OWASP Dependency Checker

[jonathanaustin]

The OWASP dependency check adds a lot of time to the build and is brittle due to updates always being provided. Many projects disable the checker.

Possible improvements:-

• Make the OWASP checker run in its own maven profile so it can be run as a seperate process.
• Increase the check update interval to prevent too many downloads.
• Report errors and not fail by default

[ricksbrown]

The best security scanner is the one that runs.

The current implementation:

• adds significant time to the build.
• makes the build extremely brittle.

It will be eventually turned off by every project that uses it.

Force them? For a while maybe.
Too bad, their problem? Is that really the best we can do?

The best would be to not have this as part of the build at all, handle scanning elsewhere.

At the extreme I'd allow it 30 seconds but I think even then it will be turned off by most. They'll just "disable it for now" which will be permanently.

Was a good idea in theory...

If it is not on by default there is no incentive other than good will to run it - and even with good will one has to remember.

If a project using this as an ancestor in their POM chain chooses to disable it then that is up to the individual project and the project chooses to wear the risk. We should not make the checks un-switch-off-able but they should be on by default with reasonable default config. I believe "Too bad their problem" is, actually, the best we can do in this type of inheritance structure and is the most appropriate way forwards. Or do we propose attempting to mandate all our other preferred code standards?