release version 1.0.0 about vulndb-data-mirror HOT 7 CLOSED

1.0.0 released

from vulndb-data-mirror.

This project was blocked due to an issue with VulnDB that the vendor has just recently fixed. The fix has been implemented, not tested, and the project still is not feature complete - still lacking update synchronization. I likely won't be releasing 1.0.0 until mid-2019 at the earliest.

If you're not using VulnDB however, none of the code in this library will ever be called. In fact, if a vulndb directory doesn't exist in the dependency-track data directory, this library can likely be manually omitted.

from vulndb-data-mirror.

Also: refer to https://github.com/DependencyTrack/dependency-track/blob/master/src/main/java/org/dependencytrack/tasks/VulnDbSyncTask.java#L71

from vulndb-data-mirror.

my main concern is not the exact number of the project itself but that's it's a SNAPSHOT dependency which may change with every build.

Is it possible to decrease the version and go for < 1.0.0 releases, to indicate it's not feature-complete project?

from vulndb-data-mirror.

-SNAPSHOT already indicates its not complete. No need to alter versions which would be seriously problematic for organizations already using this library.

from vulndb-data-mirror.

by always depending on on a -SNAPSHOT dependency in release-builds I can't be sure that I get the same version each time I'm building my source.

By this release builds from the same source are not getting the same result which is far more problematic (since it's hard to go back on a previous SNAPSHOT). There is a reason the maven-release-plugin is forbidding SNAPSHOT dependencies.

from vulndb-data-mirror.

If reproducibility is what you're after, why don't you just pin to a specific version of a snapshot.

Current:
1.0.0-20180524.022156-17

from vulndb-data-mirror.