You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@yetus.apache.org by "Allen Wittenauer (JIRA)" <ji...@apache.org> on 2018/07/23 18:14:00 UTC
[jira] [Commented] (YETUS-441) Add a precommit check for known CVEs
from dependencies
[ https://issues.apache.org/jira/browse/YETUS-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16553195#comment-16553195 ]
Allen Wittenauer commented on YETUS-441:
----------------------------------------
Playing around with this again. I'm using:
{code}
test-patch.sh --basedir=(hadoop) --patch-dir=/tmp/yetus-work \
--project=hadoop --docker --plugins=maven,dependency_check \
--resetrepo --dockerfile=(hadoop's dockerfile) --empty-patch
{code}
The end result was a +0 with the only hint being the no reports message. That's less than ideal. :) Digging in and looking at the log, owasp wasn't able to download the database.
So ...
* When the maven goal doesn't generate output, a link to the log would be great.
* If one doesn't pre-download, there will be an attempt to download live. If maven fails to download, the patch should specifically call that out as a failing error.
* I'm not sure why maven can't download the DB file while inside Hadoop's docker container. (It works from start-build-env but not from test-patch) That might be specific to Hadoop, but something to look at.
* This really feels like dep check should be voting -1 here.
* If we're going to have really long test names, test-patch console code needs to be the smarter about line length. The patch is clearly overflowing the table size.
I'll play around with it some more because I really want to see this working. :)
> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>
> Key: YETUS-441
> URL: https://issues.apache.org/jira/browse/YETUS-441
> Project: Yetus
> Issue Type: New Feature
> Components: Test Patch
> Reporter: Sean Busbey
> Assignee: Sean Busbey
> Priority: Major
> Attachments: YETUS-441.0.patch, YETUS-441.1.patch, YETUS-441.2.patch, YETUS-441.3.patch, dependency-check-suppression.xml
>
>
> Add in a precommit test that makes use of [The OWASP Dependency Check|https://www.owasp.org/index.php/OWASP_Dependency_Check] to look for known bad dependencies.
> there's a maven plugin, ant task, and command line tool. So we should be able to build similar support to what we have for RAT.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)