Date: Fri, 30 Mar 2018 20:28:41 +0200
From: Andreas Sommer <andreas.sommer87@googlemail.com>
To: freebsd-ports@freebsd.org
Subject: Committer needed for security/owasp-dependency-check
Message-ID: <27f7911e-ca35-7b8c-13da-710e0a79e280@googlemail.com>
Hi all,

[New port] security/owasp-dependency-check: Detects publicly disclosed vulnerabilities in project dependencies
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226206

Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It searches several databases for CVEs and other issues and creates a report based on the dependencies found for a project (example: package.json for a nodejs/npm/yarn-based project). With machine-readable output options, it is easy to integrate with CI and can be used to audit software vulnerabilities automatically. The tool is also under constant development under the patronage of OWASP.

The committer would benefit from familiarity with Java/Maven, but it's not too hard... I'm a ports beginner and could figure it out: for the fetch phase, a maven repository (incl. all dependencies) is created (it would have to be uploaded to distfiles for each update of the port; a simple script can be provided), and the application and all its dependencies are bundled into a JAR for packaging it standalone. I took the idea from archivers/snappy-java.

Thank you,
Andreas
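The post above mentions that Dependency-Check's machine-readable output makes it easy to gate a CI build on the findings. The script below is an added example of such a gate and is not part of the post or of the Dependency-Check project: it reads the tool's JSON report, collects every finding at or above a CVSS threshold, and returns a non-zero exit code when any remain. The report layout it assumes (a top-level `dependencies` list whose entries carry a `vulnerabilities` list with `name`, `severity` and `cvssv2`/`cvssv3` score objects, plus a flat `cvssScore` in older reports) follows the tool's JSON schema as I understand it and should be checked against the version you run; the embedded report is constructed sample data, not real scanner output, and its CVE-style identifiers are placeholders.

```python
"""CI gate over an OWASP Dependency-Check JSON report (added example)."""
import json
import sys
from typing import Dict, List, Optional

# Severity labels ordered so a label can stand in for a missing score.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def cvss_score(vuln: Dict) -> Optional[float]:
    """Prefer the CVSS v3 base score, then v2, then the legacy flat field.

    Field names are an assumption about the report schema; None means the
    entry carries no numeric score at all.
    """
    v3 = vuln.get("cvssv3") or {}
    if v3.get("baseScore") is not None:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if v2.get("score") is not None:
        return float(v2["score"])
    if vuln.get("cvssScore") is not None:
        return float(vuln["cvssScore"])
    return None


def findings_above(report: Dict, min_score: float) -> List[Dict]:
    """Return one record per (dependency, vulnerability) that meets the gate.

    Scored entries are compared numerically. An unscored entry is kept when
    its severity label is HIGH or CRITICAL, so a finding the data source
    rated serious but did not score cannot slip through the gate silently.
    Results are sorted worst-first, unscored entries last.
    """
    hits: List[Dict] = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = cvss_score(vuln)
            sev = str(vuln.get("severity", "")).upper()
            scored_hit = score is not None and score >= min_score
            unscored_hit = score is None and SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK["HIGH"]
            if scored_hit or unscored_hit:
                hits.append({
                    "dependency": dep.get("fileName", "?"),
                    "id": vuln.get("name", "?"),
                    "score": score,
                    "severity": sev,
                })
    return sorted(hits, key=lambda h: -(h["score"] if h["score"] is not None else 0.0))


def gate(report_json: str, min_score: float = 7.0) -> int:
    """Exit status for CI: 0 when nothing meets the threshold, 1 otherwise."""
    hits = findings_above(json.loads(report_json), min_score)
    for h in hits:
        print(f"{h['dependency']}: {h['id']} score={h['score']} severity={h['severity']}")
    return 1 if hits else 0


def sample_report() -> str:
    """Constructed sample in the assumed shape of dependency-check-report.json."""
    return json.dumps({
        "reportSchema": "1.1",
        "dependencies": [
            # One critical v3-scored finding and one low v2-only finding.
            {"fileName": "example-lib-1.2.3.jar", "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
                {"name": "CVE-0000-0002", "severity": "MEDIUM",
                 "cvssv2": {"score": 4.3}},
            ]},
            # Unscored but labelled HIGH: must still trip the gate.
            {"fileName": "other-lib-0.9.0.jar", "vulnerabilities": [
                {"name": "CVE-0000-0003", "severity": "HIGH"},
            ]},
            # Clean dependency (no vulnerabilities key at all).
            {"fileName": "clean-lib-2.0.0.jar"},
        ],
    })


if __name__ == "__main__":
    # Usage: python gate.py dependency-check-report.json [min_cvss]
    # With no arguments the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_report()
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    sys.exit(gate(data, threshold))
```

In a pipeline the script runs after the scan step that writes the JSON report; the threshold is a policy choice, and the label fallback for unscored entries is deliberate so that a gap in scoring data fails closed rather than open.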