Status: In Progress
Affects Version/s: Trunk
Fix Version/s: None
We want to check from time to time if we need to update the dependencies.
It's easily done with the gradle-versions-plugin which analyzes the dependencies and checks if there are newer versions available.
Running the check with
We get a list of dependencies to update. This is an umbrella task for action tasks.
We have problems with a number of libs, see OFBIZ-10922 for details. Some have been fixed since, notably Lucene+Solr.
It is then good to run the OWASP Dependency Check to get a report about the security situation. Note though that all dependent libraries (i.e. also the dependencies of the libraries OFBiz uses, recursively) are loaded by Gradle and analysed by the OWASP Dependency Check plugin, so the report is large and it is practically impossible to review every reported vulnerability. You can refer to this wiki page: About OWASP Dependency Check.
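The following Gradle (Groovy DSL) fragment is an added example of how the two checks described above can be wired into a build; it is not OFBiz's own build.gradle. The plugin versions, the output directory, the CVSS threshold and the suppression file path are assumptions chosen for illustration.

```groovy
// Added example (not OFBiz's build.gradle): gradle-versions-plugin for outdated
// dependencies plus the OWASP dependency-check plugin for known vulnerabilities.
// Plugin versions below are placeholders (assumption), pin them to what you actually use.
plugins {
    id 'java'
    id 'com.github.ben-manes.versions' version '0.51.0'   // gradle-versions-plugin
    id 'org.owasp.dependencycheck' version '9.0.9'         // OWASP Dependency Check
}

// Treat alpha/beta/RC/SNAPSHOT builds as "not an upgrade" so the report only
// proposes stable releases (the plugin reports whatever is newest otherwise).
def isNonStable = { String version ->
    def stableKeyword = ['RELEASE', 'FINAL', 'GA'].any { version.toUpperCase().contains(it) }
    def stableRegex = /^[0-9,.v-]+(-r)?$/
    return !stableKeyword && !(version ==~ stableRegex)
}

// Run with: ./gradlew dependencyUpdates
// Writes build/dependencyUpdates/report.{txt,json}; the JSON is what a follow-up
// script would diff between runs.
tasks.named('dependencyUpdates').configure {
    rejectVersionIf {
        // Only reject a pre-release candidate when we are currently on a stable version
        isNonStable(it.candidate.version) && !isNonStable(it.currentVersion)
    }
    checkForGradleUpdate = true
    outputFormatter = 'json,plain'
    outputDir = 'build/dependencyUpdates'   // assumption: any path works
    reportfileName = 'report'
}

// Run with: ./gradlew dependencyCheckAnalyze
// Transitive dependencies of the scanned configurations are analysed too, which is
// why the report gets long; limiting the configurations and keeping a reviewed
// suppression file is how the noise is kept manageable.
dependencyCheck {
    scanConfigurations = ['runtimeClasspath']       // skip test/compile-only classpaths
    failBuildOnCVSS = 7                               // assumption: fail on High (>= 7.0) and above
    formats = ['HTML', 'JSON']
    suppressionFile = 'config/dependency-check-suppressions.xml'   // assumption: reviewed false positives
}
```

`failBuildOnCVSS` is what turns the report from advisory into a gate: with it set, a CI run that pulls in a library with a qualifying CVE fails instead of quietly growing the report. Entries in the suppression file should carry the justification (not exploitable in this usage, fixed in the vendored copy, etc.) so the next person reviewing the list can tell why a finding was accepted.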
Check the latest subtask(s) in the list before updating libs. Some can't be updated. I think I'd rather keep this list updated here...