Replace NVD with Sonatype OSS Index #8186
Looks like a new CVE backing that better understands maven coordinates and so the suppressions we maintained previously should no longer be needed. Ported from open-telemetry/opentelemetry-java-instrumentation#16445
| // Skip OWASP dependencyCheck task on test module | ||
| dependencyCheck { | ||
| skip = true | ||
| } |
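Review bot: removing the `dependencyCheck { skip = true }` block drops the exclusion that kept this test module's dependencies out of the OWASP dependency check, and nothing in the hunk adds an equivalent exclusion for the replacement scanner. Either confirm that the new plugin does not flag this module's test-only dependencies, or add a module-level exclusion for the new plugin together with a comment stating why the old skip was needed, so the reason is not lost.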
Is there no analog for this? Or is it no longer applicable?
Maybe this is what you referred to with the suppressions no longer being needed.
we're using a different plugin altogether now
I get that. But we skipped OWASP on testing-internal because it had dependencies that triggered OWASP. And now we're not doing that. That means the new plugin either doesn't consider the testing dependencies problematic or somehow automatically excludes testing modules like this or something equivalent.
Just curious if you already know the answer.
oh, good point, I'll check this
Ran into an issue, let's wait for upstream fix: sonatype-nexus-community/scan-gradle-plugin#204
Codecov Report
All modified and coverable lines are covered by tests.

Coverage Diff
                   main     #8186     +/-
- Coverage       90.30%    90.30%   -0.01%
- Complexity       7651      7654      +3
  Files             843       843
  Lines           23061     23071     +10
  Branches         2310      2311      +1
+ Hits            20826     20835      +9
- Misses           1516      1517      +1
  Partials          719       719