Posted to issues@hbase.apache.org by "Guanghao Zhang (JIRA)" <ji...@apache.org> on 2019/02/13 03:18:00 UTC

[jira] [Updated] (HBASE-20553) Add dependency CVE checking to nightly tests

     [ https://issues.apache.org/jira/browse/HBASE-20553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guanghao Zhang updated HBASE-20553:
-----------------------------------
    Fix Version/s:     (was: 2.2.0)
                   2.3.0

> Add dependency CVE checking to nightly tests
> --------------------------------------------
>
>                 Key: HBASE-20553
>                 URL: https://issues.apache.org/jira/browse/HBASE-20553
>             Project: HBase
>          Issue Type: Umbrella
>          Components: dependencies
>    Affects Versions: 3.0.0
>            Reporter: Sean Busbey
>            Assignee: Sakthi
>            Priority: Major
>             Fix For: 3.0.0, 2.3.0
>
>
> We should proactively work to flag dependencies with known CVEs so that we can then update them early in our development instead of near a release.
> YETUS-441 is working to add a plugin for this, we should grab a copy early to make sure it works for us.
> Rough outline:
> 1. [install yetus locally|http://yetus.apache.org/downloads/]
> 2. [install the dependency-check cli|https://www.owasp.org/index.php/OWASP_Dependency_Check] (homebrew instructions on right hand margin)
> 3. Get a local copy of the OWASP datafile ({{dependency-check --updateonly --data /some/local/path/to/dir}})
> 4. Run {{hbase_nightly_yetus.sh}} using matching environment variables from the “yetus general check” (currently [line #126 in our nightly Jenkinsfile|https://github.com/apache/hbase/blob/master/dev-support/Jenkinsfile#L126])
> 5. Grab the plugin definition and suppression file from YETUS-441
> 6. Put the plugin definition either in a directory of dev-support or into the hbase-personality.sh directly
> 7. Re-run {{hbase_nightly_yetus.sh}} to verify that the plugin results show up. (Probably this will involve adding new pointers for “where is the suppression file”, “where is the OWASP datafile” and pointing them somewhere locally.)
> Once all of that is in place we’ll get the changes needed into a branch that we can test out. Over in YETUS-441 I’ll need to add a jenkins job that’ll handle periodically updating a copy of the datafile for the OWASP dependency checker. Presuming I have that in place by the time we have a nightly branch to check this out, then we’ll also need to update our nightly Jenkinsfile to fetch the data file from that job.
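The seven-step outline above, carried through as a local shell script. This is an added example, not HBase's, Yetus's or OWASP's own code: it assumes the `dependency-check` CLI is on PATH, that `DATA_DIR`, `SUPPRESSION_FILE` and `REPORT_DIR` are local paths you choose (the `dev-support/owasp-suppressions.xml` default is an assumed name, not a file in the HBase tree), that the default JSON report file name and the suppression XML schema URL are as the author understands them, and that the sample report and the `CVE-0000-000x` ids in it are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not HBase/Yetus/OWASP code. Assumptions: the dependency-check
# CLI is on PATH; DATA_DIR, SUPPRESSION_FILE and REPORT_DIR are local paths of
# your choosing; the report and suppression shapes below match dependency-check's
# JSON report and suppression schema as the author understands them.
set -u

DATA_DIR="${DATA_DIR:-$HOME/dependency-check-data}"                        # step 3 target
SUPPRESSION_FILE="${SUPPRESSION_FILE:-dev-support/owasp-suppressions.xml}"  # assumed path
REPORT_DIR="${REPORT_DIR:-target/dependency-check}"
FAIL_CVSS="${FAIL_CVSS:-7}"   # CVSS score at or above which the scan exits non-zero

# Step 3: fetch/refresh the local copy of the OWASP data file (needs network once).
update_datafile() {
  dependency-check --updateonly --data "$DATA_DIR"
}

# Scan a source/dependency tree against the local data file only (--noupdate),
# apply the suppression file and write a JSON report.
scan_tree() {
  local tree="$1"
  mkdir -p "$REPORT_DIR"
  dependency-check --project hbase --scan "$tree" --data "$DATA_DIR" --noupdate \
    --suppression "$SUPPRESSION_FILE" --format JSON --out "$REPORT_DIR" \
    --failOnCVSS "$FAIL_CVSS"
}

# Count distinct CVE ids in a JSON report (the report may be a single line, so
# match tokens rather than lines).
count_findings() {
  grep -oE '"name" *: *"CVE-[0-9]+-[0-9]+"' "$1" | sort -u | wc -l | tr -d ' '
}

# Count findings dependency-check rated HIGH or CRITICAL.
count_high_findings() {
  grep -oE '"severity" *: *"(HIGH|CRITICAL)"' "$1" | wc -l | tr -d ' '
}

# Write a suppression entry for a finding reviewed as not applicable, keyed on a
# package-URL regex so it does not silence other artifacts (suppression schema 1.3
# as the author understands it; the xmlns URL is an assumption).
write_suppression() {
  local file="$1" purl_regex="$2" cve="$3" note="$4"
  cat > "$file" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[$note]]></notes>
    <packageUrl regex="true">$purl_regex</packageUrl>
    <cve>$cve</cve>
  </suppress>
</suppressions>
EOF
}

# Constructed sample report with placeholder CVE ids, used to exercise the
# counting functions without running the scanner.
sample_report() {
  cat > "$1" <<'EOF'
{"dependencies":[
 {"fileName":"example-lib-1.0.jar","vulnerabilities":[
   {"name":"CVE-0000-0001","severity":"HIGH"},
   {"name":"CVE-0000-0002","severity":"LOW"}]},
 {"fileName":"clean-lib-2.0.jar"}]}
EOF
}

# Step 7 for a local run: refresh data, scan, summarise, and fail the job when
# anything HIGH/CRITICAL survives the suppressions.
nightly_gate() {
  local tree="$1" report
  update_datafile && scan_tree "$tree"
  report="$REPORT_DIR/dependency-check-report.json"   # assumed default report file name
  echo "findings: $(count_findings "$report"), high/critical: $(count_high_findings "$report")"
  [ "$(count_high_findings "$report")" = "0" ]
}

# Usage: ./cve-gate.sh --scan path/to/hbase   (nothing runs when invoked without --scan)
if [ "${1:-}" = "--scan" ]; then
  nightly_gate "${2:-.}"
fi
```

Keeping the suppression keyed on a package-URL regex plus a single CVE is what makes the file reviewable later: each entry says which artifact and which finding were judged not applicable and why, so a refreshed data file cannot silently widen the exemption.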



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)