Posted to commits@apex.apache.org by pr...@apache.org on 2017/12/01 15:11:38 UTC
[apex-core] branch master updated: APEXCORE-790 Enforce dependency
analysis for CVE in CI builds
This is an automated email from the ASF dual-hosted git repository.
pramod pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apex-core.git
The following commit(s) were added to refs/heads/master by this push:
new b6e4333 APEXCORE-790 Enforce dependency analysis for CVE in CI builds
b6e4333 is described below
commit b6e4333c2ed60364071906ac3b07c6630e3664cb
Author: Vlad Rozov <vr...@apache.org>
AuthorDate: Tue Oct 17 08:24:31 2017 -0700
APEXCORE-790 Enforce dependency analysis for CVE in CI builds
---
.travis.yml | 2 +-
dependency-check-whitelist.xml | 23 +++++++++++++++++++++++
pom.xml | 37 ++++++++++++++++++++++++++++++++++---
3 files changed, 58 insertions(+), 4 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index fbae091..17d63e4 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -18,7 +18,7 @@ language: java
jdk:
- openjdk7
-script: mvn apache-rat:check verify -Dlicense.skip=false -Dtravis=true
+script: mvn apache-rat:check verify -Dlicense.skip=false -Dtravis=true && mvn dependency-check:check -Ddependency.check.showSummary=false
notifications:
slack:
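Review bot: The `-Ddependency.check.showSummary=false` override on the new script line hides the only output Travis retains: when the check fails on the `failBuildOnCVSS` threshold the console log will show the failure but not which artifact or CVE caused it, and the HTML report under each module's build directory is not archived by this configuration. Consider dropping the override so CI inherits the pom's `showSummary` default, or adding an `after_failure` step that prints the report location. The second `mvn` invocation also needs to download the NVD data on every run; caching the plugin's data directory via the Travis cache would keep the build time stable, though I cannot tell from this hunk whether a cache section already exists elsewhere in the file.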
diff --git a/dependency-check-whitelist.xml b/dependency-check-whitelist.xml
new file mode 100644
index 0000000..700c986
--- /dev/null
+++ b/dependency-check-whitelist.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+</suppressions>
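Review bot: The suppression file is created empty with no convention for how future entries are to be documented, so the first suppression added will set the standard. A comment inside the root element would make the expectation explicit, e.g. `<!-- Each <suppress> entry must include a <notes> element stating the CVE, why it does not apply to this project, and who reviewed it; suppressions are revisited on each dependency-check plugin upgrade. -->`. Keeping the justification in the file rather than in commit messages lets the CI-enforced whitelist be audited on its own.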
diff --git a/pom.xml b/pom.xml
index ff91946..a5ddc4b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -116,7 +116,9 @@
<license.skip>true</license.skip>
<findbugs.xmlOutput>true</findbugs.xmlOutput>
<findbugs.failOnError>false</findbugs.failOnError>
- <findbugs.skip>false</findbugs.skip>
+ <dependency.check.failBuildOnCVSS>8</dependency.check.failBuildOnCVSS>
+ <dependency.check.showSummary>true</dependency.check.showSummary>
+ <dependency.check.whitelist>${project.basedir}/../dependency-check-whitelist.xml</dependency.check.whitelist>
<postNoticeText>The initial developer of the original code is
DataTorrent, Inc. (http://www.datatorrent.com)
Copyright (c) 2012 - 2015. All Rights Reserved.</postNoticeText>
</properties>
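Review bot: The whitelist path `${project.basedir}/../dependency-check-whitelist.xml` on the added `dependency.check.whitelist` property only resolves correctly for modules that sit exactly one directory below the root; any module nested deeper, or the root itself, would point at a non-existent file and the plugin would fail or silently analyse without the suppressions. If the build runs on Maven 3.3.1 or later, `${maven.multiModuleProjectDirectory}/dependency-check-whitelist.xml` resolves to the reactor root regardless of module depth. The `failBuildOnCVSS` value of `8` also deserves a one-line comment recording the policy, since it lets CVSS 7.x findings through without failing the build, e.g. `<!-- fail only on critical findings (CVSS >= 8); high/medium findings appear in the report but do not break the build -->`.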
@@ -260,17 +262,24 @@
<includeTests>true</includeTests>
<xmlOutput>${findbugs.xmlOutput}</xmlOutput>
<failOnError>${findbugs.failOnError}</failOnError>
- <skip>${findbugs.skip}</skip>
</configuration>
<executions>
<execution>
- <phase></phase>
+ <phase/>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <inherited>false</inherited>
+ <configuration>
+ <skip>true</skip>
+ </configuration>
+ </plugin>
</plugins>
<pluginManagement>
<plugins>
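Review bot: The root-level `dependency-check-maven` entry with `<inherited>false</inherited>` and `<skip>true</skip>` has no comment explaining its purpose, and the interaction with the `pluginManagement` entry later in the file is not obvious to a reader. Presumably the intent is that the root aggregator is skipped while child modules pick up the managed configuration when `dependency-check:check` is invoked from the command line; a comment such as `<!-- skip the aggregator itself; child modules run the check via the pluginManagement configuration -->` would record that. The enclosing `<plugins>` element continues beyond this hunk.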
@@ -455,6 +464,28 @@
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>3.0.2</version>
+ <configuration>
+ <failBuildOnCVSS>${dependency.check.failBuildOnCVSS}</failBuildOnCVSS>
+ <showSummary>${dependency.check.showSummary}</showSummary>
+ <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+ <skipProvidedScope>true</skipProvidedScope>
+ <skipRuntimeScope>true</skipRuntimeScope>
+ <skipSystemScope>true</skipSystemScope>
+ <suppressionFiles>${dependency.check.whitelist}</suppressionFiles>
+ </configuration>
+ <executions>
+ <execution>
+ <phase/>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</pluginManagement>
<extensions>
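Review bot: `<skipRuntimeScope>true</skipRuntimeScope>` excludes runtime-scope dependencies from the analysis, yet runtime-scope jars are packaged with and loaded by the application, so a vulnerable runtime dependency would pass CI unnoticed; skipping `provided` and `system` scope is defensible for container-supplied jars, but runtime scope should be analysed unless the project's runtime dependencies are known to be supplied externally, which this hunk does not show. If the exclusion is deliberate, a comment on that line stating the reason would keep the gap visible to the next maintainer. The `<phase/>` binding means the check only runs when invoked explicitly, which matches the `.travis.yml` change in this commit, but a comment noting that would help readers of the pom alone.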