zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Patrick Hunt <ph...@apache.org>
Subject Re: OWASP task failing again ! but is CI lying ?
Date Wed, 30 Jan 2019 20:41:00 GMT
Note the owasp job has been failing since the upgrade to dependency checker
4 due to
"Target "dependency-check-update" does not exist in the project "ZooKeeper""
the jenkins job was explicitly running the update (which seems to not exist
after the upgrade).

I updated the job targets however it's now failing due to CVEs in netty and
some deps:
https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/255/
agree we should clear these out...

Patrick


On Sat, Jan 26, 2019 at 3:54 AM Enrico Olivelli <eolivelli@gmail.com> wrote:

> I have forced the download of pattern and now the results are
> consistent with the ones on my laptop
>
> see the results:
> https://builds.apache.org/job/ZooKeeper-trunk-owasp/250/console
>
> In patch:
> https://github.com/apache/zookeeper/pull/788
>
> I have added the fix to force the download of patterns at every run.
>
> IMHO it is better to merge the patch soon
>
> Enrico
>
> Il giorno sab 26 gen 2019 alle ore 11:44 Enrico Olivelli
> <eolivelli@gmail.com> ha scritto:
> >
> > Hi Zookeepers,
> > while working on the migration of OWASP task to the Maven build I
> > found that currently the CI Job
> > (https://builds.apache.org/job/ZooKeeper-trunk-owasp/) is not working
> > properly.
> >
> > On my laptop both the ant task and the maven one are reporting several
> > issues, due to dependencies updated/introduced recently, like Netty
> > 4.1.29 (which is not the latest and greatest released version)
> >
> > I have attached my logs in JIRA
> > https://issues.apache.org/jira/browse/ZOOKEEPER-3256
> >
> > This is the patch to add OWASP to Maven build
> > https://github.com/apache/zookeeper/pull/788
> >
> > My proposal:
> > 1) commit PR #788 to all the active branches
> > 2) create an issue to address the new issues and upgrade all the deps
> > and/or add suppressions
> > 3) add OWASP job to the new Maven CI pre-commit/post-commit
> >
> > As soon as we commit the plugin configuration I will setup the CI Job
> for OWASP.
> >
> > Please anyone try out my patch and/or the ant task and confirm my
> findings.
> > I am trying to understand why CI jobs is not reporting the same
> > results as on my laptop. Actually my best guess is that it is not
> > re-downloading CVE patterns from NIST and so it is working with stale
> > information.
> >
> > Regards
> > Enrico
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message