You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@yetus.apache.org by "Allen Wittenauer (JIRA)" <ji...@apache.org> on 2018/07/23 18:14:00 UTC

[jira] [Commented] (YETUS-441) Add a precommit check for known CVEs from dependencies

    [ https://issues.apache.org/jira/browse/YETUS-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16553195#comment-16553195 ] 

Allen Wittenauer commented on YETUS-441:
----------------------------------------

Playing around with this again. I'm using:

{code}
test-patch.sh --basedir=(hadoop) --patch-dir=/tmp/yetus-work \
                      --project=hadoop --docker --plugins=maven,dependency_check \
                      --resetrepo --dockerfile=(hadoop's dockerfile) --empty-patch
{code}

The end result was a +0 with the only hint being the no reports message.  That's less than ideal. :)  Digging in and looking at the log, owasp wasn't able to download the database.

So ...
* When the maven goal doesn't generate output, a link to the log would be great.
* If one doesn't pre-download, there will be an attempt to download live.  If maven fails to download, the patch should specifically call that out as a failing error.
* I'm not sure why maven can't download the DB file while inside Hadoop's docker container. (It works from start-build-env but not from test-patch)  That might be specific to Hadoop, but something to look at.
* This really feels like dep check should be voting -1 here. 
* If we're going to have really long test names, test-patch console code needs to be the smarter about line length.  The patch is clearly overflowing the table size.

I'll play around with it some more because I really want to see this working. :)

> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>
>                 Key: YETUS-441
>                 URL: https://issues.apache.org/jira/browse/YETUS-441
>             Project: Yetus
>          Issue Type: New Feature
>          Components: Test Patch
>            Reporter: Sean Busbey
>            Assignee: Sean Busbey
>            Priority: Major
>         Attachments: YETUS-441.0.patch, YETUS-441.1.patch, YETUS-441.2.patch, YETUS-441.3.patch, dependency-check-suppression.xml
>
>
> Add in a precommit test that makes use of [The OWASP Dependency Check|https://www.owasp.org/index.php/OWASP_Dependency_Check] to look for known bad dependencies.
> there's a maven plugin, ant task, and command line tool. So we should be able to build similar support to what we have for RAT.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)