
Drop dependency check plugin

Open MALPI opened this issue 3 years ago • 3 comments

With dependabot being in place to bump dependencies, I would suggest dropping the dependency check plugin, as it's pointless to maintain the list of CVE suppressions. All we can do anyway is upgrade the dependencies.

@danielrohe what do you think?

MALPI avatar Jan 06 '23 19:01 MALPI

Yes, we can remove the dependency check plugin.

danielrohe avatar Jan 09 '23 15:01 danielrohe

When it comes to vulnerabilities in dependencies, you have more than just 1 option though:

  1. Update
  2. Replace/rewrite (with a different or hand-written alternative)
  3. Suppress

CVE suppressions serve as documentation. They give users an idea about the status and quality of the project. If you combine them with `until`, you can even give your future self a hint about re-evaluating a suppression.

whiskeysierra avatar Jan 09 '23 16:01 whiskeysierra
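As an added illustration of the `until` mechanism mentioned above (an example file written for this thread, not a file from the problem-spring-web repository): an OWASP dependency-check suppression entry that documents why a finding is accepted and expires on a fixed date. The package URL pattern, the expiry date and the `CVE-YYYY-NNNNN` placeholder are assumptions; substitute the real coordinates and identifier.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppressions.xml for the OWASP dependency-check plugin.
     Not part of the project; coordinates, date and CVE are placeholders. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Option 3 from the thread: suppress, but only until a fixed date.
         Once "until" has passed, the plugin ignores this entry and the
         finding fails the build again, which forces a re-evaluation. -->
    <suppress until="2023-06-30Z">
        <notes><![CDATA[
            Placeholder CVE-YYYY-NNNNN: the vulnerable code path is not
            reachable from this library (it never calls the affected API).
            Re-check when the upstream fix is released; the assumed
            date below is when that release was expected.
        ]]></notes>
        <!-- Assumed Maven coordinates; "regex" matches any version -->
        <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
        <cve>CVE-YYYY-NNNNN</cve>
    </suppress>

</suppressions>
```

The `<notes>` block is where the documentation value lies: it records which of the three options was chosen and why, so a reader of the repository can judge the decision without re-doing the analysis. Leaving `until` off turns the entry into a permanent suppression that nobody is prompted to revisit, which is the maintenance burden the issue complains about.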

So what is your suggestion, @whiskeysierra? From my point of view, I don't see a huge benefit yet in maintaining a list of suppressions, to be honest.

MALPI avatar Jan 27 '23 15:01 MALPI