yetus-notifications mailing list archives
From "Allen Wittenauer (JIRA)" <>
Subject [jira] [Commented] (YETUS-441) Add a precommit check for known CVEs from dependencies
Date Mon, 23 Jul 2018 18:14:00 GMT


Allen Wittenauer commented on YETUS-441:

Playing around with this again. I'm using:

{code}
--basedir=(hadoop) --patch-dir=/tmp/yetus-work \
    --project=hadoop --docker --plugins=maven,dependency_check \
    --resetrepo --dockerfile=(hadoop's dockerfile) --empty-patch
{code}

The end result was a +0 with the only hint being the no reports message. That's less than ideal. :) Digging in and looking at the log, owasp wasn't able to download the database.

So ...
* When the maven goal doesn't generate output, a link to the log would be great.
* If one doesn't pre-download, there will be an attempt to download live. If maven fails to download, the patch should specifically call that out as a failing error.
* I'm not sure why maven can't download the DB file while inside Hadoop's docker container. (It works from start-build-env but not from test-patch.) That might be specific to Hadoop, but something to look at.
* This really feels like dep check should be voting -1 here.
* If we're going to have really long test names, test-patch console code needs to be smarter about line length. The patch is clearly overflowing the table size.

I'll play around with it some more because I really want to see this working. :)

> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>                 Key: YETUS-441
>                 URL:
>             Project: Yetus
>          Issue Type: New Feature
>          Components: Test Patch
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Major
>         Attachments: YETUS-441.0.patch, YETUS-441.1.patch, YETUS-441.2.patch, YETUS-441.3.patch,
> Add in a precommit test that makes use of [The OWASP Dependency Check|] to look for known bad dependencies.
> there's a maven plugin, ant task, and command line tool. So we should be able to build similar support to what we have for RAT.

This message was sent by Atlassian JIRA