
Outputting a pom.xml from dependencies.yml

Open Fraserhardy opened this issue 5 years ago • 6 comments

We'd like to improve the security of our application by scanning dependencies. The majority of tooling is only able to scan a pom.xml file for dependencies to build up a BOM.

I have looked into this and it seems this would need changes to the play dependencies module. Does anyone know if this is possible directly within ivy settings without changes to Play?

Also it would be helpful to have dependency checking of Play framework itself as at the moment it's difficult to know if Play is using vulnerable dependencies.

Fraserhardy avatar Jul 22 '20 21:07 Fraserhardy
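One way to get a scannable pom.xml without touching the Play dependencies module is to generate it from dependencies.yml yourself. The script below is an added example, not code from the Play project or from anyone in this thread. It assumes the documented dependencies.yml syntax (each `require:` entry is either a bare name such as `play`, `play -> module`, or `groupId -> artifactId version`, optionally followed by a nested option block); the sample file and its Maven coordinates are constructed for illustration. The resulting pom.xml is a scan-only artifact for SBOM and vulnerability tooling, not something you would build with.

```python
"""Generate a minimal, scan-only pom.xml from a Play 1.x dependencies.yml.

Added example (not part of the Play project). Assumes the documented
dependencies.yml syntax: entries under `require:` are either a bare
name (`play`), `play -> module [version]` (a Play module, not a Maven
artifact) or `groupId -> artifactId version`, optionally with a nested
option block such as `transitive: false`.
"""
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed sample input modelled on the documented dependencies.yml format.
SAMPLE_DEPENDENCIES_YML = """\
# Application dependencies
require:
    - play
    - play -> crud
    - play -> secure
    - com.google.guava -> guava 30.1-jre
    - org.apache.commons -> commons-lang3 3.12.0
    - org.postgresql -> postgresql 42.2.20:
        transitive: false

repositories:
    - internal:
        type: iBiblio
        root: "https://repo.example.invalid/maven2"
"""


def parse_require(text):
    """Return [(groupId, artifactId, version_or_None)] for Maven artifacts under `require:`.

    Play modules (`play` and `play -> ...`) are skipped: they come from the Play
    module repository, not Maven Central, so a Maven scanner cannot match them.
    """
    deps = []
    in_require = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop YAML comments
        if not line.strip():
            continue
        if not line[0].isspace():              # a top-level key such as require: / repositories:
            in_require = line.strip() == "require:"
            continue
        if not in_require:
            continue
        stripped = line.strip()
        if not stripped.startswith("- "):
            continue                           # nested option (e.g. "transitive: false")
        entry = stripped[2:].rstrip(":").strip()
        if "->" not in entry:
            continue                           # bare "play": the framework itself
        group, rest = (part.strip() for part in entry.split("->", 1))
        if group == "play":
            continue                           # Play module, not a Maven coordinate
        parts = rest.split()
        artifact = parts[0]
        version = parts[1] if len(parts) > 1 else None
        deps.append((group, artifact, version))
    return deps


def build_pom(deps, group_id="com.example", artifact_id="play-app", version="0.1-SNAPSHOT"):
    """Render a minimal pom.xml string; ElementTree handles XML escaping of values."""
    project = ET.Element("project", {"xmlns": "http://maven.apache.org/POM/4.0.0"})
    for tag, text in (("modelVersion", "4.0.0"), ("groupId", group_id),
                      ("artifactId", artifact_id), ("version", version),
                      ("packaging", "pom")):
        ET.SubElement(project, tag).text = text
    dependencies = ET.SubElement(project, "dependencies")
    for group, artifact, ver in deps:
        dep = ET.SubElement(dependencies, "dependency")
        ET.SubElement(dep, "groupId").text = group
        ET.SubElement(dep, "artifactId").text = artifact
        if ver is not None:                    # an unpinned version cannot be matched to advisories
            ET.SubElement(dep, "version").text = ver
    return minidom.parseString(ET.tostring(project)).toprettyxml(indent="  ")


def unpinned(deps):
    """Artifacts without a version: flag these, scanners cannot resolve CVEs for them."""
    return [f"{g}:{a}" for g, a, v in deps if v is None]


if __name__ == "__main__":
    found = parse_require(SAMPLE_DEPENDENCIES_YML)
    print(build_pom(found))
    if unpinned(found):
        print("WARNING: unpinned dependencies:", ", ".join(unpinned(found)))
```

Run it against your real conf/dependencies.yml and point the scanner at the generated file. It deliberately leaves out Play modules and the framework itself, which is the second half of the question: those still have to be checked some other way, for example by scanning the jars shipped in the Play distribution directly.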

I do know that RePlay (a fork of Play1) gives you "just a Gradle project" (no funky/clunky Python, and old Ivy2 stuff).

cies avatar Sep 08 '21 08:09 cies

Yeah I like what the team on RePlay did. I'm not sure how easy it is to port an existing app to RePlay though?

Fraserhardy avatar Oct 21 '21 14:10 Fraserhardy

@Fraserhardy It depends on how heavily your project uses Play enhancers (automated generation of JPA methods, getters/setters etc.)

In our project, it was not easy. We did the migration step-by-step:

  • disabled PropertyEnhancer
  • added getters/setters for public fields
  • replaced field accesses with getters/setters
  • made fields private
  • etc.

asolntsev avatar Oct 21 '21 14:10 asolntsev

Thanks @asolntsev, we have been actively removing any Play-specific features from our codebase over the last couple of years, however there are still a number of them in place. I think the biggest barrier would be the changes required to controllers, as your documentation mentions needing to return Result instead.

Fraserhardy avatar Oct 25 '21 15:10 Fraserhardy

@Fraserhardy No, I believe it's optional. A controller can still throw a result. Returning the result was just a new, better alternative.

asolntsev avatar Oct 25 '21 15:10 asolntsev

Oh, good to know. That might make it easier then. I'll find some time to do a POC with our app and see how it goes.

Fraserhardy avatar Oct 25 '21 15:10 Fraserhardy