Posted to issues@solr.apache.org by GitBox <gi...@apache.org> on 2023/01/18 14:25:08 UTC

[GitHub] [solr] risdenk commented on a diff in pull request #1299: SOLR-16625: Upgrade OWASP Dependency Check to 8.0.1

risdenk commented on code in PR #1299:
URL: https://github.com/apache/solr/pull/1299#discussion_r1073604042


##########
gradle/validation/owasp-dependency-check.gradle:
##########
@@ -26,9 +26,12 @@ configure(rootProject) {
   dependencyCheck {
     failBuildOnCVSS = propertyOrDefault("validation.owasp.threshold", 7) as Integer
     formats = ['ALL']
-    skipProjects = [':solr:solr-ref-guide']
+    skipProjects = [':solr:solr-ref-guide', ':solr-missing-doclet']
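Review bot: On the changed `skipProjects` line, the new entry `':solr-missing-doclet'` has no `:solr:` prefix, unlike the existing `':solr:solr-ref-guide'`. Please confirm it is the project's actual Gradle path, because an entry that matches no project would leave the skip without effect. Excluding a whole project also removes all of its dependencies from the scan, so a one-line comment above the list saying why this project is skipped would help later readers. If the only problem is a misidentified version, a suppression rule scoped to that false match would be a narrower alternative.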

Review Comment:
   `solr-missing-doclet` is a build-only dependency and keeps getting flagged as a Solr 1.0 version with lots of CVEs - this doesn't need to be checked.



##########
gradle/validation/owasp-dependency-check.gradle:
##########
@@ -26,9 +26,12 @@ configure(rootProject) {
   dependencyCheck {
     failBuildOnCVSS = propertyOrDefault("validation.owasp.threshold", 7) as Integer
     formats = ['ALL']
-    skipProjects = [':solr:solr-ref-guide']
+    skipProjects = [':solr:solr-ref-guide', ':solr-missing-doclet']
     skipConfigurations = ['unifiedClasspath', 'permitUnusedDeclared']
     suppressionFile = file("${resources}/exclusions.xml")
+    analyzers {
+      assemblyEnabled = false
+    }
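Review bot: The new `analyzers { assemblyEnabled = false }` block carries no comment, and nothing in the build file says why an analyzer is switched off. Since it applies to every run of the check, including CI, a short comment inside the block would help, stating that the repository ships no .NET assemblies and so the assembly analyzer has nothing valid to scan. That keeps the setting from looking like an accidental reduction in scan coverage.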

Review Comment:
   I have some .Net projects locally and for some reason dependency check is picking this up and trying to scan the project. Since we don't use .Net - we can disable the .Net Assembly scanner. See details here: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration.html


