that PR.