Posted to dev@zookeeper.apache.org by Patrick Hunt <ph...@apache.org> on 2019/02/02 19:48:40 UTC

Re: OWASP task failing again ! but is CI lying ?

FYI I updated master with ZOOKEEPER-3262 PR and the job is green again:
https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/260/
As I noted on the PR the patch only applies to master, please submit PRs
for 3.5/3.4.

Thanks!

Patrick


On Thu, Jan 31, 2019 at 12:08 AM Enrico Olivelli <eo...@gmail.com>
wrote:

> On Thu, Jan 31, 2019, 00:42 Patrick Hunt <ph...@apache.org> wrote:
>
> > On Wed, Jan 30, 2019 at 3:13 PM Enrico Olivelli <eo...@gmail.com>
> > wrote:
> >
> > > On Wed, Jan 30, 2019, 21:41 Patrick Hunt <ph...@apache.org> wrote:
> > >
> > > > Note the owasp job has been failing since the upgrade to dependency
> > > > checker 4 due to
> > > > "Target "dependency-check-update" does not exist in the project
> > > > "ZooKeeper""
> > > > the jenkins job was explicitly running the update (which seems to not
> > > > exist after the upgrade).
> > > >
> > >
> > > Maybe I tried to force the update by changing the job and I left such
> > > command in the configuration.
> > > The good way to force the update is changing build.xml as we have
> > > committed.
> > > Using Maven there is a specific mojo.
> > > I apologize if I had broken the configuration, I will check the history
> > > of configurations of the job
> > >
> > >
> > No worries at all. Easy enough to address once it was noticed.
> >
> >
> > > A little off topic:
> > > We could keep jenkins jobs configuration on Zookeeper git repo, this
> > > way jobs configuration will be subject to the review-then-commit policy
> > >
> > >
> > I literally removed a single target from the "ant ..." command in the
> > jenkins job ant build spec. There isn't much that could go into git
> > unless we wrap ant with a bash script or something... which would not be
> > optimal imo. Better would be to define jenkins jobs via DSL, but afaik
> > apache jenkins doesn't support that yet (?).
> >
>
> It is exactly what I meant.
> In bookkeeper we have Jenkins jobs committed inside the repo
>
> https://github.com/apache/bookkeeper/tree/master/.test-infra/jenkins
>
>
> We can do the same for Zookeeper
>
> Enrico
>
>
>
> > Patrick
> >
> >
> > > Cheers
> > > Enrico
> > >
> > >
> > >
> > > > I updated the job targets however it's now failing due to CVEs in
> > > > netty and some deps:
> > > >
> > > > https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/255/
> > > > agree we should clear these out...
> > > >
> > > > Patrick
> > > >
> > > >
> > > > On Sat, Jan 26, 2019 at 3:54 AM Enrico Olivelli <eolivelli@gmail.com>
> > > > wrote:
> > > >
> > > > > I have forced the download of pattern and now the results are
> > > > > consistent with the ones on my laptop
> > > > >
> > > > > see the results:
> > > > > https://builds.apache.org/job/ZooKeeper-trunk-owasp/250/console
> > > > >
> > > > > In patch:
> > > > > https://github.com/apache/zookeeper/pull/788
> > > > >
> > > > > I have added the fix to force the download of patterns at every
> > > > > run.
> > > > >
> > > > > IMHO it is better to merge the patch soon
> > > > >
> > > > > Enrico
> > > > >
> > > > > On Sat, Jan 26, 2019 at 11:44 Enrico Olivelli
> > > > > <eo...@gmail.com> wrote:
> > > > > >
> > > > > > Hi Zookeepers,
> > > > > > while working on the migration of OWASP task to the Maven build I
> > > > > > found that currently the CI Job
> > > > > > (https://builds.apache.org/job/ZooKeeper-trunk-owasp/) is not
> > > > > > working properly.
> > > > > >
> > > > > > On my laptop both the ant task and the maven one are reporting
> > > > > > several issues, due to dependencies updated/introduced recently,
> > > > > > like Netty 4.1.29 (which is not the latest and greatest released
> > > > > > version)
> > > > > >
> > > > > > I have attached my logs in JIRA
> > > > > > https://issues.apache.org/jira/browse/ZOOKEEPER-3256
> > > > > >
> > > > > > This is the patch to add OWASP to Maven build
> > > > > > https://github.com/apache/zookeeper/pull/788
> > > > > >
> > > > > > My proposal:
> > > > > > 1) commit PR #788 to all the active branches
> > > > > > 2) create an issue to address the new issues and upgrade all the
> > > > > > deps and/or add suppressions
> > > > > > 3) add OWASP job to the new Maven CI pre-commit/post-commit
> > > > > >
> > > > > > As soon as we commit the plugin configuration I will set up the CI
> > > > > > Job for OWASP.
> > > > > >
> > > > > > Please anyone try out my patch and/or the ant task and confirm my
> > > > > > findings.
> > > > > > I am trying to understand why the CI job is not reporting the same
> > > > > > results as on my laptop. Actually my best guess is that it is not
> > > > > > re-downloading CVE patterns from NIST and so it is working with
> > > > > > stale information.
> > > > > >
> > > > > > Regards
> > > > > > Enrico
> > > > >
> > > >
> > >
> >
>