[ 
https://issues.apache.org/jira/browse/SOLR-17571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17900171#comment-17900171
 ] 

Christos Malliaridis commented on SOLR-17571:
---------------------------------------------

According to an observation, the OWASP dependency check stopped working and the 
last successful build is more than 4 months old. OWASP dependency check's main 
task is to generate reports about vulnerabilities found in dependencies used in 
our project.

The question is: can and should dependabot replace OWASP dependency check 
completely by enabling the "Dependabot security updates" feature on GitHub?

> Introduce dependabot
> --------------------
>
>                 Key: SOLR-17571
>                 URL: https://issues.apache.org/jira/browse/SOLR-17571
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: main (10.0)
>            Reporter: Christos Malliaridis
>            Assignee: Christos Malliaridis
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> With the migration to Version Catalogs in SOLR-17406, the solrbot stopped 
> working and needs to be updated.
> Because we now use Gradle Version Catalogs, dependabot is also an option we 
> can consider. It comes with better GitHub integration and more features 
> related to security. It should be possible to adopt a similar behavior with 
> our current bot by fine-tuning dependabot.
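
The issue above talks about fine-tuning dependabot for a Gradle build that uses Version Catalogs. As an added illustration (not Solr's own configuration and not part of the Jira thread), this is what a `.github/dependabot.yml` for such a build looks like; the `directory`, schedule, grouping rule and label are assumptions chosen for the example. Dependabot reads `gradle/libs.versions.toml` under the `gradle` ecosystem, so no special handling of the catalog is needed.

```yaml
# Added example configuration, not Solr's actual dependabot.yml.
# Assumes the Gradle build files and gradle/libs.versions.toml sit at the repo root.
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap how many version-update PRs may be open at once to keep noise down.
    # Setting this to 0 disables version-update PRs entirely while "Dependabot
    # security updates" (enabled in the repository's security settings) still
    # open PRs for dependencies with a known advisory.
    open-pull-requests-limit: 5
    # Batch minor and patch bumps into one PR instead of one PR per dependency,
    # which is closer to how a single "bot" update round behaves.
    groups:
      minor-and-patch:
        update-types: ["minor", "patch"]
    # Assumed label; adjust to the repository's own conventions.
    labels: ["dependencies"]
```

One caveat for the "replace OWASP dependency check" question: Dependabot alerts are driven by the GitHub Advisory Database and only flag dependencies GitHub can resolve from the manifest, whereas OWASP Dependency-Check matches artifacts against NVD CPE data. The two sources overlap heavily but are not identical, so a comparison of what each reports on the current dependency set is worth doing before dropping one of them.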



--
This message was sent by Atlassian Jira
(v8.20.10#820010)