Please refer to the page history for information on released and older trunk versions.


OWASP Dependency Check is a tool for checking that the Java libraries you use have no known security issues (published CVEs). We use it through a Gradle plugin.
Once the CVE references and the Gradle dependencies are up to date, as of 2016/09/05 it takes 3.5 minutes on a standard machine to check the dependencies (it was 2+ minutes before Gradle).

Here is the Gradle command line to use to start the check:

gradlew -PenableOwasp dependencyCheck


There is also the tools\security folder in the OFBiz trunk repository, which holds some further information.

Since OFBiz uses Gradle, all dependent libraries (i.e. also the transitive dependencies of the libraries OFBiz uses, recursively) are loaded by Gradle and analysed by the OWASP Dependency Check plugin. So it is materially impossible to check all the possible vulnerabilities; I decided to only check the higher-severity ones.
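As an added example (not the OFBiz project's own build.gradle), here is how a Gradle build can wire the plugin up so that the check is only active when the build is started with the -PenableOwasp property from the command line above, and so that only high-severity findings fail the build, matching the decision to concentrate on the higher ones. The plugin id and the failBuildOnCVSS, suppressionFile, format and skipTestGroups settings are real options of the dependency-check-gradle plugin; the plugin version, the CVSS threshold of 7 and the suppression file path are assumptions chosen for the example.

```groovy
// Added example, not the OFBiz project's own build.gradle.
// Assumptions: the plugin version is a placeholder, the CVSS threshold 7 is a
// constructed value standing for "high severity", and the suppression file
// path is hypothetical.
plugins {
    id 'org.owasp.dependencycheck' version '<PLUGIN_VERSION>'  // placeholder
}

// The OWASP check takes minutes, so only configure it when the build is
// started with "-PenableOwasp"; an ordinary build is unaffected.
if (project.hasProperty('enableOwasp')) {
    dependencyCheck {
        // Fail the build only when a finding's CVSS score reaches the
        // constructed "high" threshold; lower-scored findings still appear
        // in the report but do not break the build.
        failBuildOnCVSS = 7

        // Confirmed false positives are recorded here so they do not have to
        // be re-triaged on every run (hypothetical path).
        suppressionFile = 'tools/security/owasp-suppressions.xml'

        // Human-readable report, written under build/reports by default.
        format = 'HTML'

        // Test-only configurations never ship, so leave them out of the scan.
        skipTestGroups = true
    }
} else {
    // Without the property, disable the task so a plain "gradlew dependencyCheck"
    // cannot accidentally trigger a multi-minute scan.
    tasks.matching { it.name == 'dependencyCheck' }.all { enabled = false }
}
```

With this in place the check is started exactly as on this page, with gradlew -PenableOwasp dependencyCheck. Note that the task name depends on the plugin version: the 1.x plugin used on this page registers dependencyCheck, while later releases of the plugin register dependencyCheckAnalyze instead, so the name in the else branch must follow the version in use. The first run also has to download the CVE data, which is why the timing quoted above assumes the references are already up to date.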

Trunk reports

Here is the latest report file for the trunk.

Here is the previous report file for the trunk (before Gradle was introduced).