Add Vulnerabilities Checking into the build (pom, build.gradle) #6329
Overview of the issue
Dependencies (Maven, NPM) may have security vulnerabilities.
Motivation for or Use Case
Improve the security quality of the JHipster application (backend and frontend).
Suggest a Fix
You may add the OWASP reporting plugin into the pom.xml (https://www.owasp.org)
The report (mvn clean site) is in target/site/dependency-check-report.html
You may also add the Node Security Platform command (https://nodesecurity.io/opensource) for checking the package.json dependencies.
npm install nsp --global
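As an added example (not the issue author's or the JHipster project's own configuration), this is the pom.xml wiring the suggestion above describes: the OWASP dependency-check plugin in the build section, so that `mvn verify` fails on a high-severity finding, and in the reporting section, so that `mvn clean site` writes target/site/dependency-check-report.html. The version property and the suppression-file path are assumptions.

```xml
<!-- pom.xml fragment (added example): OWASP dependency-check in build and reporting -->
<project>
  <properties>
    <!-- assumption: no version is stated in the issue; set it to the current release -->
    <dependency-check.version>REPLACE_WITH_CURRENT_VERSION</dependency-check.version>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- fail the build on any finding scored at or above CVSS 7 (high) -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- assumption: a project-owned suppression file records reviewed false
               positives (e.g. a test-only transitive dependency), so every exclusion
               is explicit and auditable rather than silently baked into a generator -->
          <suppressionFiles>
            <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
        <executions>
          <execution>
            <!-- the check goal binds to the verify phase by default -->
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

  <reporting>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <reportSets>
          <reportSet>
            <reports>
              <!-- written to target/site/dependency-check-report.html by "mvn clean site" -->
              <report>aggregate</report>
            </reports>
          </reportSet>
        </reportSets>
      </plugin>
    </plugins>
  </reporting>
</project>
```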
Then, I often have "vulnerability reports" for the generator, saying that it has the permissions to write on your filesystem. I agree it can be worrying that the generator can read/write on your filesystem, and that's why we provide the Devbox, the Docker image, and JHipster Online... Then, if you install it locally, it's perfectly normal that it writes on your filesystem, as it's the whole point of the generator in the first place. Sometimes I wonder what security researchers think...
I have used the OWASP dependency checker and I don't think we should add it to JHipster because in order to get a no-error report after project generation, we should add some exclusions for false positives. Real-life example: excluding groovy because by transitivity it is included for test only, not production. As a result, if one of our users then decides to use groovy in production, they may not get any vulnerability warning.
So it seems to me that a code generator cannot take decisions about security without knowing business context, it's the responsibility of the generated project owner.
Add to this that this is a trivial change and so should be against our policy #2