[Security] Add configuration for running OWASP Dependency Check for all modules #10288
Merged
Conversation
Example report: mvn -Pskip-all,core-modules,owasp-dependency-check -pl distribution/server verify
/pulsarbot run-failure-checks
/pulsarbot run-failure-checks
/pulsarbot run-failure-checks
/pulsarbot run-failure-checks
/pulsarbot run-failure-checks
@aahmed-se please review
merlimat approved these changes Apr 21, 2021
lhotari added a commit to lhotari/pulsar that referenced this pull request Jun 3, 2021
…ll modules (apache#10288)

* Add owasp dependency check config. Example report: mvn -Pskip-all,core-modules,owasp-dependency-check -pl distribution/server verify
* Make it possible to skip shading
* Make it possible to skip nar file creation
* Skip license and rat checks in skip-all profile
* Skip Docker too
* Skip tests completely
* Skip requirement of tar.gz dependency in presto-distribution
* Add bash function for running the dependency check
* Remove leftover from experiment
Motivation
OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.
This PR adds basic configuration for the org.owasp:dependency-check-maven maven plugin and makes it operational in the apache/pulsar project. This is a starting point. Later on, it's possible to improve this further and introduce a scheduled job to automate the checking and fail the job if a new critical or high vulnerability is detected.

Modifications
Add necessary maven profiles and configuration so that it's possible to run the dependency-check independently for all projects.
This is the way to run the dependency check for manual inspection:
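The description above mentions a possible follow-up job that fails when a new critical or high finding appears. As an added example that is not part of this PR or the pulsar project, the script below reads a Dependency-Check JSON report and returns a non-zero status for unallowlisted CRITICAL/HIGH findings. It assumes the report layout `dependencies[].vulnerabilities[].severity` and the default output path `target/dependency-check-report.json`; the CVE ids in the constructed sample are placeholders.

```python
"""Gate a build on an OWASP Dependency-Check JSON report (added example)."""
import json
import sys
from collections import Counter

# Severities that should fail the job; lower ones are only counted.
FAIL_ON = {"CRITICAL", "HIGH"}

# Constructed sample report; CVE-0000-* ids are placeholders, not real CVEs.
# Layout (dependencies -> vulnerabilities -> severity) is assumed to match
# the plugin's JSON format.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "lib-a-1.0.jar", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}},
            {"name": "CVE-0000-0002", "severity": "LOW", "cvssv3": {"baseScore": 3.1}},
        ]},
        {"fileName": "lib-b-2.3.jar"},  # clean dependency: no vulnerabilities key
        {"fileName": "lib-c-0.9.jar", "vulnerabilities": [
            {"name": "CVE-0000-0003", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
        ]},
    ]
})


def summarize(report_text, allowlist=frozenset()):
    """Return (severity counts, list of (file, cve, severity) that fail the gate)."""
    report = json.loads(report_text)
    counts = Counter()
    failing = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            sev = str(vuln.get("severity", "UNKNOWN")).upper()
            counts[sev] += 1
            cve = vuln.get("name", "?")
            # Allowlisted ids (reviewed, accepted risk) do not fail the build.
            if sev in FAIL_ON and cve not in allowlist:
                failing.append((dep.get("fileName", "?"), cve, sev))
    return counts, failing


def gate(report_text, allowlist=frozenset()):
    """Exit status for a CI step: 0 when nothing blocks, 1 otherwise."""
    counts, failing = summarize(report_text, allowlist)
    print("findings by severity:", dict(counts))
    for file_name, cve, sev in failing:
        print(f"BLOCKING {sev} {cve} in {file_name}")
    return 1 if failing else 0


if __name__ == "__main__":
    # Assumed default report location when the plugin's format includes JSON.
    path = sys.argv[1] if len(sys.argv) > 1 else "target/dependency-check-report.json"
    with open(path, encoding="utf-8") as fh:
        sys.exit(gate(fh.read()))
```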