Posted to issues@impala.apache.org by "Csaba Ringhofer (Jira)" <ji...@apache.org> on 2021/02/23 21:07:01 UTC

[jira] [Created] (IMPALA-10543) Add tool to check for CVEs among dependencies

Csaba Ringhofer created IMPALA-10543:
----------------------------------------

             Summary: Add tool to check for CVEs among dependencies
                 Key: IMPALA-10543
                 URL: https://issues.apache.org/jira/browse/IMPALA-10543
             Project: IMPALA
          Issue Type: Improvement
          Components: Infrastructure
            Reporter: Csaba Ringhofer


Tried dependency-check-maven and it seems very easy to use:
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html

Most of the issues it found seemed to be false positives or irrelevant for Impala, but it can still be useful to run it after adding new dependencies in maven.

Integrating it could look like this:
1. add the plugin to java/pom.xml to make running it a one line command
2. add a suppressions.xml to suppress known issues
3. potentially create a job that runs it automatically



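A concrete shape for steps 1 and 2 above, as an added example rather than anything from the Impala repository: a pom.xml plugin entry that points at a suppressions file and fails the build above a CVSS threshold, plus a suppressions.xml entry that records why a finding is accepted. The plugin version, the CVSS threshold, the package URL pattern and the CVE id are placeholders or assumptions, not values from the page.

```xml
<!-- java/pom.xml (fragment, added example): runs on `mvn verify` or explicitly via
     `mvn org.owasp:dependency-check-maven:check` -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>PLUGIN_VERSION_PLACEHOLDER</version> <!-- placeholder: pick a current release -->
      <configuration>
        <!-- keep reviewed suppressions next to the pom so they go through code review too -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- assumed threshold: fail the build only for high/critical findings (CVSS >= 7.0) -->
        <failBuildOnCVSS>7.0</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

<!-- suppressions.xml (added example): one entry per accepted finding, reason recorded in <notes> -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      Placeholder: state why the finding does not apply, e.g. the vulnerable code path is not reachable
      from Impala, and who reviewed it.
    ]]></notes>
    <!-- placeholder coordinates; matching on the Package URL keeps the suppression scoped to
         this artifact instead of hiding the CVE everywhere -->
    <packageUrl regex="true">^pkg:maven/example\.group/example\-artifact@.*$</packageUrl>
    <cve>CVE-0000-00000</cve>
  </suppress>
</suppressions>
```

Scoping each suppression to a package URL and a single CVE means a newly added dependency with the same CVE still fails the build, which is the case the issue wants to catch.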