Posted to commits@iotdb.apache.org by qi...@apache.org on 2019/11/30 15:46:27 UTC
[incubator-iotdb] branch master updated: Revert "Revert "Move the
vulnera-checks section into the apache-release profile (#590)" (#599)"
(#604)
This is an automated email from the ASF dual-hosted git repository.
qiaojialin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new 0d544ad Revert "Revert "Move the vulnera-checks section into the apache-release profile (#590)" (#599)" (#604)
0d544ad is described below
commit 0d544ad7fe89db2be13a26cb6daceb7a904a0b39
Author: Jialin Qiao <qj...@mails.tsinghua.edu.cn>
AuthorDate: Sat Nov 30 23:46:21 2019 +0800
Revert "Revert "Move the vulnera-checks section into the apache-release profile (#590)" (#599)" (#604)
This reverts commit 094aefd454c05885fa197b495db0e8bd39addaf8.
---
pom.xml | 160 ++++++++++++++++++++++++++++++++--------------------------------
1 file changed, 80 insertions(+), 80 deletions(-)
diff --git a/pom.xml b/pom.xml
index a29906d..b8771b9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -518,86 +518,6 @@
</pluginManagement>
<plugins>
<!--
- Strange things usually happen if you run with a too low Java version.
- This plugin not only checks the minimum java version of 1.8, but also
- checks all dependencies (and transitive dependencies) for reported CVEs.
- -->
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-enforcer-plugin</artifactId>
- <version>3.0.0-M2</version>
- <!--$NO-MVN-MAN-VER$-->
- <executions>
- <!-- Ensure we're not mixing dependency versions -->
- <execution>
- <id>enforce-version-convergence</id>
- <configuration>
- <rules>
- <dependencyConvergence/>
- </rules>
- </configuration>
- <goals>
- <goal>enforce</goal>
- </goals>
- </execution>
- <!--
- Fails the build if classes are included from multiple
- artifacts and these are not identical.
- -->
- <!--execution>
- <id>enforce-ban-duplicate-classes</id>
- <goals>
- <goal>enforce</goal>
- </goals>
- <configuration>
- <rules>
- <banDuplicateClasses>
- <scopes>
- <scope>compile</scope>
- <scope>provided</scope>
- </scopes>
- <findAllDuplicates>true</findAllDuplicates>
- <ignoreWhenIdentical>true</ignoreWhenIdentical>
- </banDuplicateClasses>
- </rules>
- <fail>true</fail>
- </configuration>
- </execution-->
- <!-- Make sure no dependencies are used for which known vulnerabilities exist. -->
- <execution>
- <id>vulnerability-checks</id>
- <phase>validate</phase>
- <goals>
- <goal>enforce</goal>
- </goals>
- <configuration>
- <!-- Just generate warnings for now -->
- <fail>false</fail>
- <rules>
- <requireJavaVersion>
- <version>1.8.0</version>
- </requireJavaVersion>
- <!-- Disabled for now as it breaks the ability to build single modules -->
- <!--reactorModuleConvergence/-->
- <banVulnerable implementation="org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies"/>
- </rules>
- </configuration>
- </execution>
- </executions>
- <dependencies>
- <dependency>
- <groupId>org.sonatype.ossindex.maven</groupId>
- <artifactId>ossindex-maven-enforcer-rules</artifactId>
- <version>1.0.0</version>
- </dependency>
- <dependency>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>extra-enforcer-rules</artifactId>
- <version>1.2</version>
- </dependency>
- </dependencies>
- </plugin>
- <!--
Even if Maven transitively pulls in dependencies, relying on these can
quite often cause hard to find problems. So it's a good practice to make
sure everything directly required is also directly added as a dependency.
@@ -1035,6 +955,86 @@
</execution>
</executions>
</plugin>
+ <!--
+ Strange things usually happen if you run with a too low Java version.
+ This plugin not only checks the minimum java version of 1.8, but also
+ checks all dependencies (and transitive dependencies) for reported CVEs.
+ -->
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-enforcer-plugin</artifactId>
+ <version>3.0.0-M2</version>
+ <!--$NO-MVN-MAN-VER$-->
+ <executions>
+ <!-- Ensure we're not mixing dependency versions -->
+ <execution>
+ <id>enforce-version-convergence</id>
+ <configuration>
+ <rules>
+ <dependencyConvergence/>
+ </rules>
+ </configuration>
+ <goals>
+ <goal>enforce</goal>
+ </goals>
+ </execution>
+ <!--
+ Fails the build if classes are included from multiple
+ artifacts and these are not identical.
+ -->
+ <!--execution>
+ <id>enforce-ban-duplicate-classes</id>
+ <goals>
+ <goal>enforce</goal>
+ </goals>
+ <configuration>
+ <rules>
+ <banDuplicateClasses>
+ <scopes>
+ <scope>compile</scope>
+ <scope>provided</scope>
+ </scopes>
+ <findAllDuplicates>true</findAllDuplicates>
+ <ignoreWhenIdentical>true</ignoreWhenIdentical>
+ </banDuplicateClasses>
+ </rules>
+ <fail>true</fail>
+ </configuration>
+ </execution-->
+ <!-- Make sure no dependencies are used for which known vulnerabilities exist. -->
+ <execution>
+ <id>vulnerability-checks</id>
+ <phase>validate</phase>
+ <goals>
+ <goal>enforce</goal>
+ </goals>
+ <configuration>
+ <!-- Just generate warnings for now -->
+ <fail>false</fail>
+ <rules>
+ <requireJavaVersion>
+ <version>1.8.0</version>
+ </requireJavaVersion>
+ <!-- Disabled for now as it breaks the ability to build single modules -->
+ <!--reactorModuleConvergence/-->
+ <banVulnerable implementation="org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies"/>
+ </rules>
+ </configuration>
+ </execution>
+ </executions>
+ <dependencies>
+ <dependency>
+ <groupId>org.sonatype.ossindex.maven</groupId>
+ <artifactId>ossindex-maven-enforcer-rules</artifactId>
+ <version>1.0.0</version>
+ </dependency>
+ <dependency>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>extra-enforcer-rules</artifactId>
+ <version>1.2</version>
+ </dependency>
+ </dependencies>
+ </plugin>
</plugins>
</build>
</profile>
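Review bot: The re-added `vulnerability-checks` execution still carries `<fail>false</fail>`, so a dependency flagged by `BanVulnerableDependencies`, or a JDK below the `requireJavaVersion` minimum, only logs a warning. In its new place inside the profile (apache-release according to the commit title; the profile's opening tag is outside this hunk), that means a release build can complete with a known-vulnerable dependency. The first hunk removes the whole enforcer plugin from the default `<plugins>` section, not only the vulnerability rule. Unless the enforcer is configured elsewhere in the POM, everyday and CI builds presumably no longer run `dependencyConvergence` or the Java version check, and vulnerable dependencies would surface only at release time. I would set `<fail>true</fail>` on this execution for the release path. I would also keep `enforce-version-convergence` and a `requireJavaVersion`-only execution in the default build, separate from the `banVulnerable` rule, so that only the vulnerability scan is profile-gated.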