The Apache Maven project EOLed Maven 3.6.3 in April 2023 and has updated its plugin policy so that plugins require Maven 3.6.3 as the minimum Maven version.
https://maven.apache.org/developers/compatibility-plan.html
Currently the OWASP DependencyCheck maven-plugin lists the minimum required version of Maven as 3.1.
Describe the solution you'd like
Update the maven-plugin to also follow the Maven policy and abandon compatibility with older Maven versions.
Describe alternatives you've considered
Keeping compatibility with older Maven versions in as long as nothing breaks, even though the Maven community itself has moved on to supporting only Maven 3.6.3 and later in its native plugin ecosystem.
Additional context
Any software developer taking security seriously would have upgraded their Maven stack to at least 3.8.1, which by default ensures that HTTP (more susceptible to MITM attacks) can never be used to access artifact repositories, so the target audience of DependencyCheck should typically already be beyond the new minimum Maven version (especially since the new minimum Maven version is itself already EOLed).
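As an added illustration (not part of the issue, and not code from the DependencyCheck project), this is how a Maven plugin's own pom.xml pins the minimum Maven version it supports, which is the concrete change the issue asks for. The `<prerequisites>` element is the declaration the Maven plugin tooling reads, and the maven-enforcer-plugin `requireMavenVersion` rule makes a build on an older Maven fail early with a clear message instead of breaking somewhere inside the plugin. The groupId, artifactId and enforcer version shown are assumptions chosen for the example; the real project's coordinates and versions may differ.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a minimal plugin pom that declares Maven 3.6.3 as its floor.
     Coordinates and versions are placeholders, not the DependencyCheck project's. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>org.example</groupId>          <!-- assumption -->
  <artifactId>example-maven-plugin</artifactId>  <!-- assumption -->
  <version>1.0.0-SNAPSHOT</version>
  <packaging>maven-plugin</packaging>

  <!-- Before: <maven>3.1</maven> (the floor the issue says DependencyCheck still declares).
       After:  3.6.3, matching the Maven project's compatibility plan. -->
  <prerequisites>
    <maven>3.6.3</maven>
  </prerequisites>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.3.0</version>  <!-- assumption: any 3.x enforcer release works -->
        <executions>
          <execution>
            <id>enforce-maven</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- Fail the build on any Maven older than 3.6.3; the open upper bound
                     keeps 3.8.x, 3.9.x and later working. -->
                <requireMavenVersion>
                  <version>[3.6.3,)</version>
                </requireMavenVersion>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place, `mvn -v` on a 3.1-era installation followed by `mvn verify` stops at the enforcer phase with a message naming the required range, rather than failing later with a cryptic resolver or API error. On the HTTP point raised above: Maven 3.8.1 and later ship a default settings.xml mirror named `maven-default-http-blocker` with `<mirrorOf>external:http:*</mirrorOf>` and `<blocked>true</blocked>`, so any external repository declared over plain `http://` fails resolution unless a user deliberately removes that mirror; raising the plugin's floor to 3.6.3 does not by itself enforce that, since 3.6.3 predates the blocker.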
This sounds reasonable for the reasons listed above – I am not sure why Maven 3.6.3 was the baseline for the Maven team in their recent plugin updates, but I think it had at least partially to do with the resolver libraries, which might be relevant for Dependency-Check's Java analysis.
Not sure why they picked the EOL 3.6.3 and not its successor 3.8.1 as the baseline, but that's how they've done it for the native plugins.
I do know that they're also actively working (if not already finished) on removing dependencies on Maven 2 compatibility libraries, in preparation for a smooth transition to Maven 4 in the future.