You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@flink.apache.org by "Chesnay Schepler (JIRA)" <ji...@apache.org> on 2019/04/17 14:21:00 UTC

[jira] [Updated] (FLINK-12119) Add OWASP Dependency Check

     [ https://issues.apache.org/jira/browse/FLINK-12119?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chesnay Schepler updated FLINK-12119:
-------------------------------------
    Summary: Add OWASP Dependency Check  (was: Add OWASP Dependency Check to Flink Build)

> Add OWASP Dependency Check
> --------------------------
>
>                 Key: FLINK-12119
>                 URL: https://issues.apache.org/jira/browse/FLINK-12119
>             Project: Flink
>          Issue Type: Improvement
>          Components: Build System
>            Reporter: Konstantin Knauf
>            Assignee: Konstantin Knauf
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> In order to obtain some visibility on the current known security vulnerabilities in Flink's dependencies. It would be useful to include the OWASP dependency check plugin [1] into our Maven build.
> By including it into flink-parent, we can get summary of all dependencies of all child projects by running
> {{mvn clean org.owasp:dependency-check-maven:5.0.0-M2:aggregate}}
> We should probably exclude some modules from the dependency-check. These could be:
>  * flink-docs
>  * flink-fs-tests
>  * flink-yarn-tests
>  * flink-contrib
> Anything else? What about flink-python/flink-streaming-python?**
> In addition I propose to exclude all dependencies in the *system* or *provided* scope.
> At least initially, the build would never fails because of vulnerabilities.
>  [1] [https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)