oodt-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lewis john mcgibbney <lewi...@apache.org>
Subject Re: CVEs etc
Date Mon, 11 Sep 2017 14:15:04 GMT
Hi Tom,
I was reading the Struts PMC Experian response this morning and it made me
come back t this thread.
A very good topic and worthy of some action IMHO.
OODT is jam packed with dependencies and we should be prudent about making
upgrades when they become available.
Why do you propose are action items here?

On Sat, Sep 9, 2017 at 6:03 AM, Tom Barber <tom@spicule.co.uk> wrote:

> Hi folks
>
> This isn't supposed to be an alarmist email, but quite enlightening all the
> same.
>
> I saw a link to a plugin on the Drill mailing list called Dependency Check
> Report so I wired it into  my OODT repo amongst others to see what was
> flagged up since the Struts fallout.
>
> Anyway, of course its unlikely but not out of the question to run OODT
> fronting on to the interwebs so I think this is decent food for thought as
> to why its useful to keep dependencies up to date as much as possible.
>
> Here's a selection of the output:
>
> https://www.dropbox.com/s/2ida8dk54yleedo/curator-webapp.html?dl=0
> https://www.dropbox.com/s/wgt1facgjhqiqkq/fmbrowser.html?dl=0
> https://www.dropbox.com/s/o8kqcaktplzjy4y/metadata.html?dl=0
> https://www.dropbox.com/s/cli4pj4jc564f16/pge.html?dl=0
>
> Of course there is a bunch of repetition in there and plenty that aren't
> over the top severe, some may also be false positives, but as we work
> through to OODT 2.0 with the new stuff and chopping out the old stuff,
> reducing these as much as possible I would posture.
>
> Tom
>



-- 
http://home.apache.org/~lewismc/
@hectorMcSpector
http://www.linkedin.com/in/lmcgibbney

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message