Detect vulnerabilities in maven using osv/osv.dev
Currently we rely on dependency-check-maven, which uses the CVE database and tries to match Maven packages based on CPEs, which is not reliable.
We often get false positives (e.g. a Chrome extension with the same name as a Maven package).
The proper way to track vulnerabilities is to use a proper detection process, which is the goal of OSV (the format) / osv.dev (the database, synced from different sources including GitHub advisories, which announce the main vulnerabilities in the Maven ecosystem).
We can try to use https://github.com/G-Rath/osv-detector to check pom.xml file for known vulnerabilities in osv.dev.
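To illustrate the difference the issue is about (exact `groupId:artifactId` + version matching in the Maven ecosystem instead of fuzzy CPE name matching), here is an added example, not Rudder's code and not part of osv-detector: a small Python script that parses the `<dependencies>` of a pom.xml, resolves `${property}` versions, and builds a request for the osv.dev batch query endpoint (`https://api.osv.dev/v1/querybatch`, the real OSV API). The pom.xml, the response and the `GHSA-xxxx-xxxx-0001` advisory id are constructed placeholders. Dependencies whose version is not set in the pom itself (managed by a BOM or a parent) are reported as skipped rather than silently dropped, which is one of the cases that makes a real-world pom harder to scan.

```python
"""Constructed example: query osv.dev for Maven dependencies listed in a pom.xml."""
import json
import re
import urllib.request
import xml.etree.ElementTree as ET

# Real OSV batch endpoint; one query per (ecosystem, name, version).
OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed sample pom.xml (not a real project file).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <jackson.version>2.9.8</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>1.9</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>managed-lib</artifactId>
    </dependency>
  </dependencies>
</project>
"""

# Constructed response in the shape osv.dev returns for querybatch:
# one entry per query, in order; an empty object means "no known vulns".
# The advisory id is a placeholder, not a real GHSA.
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "GHSA-xxxx-xxxx-0001", "modified": "2024-01-01T00:00:00Z"}]},
        {},
    ]
}


def _strip_ns(tag):
    """'{http://maven.apache.org/POM/4.0.0}groupId' -> 'groupId'."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def parse_dependencies(pom_xml):
    """Return [{'name': 'groupId:artifactId', 'version': str or None}, ...]."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    q = lambda tag: f"{{{ns}}}{tag}" if ns else tag  # noqa: E731

    # Properties usable in ${...}: <properties> plus project.groupId/artifactId/version.
    props = {}
    for key in ("groupId", "artifactId", "version"):
        el = root.find(q(key))
        if el is not None and el.text:
            props[f"project.{key}"] = el.text.strip()
    props_el = root.find(q("properties"))
    if props_el is not None:
        for child in props_el:
            if child.text:
                props[_strip_ns(child.tag)] = child.text.strip()

    def resolve(value):
        if value is None:
            return None
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value.strip())

    deps = []
    deps_el = root.find(q("dependencies"))
    for dep in ([] if deps_el is None else deps_el.findall(q("dependency"))):
        fields = {_strip_ns(c.tag): (c.text or "").strip() for c in dep}
        version = resolve(fields.get("version")) or None
        if version and "${" in version:
            version = None  # property not defined in this pom: cannot query by version
        deps.append({"name": f"{resolve(fields.get('groupId', ''))}:{resolve(fields.get('artifactId', ''))}",
                     "version": version})
    return deps


def build_querybatch(deps):
    """Build the querybatch payload; return (payload, names skipped for lack of a version)."""
    queries, skipped = [], []
    for d in deps:
        if d["version"] is None:
            skipped.append(d["name"])
            continue
        queries.append({"package": {"ecosystem": "Maven", "name": d["name"]}, "version": d["version"]})
    return {"queries": queries}, skipped


def query_osv(payload, url=OSV_QUERYBATCH_URL):
    """POST the payload to osv.dev (network access required)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(response, payload):
    """Map each queried package name to the list of advisory ids osv.dev returned."""
    names = [qry["package"]["name"] for qry in payload["queries"]]
    results = response.get("results", [])
    return {name: [v["id"] for v in res.get("vulns", [])] for name, res in zip(names, results)}


if __name__ == "__main__":
    payload, skipped = build_querybatch(parse_dependencies(SAMPLE_POM))
    print("skipped (no version in pom):", skipped)
    print(json.dumps(summarize(query_osv(payload), payload), indent=2))
```

Because a query carries the ecosystem and the exact Maven coordinates, a browser extension named like an artifact cannot match; the cost is that every dependency must have a resolvable version, which is why the script reports `skipped` entries instead of guessing.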
Updated by Vincent MEMBRÉ about 1 year ago
- Target version changed from 6.1.20 to 6.1.21
Updated by Vincent MEMBRÉ 11 months ago
- Target version changed from 6.1.21 to old 6.1 issues to relocate
Updated by Alexis Mousset 6 months ago
- Status changed from New to Rejected
- Regression set to No
Tooling not ready for our pom.xml, we'll check again later.
Updated by Alexis Mousset 3 months ago
- Target version changed from old 6.1 issues to relocate to 6.2.21