Posted to dev@pulsar.apache.org by Nicolò Boschi <bo...@gmail.com> on 2021/12/22 15:05:19 UTC

OWASP dependencies check on active branches

Hello everyone,

I created a couple of pull requests in order to run a periodic check on
Pulsar active branches. In this way we can proactively update dependencies
whenever it is needed (for the purpose of fixing CVEs).

The first one [0] is to make the check pass on branch-2.8
The second one [1] is to make the check pass on master and branch-2.9
The third one [2] is to make the periodic job run against master,
branch-2.8 and branch-2.9.

We also have to port this PR [3] to branch-2.9

I left out the 2.7 branch because I have the impression (please confirm it) we
are no longer cherry-picking dependency upgrades. Also the check doesn't
exist at all in that branch.

Let me know what you think.

Thanks,
Nicolò Boschi

[0] https://github.com/apache/pulsar/pull/13455
[1] https://github.com/apache/pulsar/pull/13451
[2] https://github.com/apache/pulsar/pull/13366
[3] https://github.com/apache/pulsar/pull/13364
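As an added illustration of the kind of periodic job described above (this is not one of the linked pull requests and not Pulsar's actual workflow), here is a scheduled GitHub Actions workflow that runs the OWASP dependency-check Maven plugin against a fixed list of branches and fails when a finding reaches a CVSS threshold. The file name, cron schedule, branch list, JDK version, cache path and CVSS threshold are assumptions chosen for the example.

```yaml
# Added illustration, not Pulsar's real workflow: nightly OWASP dependency-check
# over several release branches. Schedule, branch list, JDK version, cache path
# and CVSS threshold are assumptions.
name: OWASP dependency check (scheduled)

on:
  schedule:
    - cron: '0 3 * * *'       # nightly at 03:00 UTC (assumed schedule)
  workflow_dispatch:           # also allow a manual run from the Actions tab

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false         # report every branch instead of stopping at the first failure
      matrix:
        # Release managers add a new release branch here when they cut it.
        branch: [master, branch-2.9, branch-2.8]
    steps:
      - name: Check out the branch under test
        uses: actions/checkout@v2
        with:
          ref: ${{ matrix.branch }}

      - name: Set up a JDK
        uses: actions/setup-java@v2
        with:
          distribution: temurin
          java-version: 11      # assumed; match the branch's build requirement

      - name: Cache the NVD data so each run does not re-download the full feed
        uses: actions/cache@v2
        with:
          # Assumed location of the plugin's data directory inside the local Maven repo.
          path: ~/.m2/repository/org/owasp/dependency-check-data
          key: owasp-nvd-${{ matrix.branch }}-${{ github.run_id }}
          restore-keys: owasp-nvd-${{ matrix.branch }}-

      - name: Resolve and build the modules without running tests
        run: mvn -B -ntp install -DskipTests

      - name: Run dependency-check across all modules; fail on CVSS >= 7
        run: >
          mvn -B -ntp org.owasp:dependency-check-maven:aggregate
          -DfailBuildOnCVSS=7

      - name: Keep the report even when the check fails
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: dependency-check-report-${{ matrix.branch }}
          path: target/dependency-check-report.html
```

A matrix over branch names is what makes "add the new release branch" a one-line change for the release manager, and `fail-fast: false` ensures a vulnerable dependency on one branch does not hide the results for the others. The same `aggregate` goal can be run locally on a branch before opening a dependency-upgrade PR, so the CI job is confirming a result the contributor has already seen.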

Re: OWASP dependencies check on active branches

Posted by Michael Marshall <mm...@apache.org>.
+1 - This is a great addition, thanks Nicolò.

I updated our Release Process wiki page so that Release Managers will
know to add new release branches to this GitHub workflow [0].

- Michael

[0] https://github.com/apache/pulsar/wiki/Release-process#1-create-the-release-branch

On Wed, Dec 22, 2021 at 10:08 AM Lari Hotari <La...@hotari.net> wrote:
>
> Good work Nicolò! It's great to have OWASP dependency check handled for all
> active branches.
>
> -Lari
>
> On Wed, Dec 22, 2021 at 5:05 PM Nicolò Boschi <bo...@gmail.com> wrote:
>
> > Hello everyone,
> >
> > I created a couple of pull requests in order to run a periodic check on
> > Pulsar active branches. In this way we can proactively update dependencies
> > whenever it is needed (for the purpose of fixing CVEs).
> >
> > The first one [0] is to make the check pass on branch-2.8
> > The second one [1] is to make the check pass on master and branch-2.9
> > The third one [2] is to make the periodic job run against master,
> > branch-2.8 and branch-2.9.
> >
> > We also have to port this PR [3] to branch-2.9
> >
> > I left out the 2.7 branch because I have the impression (please confirm it) we
> > are no longer cherry-picking dependency upgrades. Also the check doesn't
> > exist at all in that branch.
> >
> > Let me know what you think.
> >
> > Thanks,
> > Nicolò Boschi
> >
> > [0] https://github.com/apache/pulsar/pull/13455
> > [1] https://github.com/apache/pulsar/pull/13451
> > [2] https://github.com/apache/pulsar/pull/13366
> > [3] https://github.com/apache/pulsar/pull/13364
> >

Re: OWASP dependencies check on active branches

Posted by Lari Hotari <La...@hotari.net>.
Good work Nicolò! It's great to have OWASP dependency check handled for all
active branches.

-Lari

On Wed, Dec 22, 2021 at 5:05 PM Nicolò Boschi <bo...@gmail.com> wrote:

> Hello everyone,
>
> I created a couple of pull requests in order to run a periodic check on
> Pulsar active branches. In this way we can proactively update dependencies
> whenever it is needed (for the purpose of fixing CVEs).
>
> The first one [0] is to make the check pass on branch-2.8
> The second one [1] is to make the check pass on master and branch-2.9
> The third one [2] is to make the periodic job run against master,
> branch-2.8 and branch-2.9.
>
> We also have to port this PR [3] to branch-2.9
>
> I left out the 2.7 branch because I have the impression (please confirm it) we
> are no longer cherry-picking dependency upgrades. Also the check doesn't
> exist at all in that branch.
>
> Let me know what you think.
>
> Thanks,
> Nicolò Boschi
>
> [0] https://github.com/apache/pulsar/pull/13455
> [1] https://github.com/apache/pulsar/pull/13451
> [2] https://github.com/apache/pulsar/pull/13366
> [3] https://github.com/apache/pulsar/pull/13364
>