Committer needed for security/owasp-dependency-check

Andreas Sommer andreas.sommer87 at googlemail.com
Fri Mar 30 18:28:46 UTC 2018


Hi all,

[New port] security/owasp-dependency-check: Detects publicly disclosed vulnerabilities in project dependencies
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226206

Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It searches several databases for CVEs and other issues and creates a report based on the dependencies found for a project (example: package.json for a nodejs/npm/yarn-based project). With machine-readable output options, it is easy to integrate with CI and can be used to audit software vulnerabilities automatically. The tool is also under constant development under the patronage of OWASP.

The committer would benefit from familiarity with Java/Maven, but it's not too hard... I'm a ports beginner and could figure it out: for the fetch phase, a Maven repository (incl. all dependencies) is created (would have to be uploaded to distfiles for each update of the port; a simple script can be provided), and the application and all its dependencies are bundled into a JAR for packaging it standalone. I took the idea from archivers/snappy-java.

Thank you,
 Andreas


More information about the freebsd-ports mailing list