yetus-notifications mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YETUS-441) Add a precommit check for known CVEs from dependencies
Date Tue, 24 Jul 2018 18:38:00 GMT

    [ https://issues.apache.org/jira/browse/YETUS-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16554653#comment-16554653 ]

Allen Wittenauer commented on YETUS-441:
----------------------------------------

Before I forget, one thing I didn't do but thought about was adding an entry to the test table
(the one that shows the specific tests that failed) that lists the specific bits that dep
check is complaining about.  We can either do that now or commit this and make that a followup.

> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>
>                 Key: YETUS-441
>                 URL: https://issues.apache.org/jira/browse/YETUS-441
>             Project: Yetus
>          Issue Type: New Feature
>          Components: Test Patch
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Major
>         Attachments: YETUS-441.0.patch, YETUS-441.004.patch, YETUS-441.1.patch, YETUS-441.2.patch, YETUS-441.3.patch, dependency-check-suppression.xml
>
>
> Add in a precommit test that makes use of [The OWASP Dependency Check|https://www.owasp.org/index.php/OWASP_Dependency_Check] to look for known bad dependencies.
> There's a maven plugin, ant task, and command line tool. So we should be able to build similar support to what we have for RAT.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
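The gating logic such a precommit check needs, as an added example that is not Yetus code and not the patch attached to this issue: consume an OWASP Dependency Check JSON report, honour a suppression file of the kind attached here (dependency-check-suppression.xml), fail the vote above a CVSS threshold, and emit one line per unsuppressed finding so the test table can list the specific bits the check is complaining about, as the comment above suggests. The report shape (a `dependencies` array whose entries carry `fileName`, `packages[].id` and `vulnerabilities[]` with `name`, `severity`, `cvssv3.baseScore` or `cvssv2.score`) follows the tool's JSON output; the suppression parser implements only `<cve>` plus an optional `<packageUrl>` selector, which is a simplification of the tool's own matching. The sample report, the suppression rules and every CVE identifier in them are constructed for this example.

```python
"""Precommit gate over an OWASP Dependency Check JSON report (added example).

Not Yetus's dependency-check plugin. Assumptions, labelled as such:
  - report layout as in dependency-check's --format JSON output;
  - suppression XML limited to <cve> with an optional <packageUrl> selector;
  - the failure policy is "any unsuppressed finding at or above fail_cvss".
All sample data below is constructed; the CVE ids are placeholders.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample report, shaped like dependency-check's JSON output.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-a-1.0.jar",
         "packages": [{"id": "pkg:maven/org.example/example-a@1.0"}],
         "vulnerabilities": [
             {"source": "NVD", "name": "CVE-0000-0001", "severity": "HIGH",
              "cvssv3": {"baseScore": 8.1}}]},
        {"fileName": "example-b-2.0.jar",
         "packages": [{"id": "pkg:maven/org.example/example-b@2.0"}],
         "vulnerabilities": [
             {"source": "NVD", "name": "CVE-0000-0002", "severity": "MEDIUM",
              "cvssv2": {"score": 5.0}},
             {"source": "NVD", "name": "CVE-0000-0003", "severity": "LOW"}]},
        {"fileName": "clean-lib-3.0.jar",
         "packages": [{"id": "pkg:maven/org.example/clean-lib@3.0"}]},
    ],
})

# Constructed suppression file in dependency-check's suppression XML format:
# one rule that waives CVE-0000-0002 for the example-b package only.
SAMPLE_SUPPRESSIONS = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>constructed false positive for this example</notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example-b@.*$</packageUrl>
    <cve>CVE-0000-0002</cve>
  </suppress>
</suppressions>"""

# Fallback score when a finding carries a severity label but no CVSS vector.
SEVERITY_FLOOR = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 0.1}


def _local(tag):
    """Strip the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def vuln_score(vuln):
    """Prefer the CVSSv3 base score, then CVSSv2, then the severity floor."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return SEVERITY_FLOOR.get(str(vuln.get("severity", "")).upper(), 0.0)


def load_suppressions(xml_text):
    """Parse <suppress> rules; only <cve> and <packageUrl> are honoured here."""
    rules = []
    for node in ET.fromstring(xml_text):
        if _local(node.tag) != "suppress":
            continue
        rule = {"cves": [], "purl": None, "purl_regex": False}
        for child in node:
            text = (child.text or "").strip()
            if _local(child.tag) == "cve":
                rule["cves"].append(text)
            elif _local(child.tag) == "packageUrl":
                rule["purl"] = text
                rule["purl_regex"] = child.get("regex", "false").lower() == "true"
        if rule["cves"]:  # a selector-only rule suppresses nothing in this example
            rules.append(rule)
    return rules


def is_suppressed(dep, vuln, rules):
    """True when some rule names this CVE and its package selector (if any) matches."""
    purls = [p.get("id", "") for p in dep.get("packages", [])]
    for rule in rules:
        if vuln.get("name") not in rule["cves"]:
            continue
        if rule["purl"] is None:
            return True
        if rule["purl_regex"] and any(re.match(rule["purl"], p) for p in purls):
            return True
        if not rule["purl_regex"] and rule["purl"] in purls:
            return True
    return False


def evaluate_report(report_json, suppression_xml=None, fail_cvss=7.0):
    """Split findings into failing/suppressed and build the test-table lines."""
    report = json.loads(report_json)
    rules = load_suppressions(suppression_xml) if suppression_xml else []
    findings, suppressed = [], []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            entry = {"file": dep.get("fileName"), "cve": vuln.get("name"),
                     "severity": str(vuln.get("severity", "")).upper(),
                     "score": vuln_score(vuln)}
            (suppressed if is_suppressed(dep, vuln, rules) else findings).append(entry)
    failing = [f for f in findings if f["score"] >= fail_cvss]
    table = ["dependency-check: %s %s (%s, CVSS %.1f)"
             % (f["file"], f["cve"], f["severity"], f["score"]) for f in failing]
    return {"vote": "-1" if failing else "+1", "findings": findings,
            "failing": failing, "suppressed": suppressed, "table_lines": table}


if __name__ == "__main__":
    result = evaluate_report(SAMPLE_REPORT, SAMPLE_SUPPRESSIONS)
    print(result["vote"])
    for line in result["table_lines"]:
        print(line)
```

In a real precommit run the report would come from the command line tool (for instance `dependency-check.sh --project yetus --scan . --format JSON --out target --suppression dependency-check-suppression.xml`) rather than from the constructed string, and the `table_lines` are what would be appended to the vote table so a reviewer sees the jar and CVE rather than a bare -1. Note that a suppression without a package selector waives the CVE for every dependency in the build, so the example keeps the selector and the suppressed entries in the result to make such waivers auditable.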
