Posted to commits@calcite.apache.org by jh...@apache.org on 2017/10/02 21:00:05 UTC
[05/15] calcite git commit: [CALCITE-1989] Check dependencies for
vulnerabilities each release
[CALCITE-1989] Check dependencies for vulnerabilities each release
Run maven with -Ppedantic to generate a vulnerability report.
Upgrade Apache Spark.
Project: http://git-wip-us.apache.org/repos/asf/calcite/repo
Commit: http://git-wip-us.apache.org/repos/asf/calcite/commit/d173640c
Tree: http://git-wip-us.apache.org/repos/asf/calcite/tree/d173640c
Diff: http://git-wip-us.apache.org/repos/asf/calcite/diff/d173640c
Branch: refs/heads/master
Commit: d173640c202238c8cb6bdb87d20ab4f3f9fcc88b
Parents: 3e97cff
Author: Julian Hyde <jh...@apache.org>
Authored: Mon Sep 18 18:00:16 2017 -0700
Committer: Julian Hyde <jh...@apache.org>
Committed: Mon Oct 2 11:13:42 2017 -0700
----------------------------------------------------------------------
pom.xml | 34 +++++++++++++++++++++++++++++++++-
site/_docs/howto.md | 3 +++
2 files changed, 36 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/calcite/blob/d173640c/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 6b76026..f459a1c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -51,6 +51,9 @@ limitations under the License.
<version.major>1</version.major>
<version.minor>14</version.minor>
+ <!-- Don't fail the build for vulnerabilities below this threshold. -->
+ <failBuildOnCVSS>8</failBuildOnCVSS>
+
<!-- This list is in alphabetical order. -->
<airlift-tpch.version>0.1</airlift-tpch.version>
<avatica.version>1.10.0</avatica.version>
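Review bot: The default of 8 in `failBuildOnCVSS` contradicts the howto text added in the same commit, which tells the releaser to generate the report with `-Ppedantic` and only "run again with -DfailBuildOnCVSS=8" to see whether serious findings exist; with 8 already the default, the first run is already the failing run and the second is identical. If the intended default is report-only, the property should be the plugin's never-fail value (CVSS is scored 0–10, so the documented default 11 never trips), with the 8 left to the explicit command-line override: `<!-- CVSS score at or above which dependency-check fails the build; 11 (above the 0-10 scale) reports only. Override with -DfailBuildOnCVSS=8 to gate a release. -->` and `<failBuildOnCVSS>11</failBuildOnCVSS>`. If instead the build is meant to fail at 8 by default, the "run again" sentence in site/_docs/howto.md should be dropped so the two agree. Either way the comment on the property would read better stated as what the value does rather than as a negative.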
@@ -111,6 +114,7 @@ limitations under the License.
<natty.version>0.13</natty.version>
<opencsv.version>2.3</opencsv.version>
<oracle-jdbc6-driver.version>11.2.0.2.0</oracle-jdbc6-driver.version>
+ <owasp-dependency-check.version>2.1.1</owasp-dependency-check.version>
<pig.version>0.16.0</pig.version>
<aggdesigner.version>6.0</aggdesigner.version>
<postgresql.version>9.3-1102-jdbc3</postgresql.version>
@@ -119,7 +123,7 @@ limitations under the License.
<scott-data-hsqldb.version>0.1</scott-data-hsqldb.version>
<servlet.version>3.0.1</servlet.version>
<slf4j.version>1.7.13</slf4j.version>
- <spark.version>1.6.1</spark.version>
+ <spark.version>1.6.3</spark.version>
<sqlline.version>1.3.0</sqlline.version>
<xalan.version>2.7.1</xalan.version>
<xerces.version>2.9.1</xerces.version>
@@ -840,6 +844,11 @@ limitations under the License.
<version>${javacc-maven-plugin.version}</version>
</plugin>
<plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${owasp-dependency-check.version}</version>
+ </plugin>
+ <plugin>
<groupId>pl.project13.maven</groupId>
<artifactId>git-commit-id-plugin</artifactId>
<version>${git-commit-id-plugin.version}</version>
@@ -1045,5 +1054,28 @@ limitations under the License.
</plugins>
</build>
</profile>
+ <profile>
+ <!-- Extra checks that are disabled in the regular build, enabled for
+ releases and on demand. -->
+ <id>pedantic</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <failBuildOnCVSS>${failBuildOnCVSS}</failBuildOnCVSS>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
</profiles>
</project>
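Review bot: The profile comment says the checks are "enabled for releases", but the profile has no `<activation>` element in this hunk, so nothing enables it automatically; it only runs when someone passes `-Ppedantic`, which is what the howto change asks for. Suggest wording the comment to match: `<!-- Extra checks not run in the regular build. Activate explicitly with -Ppedantic, e.g. before a release. -->`. The `check` goal is left without an explicit `<phase>`, which is fine as long as the plugin's default binding is relied on; pinning the phase would make the profile self-describing. The scan also needs network access to refresh vulnerability data, which is worth a sentence in the howto for anyone running the release steps offline.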
http://git-wip-us.apache.org/repos/asf/calcite/blob/d173640c/site/_docs/howto.md
----------------------------------------------------------------------
diff --git a/site/_docs/howto.md b/site/_docs/howto.md
index 1a6b27e..26744dd 100644
--- a/site/_docs/howto.md
+++ b/site/_docs/howto.md
@@ -436,6 +436,9 @@ Before you start:
* Make sure build and tests succeed, including with `-P it,it-oracle`.
* Make sure that `mvn javadoc:javadoc javadoc:test-javadoc` succeeds
(i.e. gives no errors; warnings are OK)
+* Generate a report of vulnerabilities that occur among dependencies,
+ using `-Ppedantic`; if you like, run again with `-DfailBuildOnCVSS=8` to see
+ whether serious vulnerabilities exist.
* Make sure that `mvn apache-rat:check` succeeds. (It will be run as part of
the release, but it's better to trouble-shoot early.)
* Decide the supported configurations of JDK, operating system and