Comments (4)
owasp produces a lot of false positives. while a couple of those like really old maven might be valid, there is not much we can do about it given any upgrade basically blocks maven 3.1.1+ usage. Others like groovy, lombok are wrong. If you look at the physical report it has a column for confidence. If it's low, it's almost always a false positive. I know that project is working on trying to clear some of those issues but suspect there will always be some issues.
from spotbugs-maven-plugin.
Then is it better to remove dependency-check-maven
from site generation phase? It will shorten time to build.
from spotbugs-maven-plugin.
I would leave it.
from spotbugs-maven-plugin.
It's just a matter of knowing what is or is not vulnerable based on the results. The false positives are not really the tools fault but rather NVD isn't very good on what is reported a lot of times. So there will always be false positives but it's important to have that insite. What you can do is go into the project though and configure it to stop reporting the false postive ones we have reviewed. I've never bothered in doing that given that could always change.
from spotbugs-maven-plugin.
Related Issues (20)
- Uses deprecated maven components HOT 8
- Does spotbugs report plugin support aggregation HOT 2
- Review replacing usage of 'ant'
- FindBugsAntBuildLogic 3.7 generates invalid findbugs_report.xml file HOT 2
- java 22 support will be in groovy 4.0.16 which isn't out yet HOT 2
- plugin build setting HOT 9
- makeConcatWithConstants + apply classes needed for analysis were missing HOT 1
- check does not fail if called as defaultGoal of profile HOT 4
- Build repeats "Unable to create Maven project for" warning and fails HOT 6
- NOTICE: Maven support will be moved to 3.6.3 as minimum on next release HOT 1
- Sporadic spotbugs failure HOT 1
- Spotbugs Maven Plugin 4.8.4 waiting on groovy! HOT 1
- Support the `chooseVisitors` option
- Is there a way to configure an accepted number of errors in order to introduce spotbugs into existing projects HOT 2
- All documentation descriptions are empty HOT 1
- After recent updates in core libraries ad plugin `verify` and `spotbugs:check` works differently
- Plugin tries to fetch latest snapshot version HOT 7
- GHA - remove the duplicate codeql file HOT 1
- Release 4.8.6.0 suddenly requires Java 11 HOT 2
- outputDirectory default value is invalid. HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from spotbugs-maven-plugin.