yetus-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YETUS-441) Add a precommit check for known CVEs from dependencies
Date Tue, 24 Jul 2018 18:07:00 GMT

    [ https://issues.apache.org/jira/browse/YETUS-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16554607#comment-16554607
] 

Allen Wittenauer commented on YETUS-441:
----------------------------------------

since I know that we'd like to get this into o8o, I've taken the liberty to update Sean's
patch with some changes after a significant amount of playing:

-004:
* add bouncy castle to the build for JDK9, since from my tests it appears to be required
* update the bits to 3.3.0
* set the default filter to Low
* set the default target to aggregate instead of check
* add code to show log files and vote -1 in case of maven failures
* add code to show the html log in qbt mode
* change the downloader to use some safer code to determine the absolute path of things
* fix the BUILDMODEMSG in test-patch
* change the 'which' to a 'command -v', which is now preferred according to shellcheck
* fix the typo that [~sekikn] found


> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>
>                 Key: YETUS-441
>                 URL: https://issues.apache.org/jira/browse/YETUS-441
>             Project: Yetus
>          Issue Type: New Feature
>          Components: Test Patch
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Major
>         Attachments: YETUS-441.0.patch, YETUS-441.004.patch, YETUS-441.1.patch, YETUS-441.2.patch,
YETUS-441.3.patch, dependency-check-suppression.xml
>
>
> Add in a precommit test that makes use of [The OWASP Dependency Check|https://www.owasp.org/index.php/OWASP_Dependency_Check]
to look for known bad dependencies.
> there's a maven plugin, ant task, and command line tool. So we should be able to build
similar support to what we have for RAT.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message