I need advice/direction with CVEs.
My current situation is that we are about 20 developers building our API microservices (REST/Kotlin/Spring Boot/Gradle/Jenkins). We have a central project which manages all dependencies for consistency across both in-house libraries and external ones (e.g. CXF, logging, Spring...).
- Once the CVE has been addressed, i.e. either whitelisted or upgraded as recommended, the central plugin is merged to master and tagged. All new projects can now use it.
- All projects that are under development have to bypass the CVE check locally. Once the new version is available, all projects in development are updated and all is well until next time.
As part of the build, local or on the pipeline, before the artefact is published to our common Nexus repo, the CVE check is done to ensure that we do not have any CVE-related issues. The issues are as follows.
- All projects that are not in development (we have over 60 microservices) need a manual update of the central project and have to go through the governance process to get into production. This is both time-consuming and stupid work. It's only 60 services now; that number will easily double in the next 6 months.
- The business does not pay for it, as they say it's a technical asset and it's up to IT to maintain it (I guess this is right).
How do others manage this CVE work and minimize the touches needed to roll out updates?
FYI, currently I am making changes such that the projects will automatically get the latest central project on a re-run of the CI pipeline.
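A concrete shape for the setup the post describes (a central version project, a CVE check that gates publishing to Nexus, a central whitelist, a local bypass while a fix is pending, and consumers picking up the newest central version on a CI re-run), as an added example that is not code from the original post or the poster's project. It assumes Gradle's `java-platform` plugin for the central project and the OWASP dependency-check Gradle plugin (`org.owasp.dependencycheck`) as the CVE checker, since the post does not name the tool; the coordinates, versions, Nexus URLs and the `skipCveCheck` property are placeholders.

```kotlin
// ---------- central-deps/build.gradle.kts (the "central project") ----------
// A Gradle platform (BOM) that pins every third-party and in-house version.
// Services import it instead of declaring versions themselves.
plugins {
    `java-platform`
    `maven-publish`
}

group = "com.example.platform"   // placeholder coordinates
version = "1.7.0"                // bump + tag after each CVE fix

dependencies {
    constraints {
        // Illustrative versions only; the real ones come from your CVE review.
        api("org.apache.cxf:cxf-core:3.5.8")
        api("ch.qos.logback:logback-classic:1.4.14")
        api("com.example.libs:auth-client:2.3.1")   // in-house library (placeholder)
    }
}

publishing {
    publications {
        create<MavenPublication>("platform") {
            from(components["javaPlatform"])
        }
    }
    repositories {
        maven {
            name = "nexus"
            url = uri("https://nexus.example.internal/repository/maven-releases/")  // placeholder
            credentials(PasswordCredentials::class)   // reads nexusUsername / nexusPassword properties
        }
    }
}

// ---------- any-service/build.gradle.kts (one of the microservices) ----------
plugins {
    kotlin("jvm") version "1.9.22"
    `maven-publish`
    id("org.owasp.dependencycheck") version "9.0.9"   // assumed CVE scanner
}

dependencies {
    // Dynamic version: each fresh CI run resolves the newest 1.x platform, so a
    // tagged central fix reaches this service on the next pipeline run, no edit needed.
    implementation(platform("com.example.platform:central-deps:1.+"))
    implementation("org.apache.cxf:cxf-core")        // versions come from the platform
    implementation("com.example.libs:auth-client")
}

configurations.all {
    // Do not let Gradle reuse a cached "latest" for 24h; always ask Nexus.
    resolutionStrategy.cacheDynamicVersionsFor(0, "seconds")
}

dependencyCheck {
    failBuildOnCVSS = 7.0f   // fail the build on High/Critical findings
    // Central whitelist: one suppression file, served from Nexus and shared by all
    // services (dependency-check accepts a local path or a URL here).
    suppressionFile = "https://nexus.example.internal/repository/raw/security/dependency-check-suppressions.xml"
    nvd.apiKey = System.getenv("NVD_API_KEY")   // needed for NVD feed downloads
}

// Gate publication on the scan: nothing reaches Nexus with an unaddressed CVE.
tasks.named("publish") { dependsOn("dependencyCheckAnalyze") }

// Local escape hatch only: `./gradlew build -PskipCveCheck` while a central fix is
// pending. Jenkins never sets this property, so pipeline builds always scan.
tasks.named("dependencyCheckAnalyze") {
    onlyIf { !project.hasProperty("skipCveCheck") }
}
```

With this layout a whitelist decision is made once (in the shared suppression file) and an upgrade decision is made once (a new platform tag); a service that is not under active development only needs its pipeline re-run to rebuild against the new versions, which is the "automatic latest central project" behaviour the post is moving towards. Dynamic versions trade reproducibility for convenience, so pair them with `dependencyLocking` or record the resolved platform version in the build output if your governance process needs to know exactly what went to production.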