apex-dev mailing list archives

From Pramod Immaneni <pra...@datatorrent.com>
Subject Re: checking dependencies for known vulnerabilities
Date Fri, 08 Sep 2017 23:06:09 GMT
Can we build a way into CI to distinguish between these and a new
vulnerability that has come up in an unchanged dependency?

On Fri, Sep 8, 2017 at 3:44 PM, Thomas Weise <thw@apache.org> wrote:

> On Fri, Sep 8, 2017 at 3:36 PM, Pramod Immaneni <pramod@datatorrent.com>
> wrote:
>
> > Though I like the functionality of being able to detect if a new
> > dependency being added has vulnerabilities and prompting the search for a
> > better version, I am wary of tying a build strongly to vulnerability
> > detection, i.e., the build failing when vulnerabilities are discovered in
> > dependencies. This immediately blocks our project till those
> > vulnerabilities are addressed, as nothing can go in because builds are
> > failing. If details are suppressed and we have a summary warning but do
> > not fail the build, that should be ok.
> >
> >
> I think that if a new problem is introduced, then it should be discovered
> in the CI and the PR that causes it not be merged until it is addressed.
>
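The distinction asked for above (a vulnerability brought in by the change under review versus a new advisory against a dependency the change did not touch) can be made in CI by diffing the scan result against a baseline from the mainline branch. The following is an added illustration, not code from this thread or from the Apache Apex project; it assumes a simplified report shape (a dependency-to-version map plus a list of findings) that a scanner's output would have to be converted into, and the artifact names and `CVE-XXXX-*` advisory ids are constructed placeholders.

```python
"""Classify dependency-scan findings for a PR build against a mainline baseline.

Assumed (simplified) report shape, constructed for this example:
    {"dependencies": {"group:artifact": "version", ...},
     "findings": [("group:artifact", "version", "advisory-id"), ...]}
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    artifact: str    # dependency coordinate, e.g. "org.example:lib-a"
    version: str     # resolved version in this build
    vuln_id: str     # advisory id as emitted by the scanner


def parse_report(report: dict) -> List[Finding]:
    """Turn the report's finding tuples into Finding objects."""
    return [Finding(*entry) for entry in report["findings"]]


def classify(baseline: dict, current: dict) -> Dict[str, List[Finding]]:
    """Split the current build's findings into three buckets.

    known                 - identical finding already present on the mainline
    unchanged_dependency  - new advisory against a dependency this change did not touch
    introduced            - advisory on a dependency this change added or re-versioned
    """
    base_versions = baseline["dependencies"]
    known = set(parse_report(baseline))
    buckets: Dict[str, List[Finding]] = {
        "known": [], "unchanged_dependency": [], "introduced": []}
    for f in parse_report(current):
        if f in known:
            buckets["known"].append(f)
        elif base_versions.get(f.artifact) == f.version:
            # same artifact at the same version as mainline: the advisory is
            # new, but the change under review did not bring it in
            buckets["unchanged_dependency"].append(f)
        else:
            # artifact is new, or its version was changed by this PR
            buckets["introduced"].append(f)
    return buckets


def verdict(buckets: Dict[str, List[Finding]]) -> str:
    """Gate only on findings the change itself introduced; everything else warns."""
    if buckets["introduced"]:
        return "fail"
    if buckets["unchanged_dependency"] or buckets["known"]:
        return "warn"
    return "pass"


def summarize(buckets: Dict[str, List[Finding]]) -> str:
    """One line per finding, suitable for a CI log without the full scanner detail."""
    return "\n".join(f"{name}: {f.artifact}:{f.version} {f.vuln_id}"
                     for name, findings in buckets.items() for f in findings)


# Constructed sample data (placeholder coordinates and advisory ids).
BASELINE = {
    "dependencies": {"org.example:lib-a": "1.2.0", "org.example:lib-b": "3.0.1"},
    "findings": [("org.example:lib-a", "1.2.0", "CVE-XXXX-0001")],
}
CURRENT = {
    "dependencies": {"org.example:lib-a": "1.2.0", "org.example:lib-b": "3.0.1",
                     "org.example:lib-c": "0.9.0"},
    "findings": [
        ("org.example:lib-a", "1.2.0", "CVE-XXXX-0001"),  # already known on mainline
        ("org.example:lib-b", "3.0.1", "CVE-XXXX-0002"),  # new advisory, dependency untouched
        ("org.example:lib-c", "0.9.0", "CVE-XXXX-0003"),  # vulnerable dependency added by the PR
    ],
}

if __name__ == "__main__":
    result = classify(BASELINE, CURRENT)
    print(summarize(result))
    print("verdict:", verdict(result))
```

With this split, the build fails only for the `introduced` bucket (the PR that added or bumped the dependency is the one that has to address it), while advisories that newly appear against untouched dependencies surface as a warning summary rather than blocking every open PR. A version bump that carries a known advisory forward still lands in `introduced`, since the change chose that version.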
