Posted to dev@pulsar.apache.org by Andrey Yegorov <an...@datastax.com> on 2022/01/31 20:33:26 UTC

[PR] CI workflow to check dependencies with OWASP

Hello,

As a final step in the series of PRs to upgrade old dependencies with
various CVEs (by Nicolo and me), I added a PR that introduces an extra check on
pom.xml file changes: it will run OWASP dependency check and fail if any
CVE level >= 7 is detected.

Please review this PR https://github.com/apache/pulsar/pull/13972 and one
more pending fix from Nicolo: https://github.com/apache/pulsar/pull/13943

There is an existing workflow that runs daily but it has limited visibility
at the moment:
https://github.com/apache/pulsar/actions/workflows/ci-owasp-dependency-check.yaml
As a next step we can work on making it email the dev list when it fails
but the check on PR when pom files change will be more immediately visible.

Similar changes are pending for BookKeeper.

-- 
Andrey Yegorov
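For readers who want to see what such a PR-time gate looks like, here is an added example of a GitHub Actions workflow that runs OWASP dependency-check only when a pom.xml changes and fails on CVSS >= 7. This is illustrative code written for this thread, not the workflow from PR 13972 or the existing ci-owasp-dependency-check.yaml; the job name, branch name, JDK version, cache path and artifact step are assumptions, while the `org.owasp:dependency-check-maven` plugin and its `failBuildOnCVSS` parameter are real settings of the dependency-check Maven plugin.

```yaml
# Added example (not the Pulsar project's own workflow): run OWASP
# dependency-check on pull requests that touch any pom.xml and fail the
# check when a finding scores CVSS 7.0 or higher (High/Critical).
# Assumptions: branch name, JDK version, cache path and artifact upload are
# illustrative; plugin coordinates and failBuildOnCVSS are real plugin settings.
name: CI - OWASP dependency check on pom changes

on:
  pull_request:
    branches: [ master ]          # assumed default branch
    paths:
      - '**/pom.xml'              # only trigger when a dependency file changes

jobs:
  owasp-dependency-check:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v2

      - name: Set up JDK 11
        uses: actions/setup-java@v2
        with:
          distribution: 'temurin'
          java-version: '11'

      # Cache the NVD data the plugin downloads so each PR run does not
      # re-fetch the full vulnerability feed (path is an assumption about
      # where the plugin keeps its data under the local Maven repository).
      - name: Cache OWASP NVD database
        uses: actions/cache@v2
        with:
          path: ~/.m2/repository/org/owasp/dependency-check-data
          key: owasp-dependency-check-data-${{ github.run_id }}
          restore-keys: owasp-dependency-check-data-

      # Resolve and install every module so the plugin can see the
      # complete dependency tree of the multi-module build.
      - name: Build without tests
        run: mvn -B -ntp clean install -DskipTests

      # failBuildOnCVSS=7 makes the goal exit non-zero when any dependency
      # carries a vulnerability with CVSS >= 7, which fails this PR check.
      # 'aggregate' scans all modules of the reactor in one report.
      - name: Run OWASP dependency check
        run: mvn -B -ntp org.owasp:dependency-check-maven:aggregate -DfailBuildOnCVSS=7

      # Keep the HTML report as an artifact so reviewers can see which
      # dependency and CVE caused the failure without rerunning the scan.
      - name: Upload dependency-check report
        if: failure()
        uses: actions/upload-artifact@v2
        with:
          name: dependency-check-report
          path: '**/target/dependency-check-report.html'
```

Two design points worth noting: the `paths` filter keeps the (slow) scan off unrelated PRs while still catching every dependency change, and uploading the report on failure is what gives reviewers the visibility the daily workflow currently lacks. False positives from CPE matching can be handled with a dependency-check suppression file rather than by lowering the CVSS threshold.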

Re: [PR] CI workflow to check dependencies with OWASP

Posted by Michael Marshall <mm...@apache.org>.
Thank you for improving our process for vulnerable dependencies.

> As a next step we can work on making it email the dev list when it fails

+1 - I like this proposal. It will ensure that we have enough
visibility to remediate vulnerabilities quickly.

Thanks,
Michael

On Mon, Jan 31, 2022 at 3:07 PM Enrico Olivelli <eo...@gmail.com> wrote:
>
> Great idea
>
> I will review the PRs
>
> Thanks
> Enrico
>
>
> Il Lun 31 Gen 2022, 21:33 Andrey Yegorov <an...@datastax.com> ha
> scritto:
>
> > Hello,
> >
> > As a final step in the series of PRs to upgrade old dependencies with
> > various CVEs (by Nicolo and me), I added a PR that introduces an extra check on
> > pom.xml file changes: it will run OWASP dependency check and fail if any
> > CVE level >= 7 is detected.
> >
> > Please review this PR https://github.com/apache/pulsar/pull/13972 and one
> > more pending fix from Nicolo: https://github.com/apache/pulsar/pull/13943
> >
> > There is an existing workflow that runs daily but it has limited visibility
> > at the moment:
> >
> > https://github.com/apache/pulsar/actions/workflows/ci-owasp-dependency-check.yaml
> > As a next step we can work on making it email the dev list when it fails
> > but the check on PR when pom files change will be more immediately visible.
> >
> > Similar changes are pending for BookKeeper.
> >
> > --
> > Andrey Yegorov
> >

Re: [PR] CI workflow to check dependencies with OWASP

Posted by Enrico Olivelli <eo...@gmail.com>.
Great idea

I will review the PRs

Thanks
Enrico


Il Lun 31 Gen 2022, 21:33 Andrey Yegorov <an...@datastax.com> ha
scritto:

> Hello,
>
> As a final step in the series of PRs to upgrade old dependencies with
> various CVEs (by Nicolo and me), I added a PR that introduces an extra check on
> pom.xml file changes: it will run OWASP dependency check and fail if any
> CVE level >= 7 is detected.
>
> Please review this PR https://github.com/apache/pulsar/pull/13972 and one
> more pending fix from Nicolo: https://github.com/apache/pulsar/pull/13943
>
> There is an existing workflow that runs daily but it has limited visibility
> at the moment:
>
> https://github.com/apache/pulsar/actions/workflows/ci-owasp-dependency-check.yaml
> As a next step we can work on making it email the dev list when it fails
> but the check on PR when pom files change will be more immediately visible.
>
> Similar changes are pending for BookKeeper.
>
> --
> Andrey Yegorov
>