Posted to issues@lucene.apache.org by GitBox <gi...@apache.org> on 2019/12/25 00:39:07 UTC

[GitHub] [lucene-solr] janhoy opened a new pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

janhoy opened a new pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121
 
 
   PR against gradle-master branch to add owasp dependency checker plugin.
   See https://issues.apache.org/jira/browse/SOLR-11207

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org


[GitHub] [lucene-solr] dweiss commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
dweiss commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r370278321
 
 

 ##########
 File path: gradle/validation/dependency-check.gradle
 ##########
 @@ -0,0 +1,14 @@
+// This adds OWASP vulnerability validation of project dependencies
+// Not part of 'check' task by default, must be called explicitly, e.g. gradlew dependencyCheckAnalyze
+// Start build with -Pvalidation.owasp.fail=true to fail build on owasp errors (CVSS >= 7)
+// Start build with -Pvalidation.owasp.skip=true to skip OWASP checks during 'check' phase
+
+dependencyCheck {
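Review bot: the header comments in this hunk contradict each other: the second line says the task is not part of 'check' and must be called explicitly, while the fourth documents `-Pvalidation.owasp.skip=true` to skip it "during 'check' phase"; settle on one model and document only the properties that have an effect. The `dependencyCheck { ... }` block also sits at script top level, so it configures only the project this script is applied from; wrapping it in `configure(rootProject) { ... }` would make that scope explicit.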
 
 Review comment:
   You can try to run gradlew -p lucene/core ... and see what happens. :)
   If it's just applicable to the root project (which it may be) then I'd wrap it in a configure(rootProject) { ... } closure so that it's explicit in the code.



[GitHub] [lucene-solr] janhoy commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
janhoy commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#issuecomment-578346092
 
 
   Documentation added to workflow.txt
   File renamed to owasp-dependency-check
   Task included in 'check' by default, but skipped since property `-Pvalidation.owasp=[true|false]` defaults to false for now.
   Caller can choose to override cvss threshold with `-Pvalidation.owasp.threshold=<int>`



[GitHub] [lucene-solr] risdenk commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
risdenk commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r361818552
 
 

 ##########
 File path: gradle/validation/dependency-check.gradle
 ##########
 @@ -0,0 +1,12 @@
+// This adds OWASP vulnerability validation of project dependencies
+
+// This should be false only for debugging.
+def failOnError = true
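Review bot: `def failOnError = true` hard-codes build failure into the script, so a developer who only wants the report has to edit the file; read it from a project property with a documented default instead, e.g. `def failOnError = Boolean.parseBoolean((findProperty('validation.owasp.fail') ?: 'false').toString())`, and state that default in the header comment rather than "should be false only for debugging".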
 
 Review comment:
   It might make sense to set this to false to get this into the gradle-master build and then once merged to master change the default.
   
   I personally find failing the build on OWASP errors can be really frustrating with new CVEs out all the time. I like to see the warnings/errors but not fail the build. This depends on the severity of the CVE as well sometimes.



[GitHub] [lucene-solr] dweiss commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
dweiss commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r370273915
 
 

 ##########
 File path: gradle/validation/dependency-check.gradle
 ##########
 @@ -0,0 +1,14 @@
+// This adds OWASP vulnerability validation of project dependencies
+// Not part of 'check' task by default, must be called explicitly, e.g. gradlew dependencyCheckAnalyze
+// Start build with -Pvalidation.owasp.fail=true to fail build on owasp errors (CVSS >= 7)
+// Start build with -Pvalidation.owasp.skip=true to skip OWASP checks during 'check' phase
+
+dependencyCheck {
 
 Review comment:
   Does it automatically hook to all projects or is it configured for root project only? 



[GitHub] [lucene-solr] dweiss commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
dweiss commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r370273536
 
 

 ##########
 File path: build.gradle
 ##########
 @@ -58,6 +59,7 @@ apply from: file('gradle/validation/versions-props-sorted.gradle')
 apply from: file('gradle/validation/validate-source-patterns.gradle')
 apply from: file('gradle/validation/config-file-sanity.gradle')
 apply from: file('gradle/validation/rat-sources.gradle')
+apply from: file('gradle/validation/dependency-check.gradle')
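Review bot: the applied script configures the `dependencyCheck` extension, so this `apply from:` line only works if the dependency-check plugin is on the buildscript classpath and applied before it runs; the hunk does not show where that happens, so either confirm the ordering in build.gradle or have the script apply the plugin itself so it stays self-contained like the other validation scripts listed above it.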
 
 Review comment:
   Perhaps change the name to "owasp-dependency-check" so that it's distinctly different from other dependency checks (there are some -- checksums, licenses, etc.)?



[GitHub] [lucene-solr] dweiss commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
dweiss commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#issuecomment-568923921
 
 
   This looks good to me, Jan. The only question is whether we want to include it now or later -- the dependencies are something still being worked on?...



[GitHub] [lucene-solr] janhoy commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r370888355
 
 

 ##########
 File path: gradle/validation/dependency-check.gradle
 ##########
 @@ -0,0 +1,14 @@
+// This adds OWASP vulnerability validation of project dependencies
+// Not part of 'check' task by default, must be called explicitly, e.g. gradlew dependencyCheckAnalyze
+// Start build with -Pvalidation.owasp.fail=true to fail build on owasp errors (CVSS >= 7)
+// Start build with -Pvalidation.owasp.skip=true to skip OWASP checks during 'check' phase
+
+dependencyCheck {
 
 Review comment:
   > Task 'dependencyCheckAnalyze' not found in project ':lucene:core'.
   
   Will wrap it



[GitHub] [lucene-solr] janhoy commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
janhoy commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#issuecomment-577445219
 
 
   Updated the PR for master.
   
   I have not enabled OWASP as part of 'check' yet, mainly due to the large initial download that it must do, and the fact that we should first exclude false positives and fix real vulnerabilities, so that warnings actually flag something developers should look into.
   
   So you run it with `gradlew dependencyCheckAnalyze` for a report. Supported gradle properties are: `validation.owasp.fail=true` to fail the build on a CVSS score >= 7. This is for Jenkins to use. `validation.owasp.skip=true` to skip the task. This will only make sense when we make it part of check task by default, as a way to disable owasp since it requires internet access and is heavy.

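As an added example (not the PR's own script), this is one way to wire the properties described in this comment, and the later `validation.owasp=[true|false]` / `validation.owasp.threshold=<int>` design from the follow-up comment, into a root-project-only Gradle script. It assumes the org.owasp.dependencycheck plugin is already applied to the root project; the suppression-file path is a hypothetical placeholder.

```groovy
// Added example, not the PR's own script: wires the OWASP dependency-check
// plugin to the Gradle properties discussed in this thread, root project only.
// Assumes the org.owasp.dependencycheck plugin is already applied to rootProject.
configure(rootProject) {
  // -Pvalidation.owasp=true turns the check on; default off, because the first
  // run needs a large NVD download and internet access.
  def owaspEnabled = Boolean.parseBoolean(
      (findProperty('validation.owasp') ?: 'false').toString())
  // -Pvalidation.owasp.threshold=<int> overrides the CVSS score that fails the
  // build; 7 (CVSS "high") is the default used in the PR.
  def owaspThreshold = (findProperty('validation.owasp.threshold') ?: '7')
      .toString().toInteger()

  dependencyCheck {
    // Keep the NVD CVE/CPE data current; a frozen local copy silently misses
    // CVEs published after the first download.
    autoUpdate = true
    // Plugin setting: fail when any finding's CVSS score is >= this value.
    // 11 is the plugin's "never fail" default, used while the check is disabled.
    failBuildOnCVSS = (owaspEnabled ? owaspThreshold : 11) as Float
    // Hypothetical path (assumption): reviewed false positives go here so that
    // remaining findings are ones developers should actually look into.
    def suppressions = file('gradle/validation/owasp-suppressions.xml')
    if (suppressions.exists()) {
      suppressionFile = suppressions.path
    }
  }

  // Only enabled builds pull dependencyCheckAnalyze into 'check'; a plain
  // 'gradlew dependencyCheckAnalyze' still produces the report on demand.
  if (owaspEnabled) {
    tasks.named('check') {
      dependsOn 'dependencyCheckAnalyze'
    }
  }
}
```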


[GitHub] [lucene-solr] dweiss commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
dweiss commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r361869978
 
 

 ##########
 File path: gradle/validation/dependency-check.gradle
 ##########
 @@ -0,0 +1,12 @@
+// This adds OWASP vulnerability validation of project dependencies
+
+// This should be false only for debugging.
+def failOnError = true
 
 Review comment:
   It can be a property. Then you can only warn on default builds but have it fail the build if requested ("-Pvalidation.failOn=owasp,..."). A CI job could run these so that we get a warning.



[GitHub] [lucene-solr] janhoy commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r369871709
 
 

 ##########
 File path: gradle/validation/dependency-check.gradle
 ##########
 @@ -0,0 +1,12 @@
+// This adds OWASP vulnerability validation of project dependencies
+
+// This should be false only for debugging.
+def failOnError = true
 
 Review comment:
   It is now configurable with -Pvalidation.owasp.fail=true (default not fail)



[GitHub] [lucene-solr] dweiss commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
dweiss commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r361869974
 
 

 ##########
 File path: gradle/validation/dependency-check.gradle
 ##########
 @@ -0,0 +1,12 @@
+// This adds OWASP vulnerability validation of project dependencies
+
+// This should be false only for debugging.
+def failOnError = true
 
 Review comment:
   It can be a property. Then you can only warn on default builds but have it fail the build if requested ("-Pvalidation.failOn=owasp,..."). A CI job could run these so that we get a warning.



[GitHub] [lucene-solr] dweiss commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
dweiss commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#issuecomment-577800416
 
 
   I think it should just fail if enabled. Then it'd be a single property: "validation.owasp=[true|false]"?



[GitHub] [lucene-solr] janhoy commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
janhoy commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r370276649
 
 

 ##########
 File path: gradle/validation/dependency-check.gradle
 ##########
 @@ -0,0 +1,14 @@
+// This adds OWASP vulnerability validation of project dependencies
+// Not part of 'check' task by default, must be called explicitly, e.g. gradlew dependencyCheckAnalyze
+// Start build with -Pvalidation.owasp.fail=true to fail build on owasp errors (CVSS >= 7)
+// Start build with -Pvalidation.owasp.skip=true to skip OWASP checks during 'check' phase
+
+dependencyCheck {
 
 Review comment:
   I don’t know. Have not tested other than root.





[GitHub] [lucene-solr] janhoy commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
janhoy commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#issuecomment-577786859
 
 
   We could have a validation.owasp.threshold as alternative to the “fail” prop, to decide on what CVSS score to fail the build. Now it is hard coded to 7.



[GitHub] [lucene-solr] janhoy commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
janhoy commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#issuecomment-578446398
 
 
   Thanks Dawid. 



[GitHub] [lucene-solr] risdenk commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
risdenk commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r361818500
 
 

 ##########
 File path: gradle/validation/dependency-check.gradle
 ##########
 @@ -0,0 +1,12 @@
+// This adds OWASP vulnerability validation of project dependencies
+
+// This should be false only for debugging.
+def failOnError = true
+
+dependencyCheck {
+  autoUpdate=false
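Review bot: `autoUpdate=false` freezes whatever NVD CVE/CPE data was fetched on the first run, so later scans silently miss CVEs published after that point and the report gives false confidence; keep the plugin's default of auto-updating, or, if download cost on developer machines is the concern, document how and how often the data is refreshed on CI so the "fail" mode is checking against current data.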
 
 Review comment:
   Why not `autoUpdate=true`? I think this is for auto updating the definitions.
   
   From https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration.html
   
   ```
   Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false.
   ```



[GitHub] [lucene-solr] dweiss merged pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
dweiss merged pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121
 
 
   



[GitHub] [lucene-solr] janhoy commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
janhoy commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#issuecomment-568924313
 
 
   Sure, we can include it closer to master merge.



[GitHub] [lucene-solr] dweiss commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build

Posted by GitBox <gi...@apache.org>.
dweiss commented on issue #1121: SOLR-11207: Add OWASP dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#issuecomment-578443878
 
 
   Thanks Jan. I'll merge it in tomorrow, have a day off.
