
[Security] Add configuration for running OWASP Dependency Check for all modules #10288

Merged
merged 9 commits into from
Apr 21, 2021

Conversation

lhotari
Member

@lhotari lhotari commented Apr 20, 2021

Motivation

OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.

This PR adds basic configuration for the org.owasp:dependency-check-maven Maven plugin and makes it operational in the apache/pulsar project. This is a starting point. Later on, it's possible to improve this further and introduce a scheduled job to automate the checking and fail the job if a new critical or high vulnerability is detected.

Modifications

Add necessary maven profiles and configuration so that it's possible to run the dependency-check independently for all projects.

This is the way to run the dependency check for manual inspection:

```bash
# run dependency check for all projects
./build/pulsar_ci_tool.sh dependency_check
# open the html report for all modules in a browser
open target/dependency-check-report.html
# open the html report for Pulsar server distribution (excluding Presto/Pulsar SQL) in a browser
open distribution/server/target/dependency-check-report.html
```
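The description above leaves the "fail the job on critical or high findings" step for later. The script below is an added example of such a gate, not code from this PR or from the Pulsar project: it reads a dependency-check JSON report, lists every finding whose CVSS score meets a threshold (default 7.0, the lower bound of "High"), and exits non-zero if any exist. The report shape (`dependencies[].fileName`, `vulnerabilities[].name/severity/cvssv3.baseScore/cvssv2.score`) is assumed from dependency-check's JSON output, and the embedded sample report, CVE ids and jar names are constructed placeholders.

```python
import json
import sys

# Constructed sample in the shape of a dependency-check JSON report (assumed field
# names); CVE ids and jar names are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}},
             {"name": "CVE-0000-0002", "severity": "LOW", "cvssv3": {"baseScore": 3.1}},
         ]},
        {"fileName": "example-util-2.3.jar"},  # no findings, no "vulnerabilities" key
        {"fileName": "example-old-0.9.jar",
         "vulnerabilities": [
             # older entries may carry only a CVSSv2 score
             {"name": "CVE-0000-0003", "severity": "CRITICAL", "cvssv2": {"score": 10.0}},
         ]},
    ]
})


def score_of(vuln):
    """Prefer the CVSSv3 base score, fall back to CVSSv2, else treat as 0."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore") or v2.get("score") or 0.0)


def findings_at_or_above(report_text, threshold=7.0):
    """Return (fileName, cve, score) triples with score >= threshold, highest first."""
    report = json.loads(report_text)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = score_of(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(hits, key=lambda h: -h[2])


def gate(path, threshold=7.0):
    """Print qualifying findings and return a process exit code (1 = fail the job)."""
    with open(path) as f:
        hits = findings_at_or_above(f.read(), threshold)
    for file_name, cve, score in hits:
        print(f"{score:4.1f}  {cve:18s} {file_name}")
    return 1 if hits else 0


if __name__ == "__main__":
    # usage: gate_report.py target/dependency-check-report.json [threshold]
    sys.exit(gate(sys.argv[1], float(sys.argv[2]) if len(sys.argv) > 2 else 7.0))
```

A standalone gate like this is useful when the report is also kept for manual inspection or a suppression review; the plugin's own `failBuildOnCVSS` setting covers the simpler case of failing the Maven build directly.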

@lhotari
Member Author

lhotari commented Apr 20, 2021

/pulsarbot run-failure-checks

@merlimat merlimat added this to the 2.8.0 milestone Apr 20, 2021
@lhotari
Member Author

lhotari commented Apr 21, 2021

/pulsarbot run-failure-checks

@lhotari
Member Author

lhotari commented Apr 21, 2021

/pulsarbot run-failure-checks

@lhotari
Member Author

lhotari commented Apr 21, 2021

/pulsarbot run-failure-checks

@lhotari
Member Author

lhotari commented Apr 21, 2021

/pulsarbot run-failure-checks

@lhotari
Member Author

lhotari commented Apr 21, 2021

@aahmed-se please review

@merlimat merlimat merged commit 350fdab into apache:master Apr 21, 2021
lhotari added a commit to lhotari/pulsar that referenced this pull request Jun 3, 2021
…ll modules (apache#10288)

* Add owasp dependency check config

Example report:
mvn -Pskip-all,core-modules,owasp-dependency-check -pl distribution/server verify

* Make it possible to skip shading

* Make it possible to skip nar file creation

* Skip license and rat checks in skip-all profile

* Skip Docker too

* Skip tests completely

* Skip requirement of tar.gz dependency in presto-distribution

* Add bash function for running the dependency check

* Remove leftover from experiment