Posted to commits@apex.apache.org by pr...@apache.org on 2017/12/01 15:11:38 UTC

[apex-core] branch master updated: APEXCORE-790 Enforce dependency analysis for CVE in CI builds

This is an automated email from the ASF dual-hosted git repository.

pramod pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apex-core.git


The following commit(s) were added to refs/heads/master by this push:
     new b6e4333  APEXCORE-790 Enforce dependency analysis for CVE in CI builds
b6e4333 is described below

commit b6e4333c2ed60364071906ac3b07c6630e3664cb
Author: Vlad Rozov <vr...@apache.org>
AuthorDate: Tue Oct 17 08:24:31 2017 -0700

    APEXCORE-790 Enforce dependency analysis for CVE in CI builds
---
 .travis.yml                    |  2 +-
 dependency-check-whitelist.xml | 23 +++++++++++++++++++++++
 pom.xml                        | 37 ++++++++++++++++++++++++++++++++++---
 3 files changed, 58 insertions(+), 4 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index fbae091..17d63e4 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -18,7 +18,7 @@ language: java
 jdk:
   - openjdk7
 
-script: mvn apache-rat:check verify -Dlicense.skip=false -Dtravis=true
+script: mvn apache-rat:check verify -Dlicense.skip=false -Dtravis=true && mvn dependency-check:check -Ddependency.check.showSummary=false
 
 notifications:
   slack:
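Review bot: The new `script:` line passes `-Ddependency.check.showSummary=false`, so when `dependency-check:check` fails the build the Travis log only records that the CVSS threshold was exceeded, while the offending artifact and CVE identifiers land in a report under `target/` that is discarded with the container. Dropping the override lets the pom's `dependency.check.showSummary=true` print the findings where a contributor can actually see them: `script: mvn apache-rat:check verify -Dlicense.skip=false -Dtravis=true && mvn dependency-check:check`. The goal also refreshes the NVD data on every run, so a `cache: directories:` entry for the directory where 3.0.2 keeps that data (presumably under the local Maven repository, worth confirming) would reduce failures caused by transient download problems rather than by real findings.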
diff --git a/dependency-check-whitelist.xml b/dependency-check-whitelist.xml
new file mode 100644
index 0000000..700c986
--- /dev/null
+++ b/dependency-check-whitelist.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+</suppressions>
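Review bot: The new suppressions file is the one place where a reported CVE can be silenced, yet it gives a contributor no guidance on how a suppression must be written, so the first entry added under pressure to unblock CI will set the precedent. Add a comment inside the root element stating the policy, e.g. `<!-- Each <suppress> must match a specific artifact (sha1, or an exact packageUrl/cpe), carry a <notes> element with the justification and ticket, and set until="YYYY-MM-DD" so the exception expires; broad filePath regexes are not accepted. -->`. The `until` attribute appears to be part of the 1.1 suppression schema referenced here, which is what makes a time-boxed exception possible, but confirm against the plugin version in use.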
diff --git a/pom.xml b/pom.xml
index ff91946..a5ddc4b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -116,7 +116,9 @@
     <license.skip>true</license.skip>
     <findbugs.xmlOutput>true</findbugs.xmlOutput>
     <findbugs.failOnError>false</findbugs.failOnError>
-    <findbugs.skip>false</findbugs.skip>
+    <dependency.check.failBuildOnCVSS>8</dependency.check.failBuildOnCVSS>
+    <dependency.check.showSummary>true</dependency.check.showSummary>
+    <dependency.check.whitelist>${project.basedir}/../dependency-check-whitelist.xml</dependency.check.whitelist>
     <postNoticeText>The initial developer of the original code is&#xA;DataTorrent, Inc. (http://www.datatorrent.com)&#xA;Copyright (c) 2012 - 2015. All Rights Reserved.</postNoticeText>
   </properties>
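Review bot: `dependency.check.failBuildOnCVSS` is set to 8, which sits above the 7.0 lower bound of the CVSS "High" band, so a dependency carrying a 7.5-scored vulnerability (a very common score for remotely exploitable issues) is reported but does not fail the build, contrary to what the commit title suggests. Lowering it to the band boundary makes the gate match the stated intent: `<dependency.check.failBuildOnCVSS>7</dependency.check.failBuildOnCVSS>`. Separately, `dependency.check.whitelist` resolves to `${project.basedir}/../dependency-check-whitelist.xml`, which only points at the repository root for modules nested exactly one level deep; a deeper module would pick up a non-existent path, so a property defined in terms of the root module or `${maven.multiModuleProjectDirectory}` (available on the Maven versions this build presumably requires, to be confirmed) would be more robust.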
 
@@ -260,17 +262,24 @@
           <includeTests>true</includeTests>
           <xmlOutput>${findbugs.xmlOutput}</xmlOutput>
           <failOnError>${findbugs.failOnError}</failOnError>
-          <skip>${findbugs.skip}</skip>
         </configuration>
         <executions>
           <execution>
-            <phase></phase>
+            <phase/>
             <goals>
               <goal>check</goal>
             </goals>
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <inherited>false</inherited>
+        <configuration>
+          <skip>true</skip>
+        </configuration>
+      </plugin>
     </plugins>
     <pluginManagement>
       <plugins>
@@ -455,6 +464,28 @@
             </execution>
           </executions>
         </plugin>
+        <plugin>
+          <groupId>org.owasp</groupId>
+          <artifactId>dependency-check-maven</artifactId>
+          <version>3.0.2</version>
+          <configuration>
+            <failBuildOnCVSS>${dependency.check.failBuildOnCVSS}</failBuildOnCVSS>
+            <showSummary>${dependency.check.showSummary}</showSummary>
+            <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+            <skipProvidedScope>true</skipProvidedScope>
+            <skipRuntimeScope>true</skipRuntimeScope>
+            <skipSystemScope>true</skipSystemScope>
+            <suppressionFiles>${dependency.check.whitelist}</suppressionFiles>
+          </configuration>
+          <executions>
+            <execution>
+              <phase/>
+              <goals>
+                <goal>check</goal>
+              </goals>
+            </execution>
+          </executions>
+        </plugin>
       </plugins>
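Review bot: `<skipRuntimeScope>true</skipRuntimeScope>` excludes runtime-scoped dependencies from the scan even though those artifacts are packaged and loaded by the deployed application exactly like compile-scoped ones, so a vulnerable runtime-only library passes the gate unnoticed. Set it to `<skipRuntimeScope>false</skipRuntimeScope>`; skipping `provided` and `system` scope is defensible on the grounds that the hosting platform supplies those jars, and a one-line comment recording that reasoning next to the two remaining skips would stop the next reader from assuming the omission is accidental. The `<phase/>` binding means the check only runs when invoked explicitly, which is presumably intentional given the separate CI command, but a short comment to that effect would help as well.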
     </pluginManagement>
     <extensions>
