yetus-notifications mailing list archives

From "Allen Wittenauer (JIRA)" <>
Subject [jira] [Commented] (YETUS-441) Add a precommit check for known CVEs from dependencies
Date Tue, 24 Jul 2018 18:07:00 GMT


Allen Wittenauer commented on YETUS-441:

Since I know that we'd like to get this into o8o, I've taken the liberty to update Sean's patch with some changes after a significant amount of playing:

* add bouncy castle to the build for JDK9, since from my tests it appears to be required
* update the bits to 3.3.0
* set the default filter to Low
* set the default target to aggregate instead of check
* add code to show log files and vote -1 in case of maven failures
* add code to show the html log in qbt mode
* change the downloader to use some safer code to determine the absolute path of things
* fix the BUILDMODEMSG in test-patch
* change the 'which' to a 'command -v', which is now preferred according to shellcheck
* fix the typo that [~sekikn] found

> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>                 Key: YETUS-441
>                 URL:
>             Project: Yetus
>          Issue Type: New Feature
>          Components: Test Patch
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Major
>         Attachments: YETUS-441.0.patch, YETUS-441.004.patch, YETUS-441.1.patch, YETUS-441.2.patch, YETUS-441.3.patch, dependency-check-suppression.xml
> Add in a precommit test that makes use of [The OWASP Dependency Check|] to look for known bad dependencies.
> There's a Maven plugin, Ant task, and command line tool, so we should be able to build similar support to what we have for RAT.

This message was sent by Atlassian JIRA
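Two of the shell-hygiene items in the change list above (replacing `which` with `command -v`, and resolving absolute paths without trusting the caller's string) are shown below as an added, stand-alone example. This is not Yetus code and not the patch attached to the issue; the function names `abs_path`, `find_tool` and `have_tool` are hypothetical, and the helpers avoid `readlink -f` / `realpath` so they work on platforms where those are absent.

```shell
#!/usr/bin/env bash
# Added example, not part of YETUS-441 or the Yetus code base.
# Function names are hypothetical.

# Resolve the absolute, symlink-free path of a file or directory by
# changing into the containing directory and asking the shell with
# pwd -P, instead of string-munging the caller's input or relying on
# GNU-only readlink -f / realpath.
abs_path() {
  local target=$1
  local dir base
  if [ -d "${target}" ]; then
    (cd "${target}" && pwd -P)
  else
    dir=$(dirname "${target}")
    base=$(basename "${target}")
    (cd "${dir}" && printf '%s/%s\n' "$(pwd -P)" "${base}")
  fi
}

# Locate a tool with command -v rather than which (shellcheck SC2230):
# command -v is POSIX, needs no external binary, and reliably returns
# non-zero when the tool is missing, so callers can branch on it.
find_tool() {
  command -v "$1" 2>/dev/null
}

# Portable presence check: prints 0 when the tool is on PATH, 1 otherwise,
# so the value can be captured and compared in a precommit script.
have_tool() {
  if command -v "$1" >/dev/null 2>&1; then
    echo 0
  else
    echo 1
  fi
}
```

A precommit step that wants to fail closed can call `have_tool mvn` (or `find_tool`) before invoking the build and treat a missing tool as a hard error, while `abs_path` gives a stable location for a downloaded artifact or report regardless of how the path was spelled on the command line.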
