Query about new DependencyCheck dependencies #8443
Replies: 3 comments 7 replies
-
What is your methodology for concluding that this dependency is needed as a user? This is used when building the plugin but I do not see it in the runtime dependency tree. Perhaps I am missing something specific to the Maven plugin. (this is off current
It should be irrelevant to users, but it seems the project was moved to a new github org and new maven coordinates at https://github.com/git-commit-id/git-commit-id-maven-plugin We'll need to migrate - but as above, shouldn't be relevant to users.
The change was specifically to move from a totally unmaintained to a slightly-more-maintained variant: #8245 so this is a net positive from earlier ODC versions because the very dead This is used for analyzing Windows binary DLLs. The library is small and low risk, and it's open source - feel free to review its source.
I'm not quire sure what kind of response you are looking for, however the latter dependency is part of the software that you use to scan dependencies; for free. :-) This is open source, so you can review the changelog to see for what reason any dependency changes were made and make judgments as an org about the discipline and responsibility of the maintainers. Eventually software supply chain is about trust - or at least trust-but-verify.
This seems like some hypothetical enterprise "security" fishing mission, and that question is a bit of a trap. If your organisation wishes to have complete piece of mind as to their entire software supply chain, to the individual dependency level with articulation as to reasonably for an entire SBOM, perhaps they are better to pay for commercially-supported software. Would love to have that for ODC myself (hence working on things like #8312), but there are only so many hours in the day to do free work companies don't pay for (and for other OSS folks and individuals, it is true). Otherwise you explain what you mentioned above - that stable doesn't mean buggy or insecure - and that appropriately licensed open source means that if there is a need to patch software to fix an urgent issue, then anyone can fork it and do so including your own company, the maintainers here, or anyone with Internet access.
I'm not trying to be flippant - but it's a serious point - if that's not good enough for the org; considering using commercially supported software. (I'm not arguing that proprietary or closed or commercial software is actually more secure, or better quality - just that some orgs need providers that can handhold them via commercial support or they are otherwise placing burdens or expectations on open source that are expressly denied by licenses) |
Beta Was this translation helpful? Give feedback.
-
|
Regarding:
... a further small apology! I have just shifted teams and am juggling a little too much, so I rushed this original post a little. When I first ran: It broke, requiring pecoff4j. Later in the day, wanting to be sure I'd got all the dependencies that I could require, I had meant to run: While juggling meetings, I instead ran, from within a checked-out repo of DependencyCheck: ... and so came up with
^^^ I love this & will definitely be using it in future discussions. |
Beta Was this translation helpful? Give feedback.
-
|
It seems #8444 (migrating the Git commit ID plugin) was triggered by this discussion. @ch-tstrickland Anything else that needs discussing or can this be closed now? |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
When I run the Maven dependency-check plugin, it requires a couple of dependencies that we need to get into our system, one of which is:
https://mvnrepository.com/artifact/pl.project13.maven/git-commit-id-plugin/4.9.10
... which does not seem to have been updated in a while and does not seem to have a homepage.
The other:
https://github.com/kichik/pecoff4j
Does not seem to be heavily maintained.
I know that stable code often does not need to be updated. I also know that when I ask to add these dependencies to our artefact store I'm going to be asked about this, so I'm asking here. Apologies if this is the wrong forum.
When I'm asked: why are these new dependencies necessary and is it OK that they do not seem to be heavily maintained, what should I say?
Beta Was this translation helpful? Give feedback.
All reactions