Google Git
Sign in
apache / ofbiz-framework / 0a9ee32539a6abe1c3e5d2805fb03df1e8d98144^! / .
commit0a9ee32539a6abe1c3e5d2805fb03df1e8d98144[log] [tgz]
authorJacques Le Roux <jacques.le.roux@les7arts.com>Tue Jun 25 10:07:51 2024 +0200
committerJacques Le Roux <jacques.le.roux@les7arts.com>Tue Jun 25 10:07:51 2024 +0200
tree25965074bf64d33c5cef9718700a6b1643529f68
parentc2cb522b54a73f3ea596ab4c289a067eac08ad55 [diff]
Improved: Abandon the  Gradle Owasp dependencycheck task (OFBIZ-13121)

We have abandoned this feature for years as it was no longer usable
(too much false positive in large numbers).
https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check

The last time I tried to use it was after the last commit for
https://issues.apache.org/jira/browse/OFBIZ-10700
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/build.gradle?r1=1854818&r2=1854817&pathrev=1854818

I just tried and got this:
C:\projectsASF\Git\ofbiz-framework>gradlew -PenableOwasp dependencyCheckAnalyze
Starting a Gradle Daemon (subsequent builds will be faster)
[...]
> Task :dependencyCheckAnalyze
Verifying dependencies for project ofbiz
Checking for updates and analyzing dependencies for vulnerabilities
An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key

Actually nothing happens in a reasonable time and I bet it would be mostly unusable.
You though may try to follow the NVD API key way, whatever it is.

I forgot to remove this information in the main README files
(actually in all OFBiz versions supported). You see the README trunk version GH repo.

Thanks: Sumesh Acharya for his question on user ML

diff --git a/README.adoc b/README.adoc
index d484853..553198a 100644
--- a/README.adoc
+++ b/README.adoc

@@ -640,16 +640,6 @@
 
 `gradlew -PXlint:none build`
 
-[[run-owasp-tool-to-identify-dependency-vulnerabilities-cves]]
-==== Run OWASP tool to identify dependency vulnerabilities (CVEs)
-
-The below command activates a gradle plugin (OWASP) and Identifies and reports
-known vulnerabilities (CVEs) in OFBiz library dependencies. The task takes time
-to complete, and once done, a report will be generated in
-$OFBIZ_HOME/build/reports/dependency-check-report.html
-
-`gradlew -PenableOwasp dependencyCheckAnalyze`
-
 [[setup-eclipse-project-for-ofbiz]]
 ==== Setup eclipse project for OFBiz
 

diff --git a/build.gradle b/build.gradle
index 0df79ed..d5d20c6 100644
--- a/build.gradle
+++ b/build.gradle

@@ -39,18 +39,6 @@
     id "com.github.node-gradle.node" version '7.0.2' apply false
 }
 
-/* OWASP plugin
- *
- * If project property "enableOwasp" is flagged then
- * gradle will download required dependencies and
- * activate Gradle's OWASP plugin and its related tasks.
- *
- * Syntax: gradlew -PenableOwasp dependencyCheckAnalyze
- */
-if (project.hasProperty('enableOwasp')) {
-    apply plugin: 'org.owasp.dependencycheck'
-}
-
 /* DependencyUpdates plugin
  *
  * If project property "enableDependencyUpdates" is flagged then