Posted to commits@calcite.apache.org by jh...@apache.org on 2017/10/02 21:00:05 UTC

[05/15] calcite git commit: [CALCITE-1989] Check dependencies for vulnerabilities each release

[CALCITE-1989] Check dependencies for vulnerabilities each release

Run maven with -Ppedantic to generate a vulnerability report.

Upgrade Apache Spark.


Project: http://git-wip-us.apache.org/repos/asf/calcite/repo
Commit: http://git-wip-us.apache.org/repos/asf/calcite/commit/d173640c
Tree: http://git-wip-us.apache.org/repos/asf/calcite/tree/d173640c
Diff: http://git-wip-us.apache.org/repos/asf/calcite/diff/d173640c

Branch: refs/heads/master
Commit: d173640c202238c8cb6bdb87d20ab4f3f9fcc88b
Parents: 3e97cff
Author: Julian Hyde <jh...@apache.org>
Authored: Mon Sep 18 18:00:16 2017 -0700
Committer: Julian Hyde <jh...@apache.org>
Committed: Mon Oct 2 11:13:42 2017 -0700

----------------------------------------------------------------------
 pom.xml             | 34 +++++++++++++++++++++++++++++++++-
 site/_docs/howto.md |  3 +++
 2 files changed, 36 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/calcite/blob/d173640c/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 6b76026..f459a1c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -51,6 +51,9 @@ limitations under the License.
     <version.major>1</version.major>
     <version.minor>14</version.minor>
 
+    <!-- Don't fail the build for vulnerabilities below this threshold. -->
+    <failBuildOnCVSS>8</failBuildOnCVSS>
+
     <!-- This list is in alphabetical order. -->
     <airlift-tpch.version>0.1</airlift-tpch.version>
     <avatica.version>1.10.0</avatica.version>
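Review bot: The comment on the new `failBuildOnCVSS` property says which scores are ignored but not that the value is the default used by the `pedantic` profile further down, nor how to override it; a reader who wants a report without a failing build has to discover that from the howto. Suggest widening the comment to `<!-- Fail the build for any dependency vulnerability whose CVSS score is at or above this threshold (CVSS is 0-10). Override on the command line with -DfailBuildOnCVSS=<score>; a value above 10 never fails the build. -->`, using the `-DfailBuildOnCVSS=` form that site/_docs/howto.md in this commit already documents. Whether the plugin's comparison is `>=` or `>` at exactly 8 is not visible here and is worth confirming against the plugin version pinned in this commit before committing to the wording.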
@@ -111,6 +114,7 @@ limitations under the License.
     <natty.version>0.13</natty.version>
     <opencsv.version>2.3</opencsv.version>
     <oracle-jdbc6-driver.version>11.2.0.2.0</oracle-jdbc6-driver.version>
+    <owasp-dependency-check.version>2.1.1</owasp-dependency-check.version>
     <pig.version>0.16.0</pig.version>
     <aggdesigner.version>6.0</aggdesigner.version>
     <postgresql.version>9.3-1102-jdbc3</postgresql.version>
@@ -119,7 +123,7 @@ limitations under the License.
     <scott-data-hsqldb.version>0.1</scott-data-hsqldb.version>
     <servlet.version>3.0.1</servlet.version>
     <slf4j.version>1.7.13</slf4j.version>
-    <spark.version>1.6.1</spark.version>
+    <spark.version>1.6.3</spark.version>
     <sqlline.version>1.3.0</sqlline.version>
     <xalan.version>2.7.1</xalan.version>
     <xerces.version>2.9.1</xerces.version>
@@ -840,6 +844,11 @@ limitations under the License.
           <version>${javacc-maven-plugin.version}</version>
         </plugin>
         <plugin>
+          <groupId>org.owasp</groupId>
+          <artifactId>dependency-check-maven</artifactId>
+          <version>${owasp-dependency-check.version}</version>
+        </plugin>
+        <plugin>
           <groupId>pl.project13.maven</groupId>
           <artifactId>git-commit-id-plugin</artifactId>
           <version>${git-commit-id-plugin.version}</version>
@@ -1045,5 +1054,28 @@ limitations under the License.
         </plugins>
       </build>
     </profile>
+    <profile>
+      <!-- Extra checks that are disabled in the regular build, enabled for
+      releases and on demand. -->
+      <id>pedantic</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <configuration>
+              <failBuildOnCVSS>${failBuildOnCVSS}</failBuildOnCVSS>
+            </configuration>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>check</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
   </profiles>
 </project>
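Review bot: With `<failBuildOnCVSS>` in the profile resolving to the property default of 8, `mvn -Ppedantic` alone fails the build as soon as any dependency scores 8 or higher, which does not match the two-step procedure this commit adds to howto.md (first generate a report, then run again with `-DfailBuildOnCVSS=8`). Either the property should default to a non-failing value so the first run is report-only, or the howto should say the report run needs `-DfailBuildOnCVSS=11` (or similar) and that the plain `-Ppedantic` run is the failing one. Separately, the `check` execution has no `<phase>`, so it runs only in the plugin's default phase (verify, if I recall correctly) and `mvn -Ppedantic test` will produce no report; an explicit `<phase>verify</phase>` under `<execution>` would make that visible. Note also that the plugin refreshes vulnerability data from the network, so this profile is unlikely to be usable offline; a sentence on that in the profile comment would save a release manager some confusion.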

http://git-wip-us.apache.org/repos/asf/calcite/blob/d173640c/site/_docs/howto.md
----------------------------------------------------------------------
diff --git a/site/_docs/howto.md b/site/_docs/howto.md
index 1a6b27e..26744dd 100644
--- a/site/_docs/howto.md
+++ b/site/_docs/howto.md
@@ -436,6 +436,9 @@ Before you start:
 * Make sure build and tests succeed, including with `-P it,it-oracle`.
 * Make sure that `mvn javadoc:javadoc javadoc:test-javadoc` succeeds
   (i.e. gives no errors; warnings are OK)
+* Generate a report of vulnerabilities that occur among dependencies,
+  using `-Ppedantic`; if you like, run again with `-DfailBuildOnCVSS=8` to see
+  whether serious vulnerabilities exist.
 * Make sure that `mvn apache-rat:check` succeeds. (It will be run as part of
   the release, but it's better to trouble-shoot early.)
 * Decide the supported configurations of JDK, operating system and