szpak
commented
1 year ago Thanks @sigee. It is a good base to build.
However, the scan itself does not immediately bring much value. Yes, we know, there are some potential vulnerabilities (14) and maybe some of them could be even exploitable in our case. We would need to go though them and detect false positives (and things are cannot easily change - e.g. groovy version which is taken from Gradle). In addition, having the state where 0 active vulnerabilities are found, we should probably fail the build, if there is any new detected (especially in the PRs). What's more, the check itself takes >3m. We could reduce it to just one selected pipeline version.
That's said, currently I don't have a good vision, which of the following should be made and in what form. Therefore, I propose, I will think it over and we will discuss it to reach the merge'able state of that PR.
Implemeted the following feature request: https://github.com/szpak/gradle-pitest-plugin/issues/85