Posted to notifications@pekko.apache.org by "mdedetrich (via GitHub)" <gi...@apache.org> on 2023/04/15 10:12:12 UTC

[GitHub] [incubator-pekko] mdedetrich opened a new pull request, #289: Add sbt-dependency-check

mdedetrich opened a new pull request, #289:
URL: https://github.com/apache/incubator-pekko/pull/289

   This PR adds sbt-dependency-check which scans the entire dependency tree of Pekko against OWASP to scan for any potential CVEs. This PR does a pretty basic addition of the plugin but there is future room for improvement, i.e. since this is a standard sbt plugin it's possible to run `dependencyCheckAggregate` along with `sourceDistGenerate` when making a release. Another notable setting is `dependencyCheckFailBuildOnCVSS` which would cause the project to automatically fail if it finds a dependency with a certain security level.
   
   The contents of both the generated report and the suppression file are located in the `dependency` folder (this can be renamed if needed). This also means that the report will be contained in the source dist distribution.
   
   Note that the report has actually picked up `HIGH` CVEs from our dependency list which we should look into, i.e. 
   ![image](https://user-images.githubusercontent.com/2337269/232207685-2a4806b6-90a7-4584-8aee-165612a15aaf.png)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@pekko.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@pekko.apache.org
For additional commands, e-mail: notifications-help@pekko.apache.org


[GitHub] [incubator-pekko] mdedetrich commented on pull request #289: Add sbt-dependency-check

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1536073504

   In that case let me spend a few minutes today trying to automate this considering I already did it for `sbt-license-report`, I will ping when I update the PR.


[GitHub] [incubator-pekko] He-Pin commented on pull request #289: Add sbt-dependency-check

Posted by "He-Pin (via GitHub)" <gi...@apache.org>.
He-Pin commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1509852667

   Or a weekly action can do too?


[GitHub] [incubator-pekko] mdedetrich commented on pull request #289: Add sbt-dependency-check

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1509851354

   > do we really need to commit the html file?
   
   I don't know? The primary point of the plugin is to create this file. One thing to note is that the generation of this file takes a **looong** amount of time. This is due to the fact that it downloads the entire OWASP database locally, does some processing on it and then scans all of your dependencies. You can think of it as similar to compiled game assets, i.e. theoretically speaking you shouldn't commit these into git but because they are expensive to generate and rarely change it's done for pragmatic/practical reasons.
   
   I would also presume that having this committed in git would make Apache review/release process of Pekko a lot easier (you just need to open the file) and since the report (at least currently) is in the source dist package its a nice QOL feature for Pekko users. As stated before we would make sure that the report is in sync when a release is made but this also can be automated.
   
   Also in case you haven't opened the file, I would recommend doing so because it's actually interactive (i.e. it's not static text). i.e. it gives you the ability to direct to the original OWASP vulnerability and you can also use the generated html file to add suppressions, i.e.
   
   ![image](https://user-images.githubusercontent.com/2337269/232229838-842f9981-0e8e-4715-b1b0-1995387b081e.png)
   
   Ultimately I have no problem with removing it from git but then we kind of need to ascertain what the goals are here. At least from my experience in working with companies for legal/license/CVEs, a report is always the best way to handle this and that's why these plugins generally make reports. This plugin is also just a wrapper for the well known https://github.com/jeremylong/DependencyCheck whose entire point is also just to generate reports.


[GitHub] [incubator-pekko] mdedetrich commented on a diff in pull request #289: Add sbt-dependency-check

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on code in PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#discussion_r1186321417


##########
project/Paradox.scala:
##########
@@ -90,13 +91,32 @@ object Paradox {
 
   val parsingSettings = Seq(Compile / paradoxParsingTimeout := 5.seconds)
 
+  val sourceGeneratorSettings = Seq(
+    Compile / paradoxMarkdownToHtml / sourceGenerators += Def.taskDyn {
+      val targetFile = (Compile / paradox / sourceManaged).value / "security" / "dependency-check-report.md"
+      val sourceFile = (LocalRootProject / dependencyCheckOutputDirectory).value.get / "dependency-check-report.html"
+
+      (LocalRootProject / dependencyCheckAggregate).map { _ =>
+        val data = IO.readLines(sourceFile)
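Review bot: `(LocalRootProject / dependencyCheckOutputDirectory).value.get` on the `sourceFile` line will throw a bare `NoSuchElementException` at task evaluation if that setting is `None`; resolve it with `.getOrElse(sys.error("dependencyCheckOutputDirectory is not set"))` or pin the directory in this project so the failure names the setting. Two further points on the same hunk: because the generator maps over `dependencyCheckAggregate`, every Paradox build now runs the full scan, including the slow NVD download described elsewhere in this thread, so the docs build inherits that cost; and `IO.readLines(sourceFile)` pulls the HTML report's lines, whose vulnerability text originates from that feed, straight into the `security/dependency-check-report.md` source. The plugin's JSON or XML output would give a structured source to render Markdown from instead of inlining raw HTML.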

Review Comment:
   There are probably better/more performant ways to do this but we can also look into this later



[GitHub] [incubator-pekko] pjfanning commented on pull request #289: Add sbt-dependency-check

Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1536072190

   If we remove the html file and possibly add the filename to .gitignore, I think we can merge this. We could do a 2nd PR that automates the publishing of the HTML.


[GitHub] [incubator-pekko] mdedetrich commented on pull request #289: Add sbt-dependency-check

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1657174808

   Closing this PR since https://github.com/apache/incubator-pekko/pull/366 is already solving this problem in a simpler way.


[GitHub] [incubator-pekko] mdedetrich commented on pull request #289: Add sbt-dependency-check

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1536022461

   So I plan on changing this so it just gets included in the docs. I have similar work with sbt-license-report which I have yet to submit.


[GitHub] [incubator-pekko] mdedetrich closed pull request #289: Add sbt-dependency-check

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich closed pull request #289: Add sbt-dependency-check
URL: https://github.com/apache/incubator-pekko/pull/289


[GitHub] [incubator-pekko] mdedetrich commented on pull request #289: Add sbt-dependency-check

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1509853605

   > Or a weekly action can do too?
   
   We can do this, but the point is still where do we persist the file? I guess we can upload it as part of pekko docs and then rsync it/commit it to git. @pjfanning would you prefer this?


[GitHub] [incubator-pekko] pjfanning commented on pull request #289: Add sbt-dependency-check

Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1509719597

   do we really need to commit the html file?


[GitHub] [incubator-pekko] mdedetrich commented on pull request #289: Add sbt-dependency-check

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1509718520

   So I just checked the netty dependency which has the `CRITICAL` level but there isn't anything that can be done about it since there isn't a new proper release that solves it (see https://mvnrepository.com/artifact/io.netty/netty).
   
   @pjfanning I can add this netty version into `suppression.xml` since there isn't anything we can do about it, just let me know if you want me to update the PR for this.


[GitHub] [incubator-pekko] pjfanning commented on pull request #289: Add sbt-dependency-check

Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1509858313

   We could rsync it to nightlies site.


[GitHub] [incubator-pekko] kw217 commented on pull request #289: Add sbt-dependency-check

Posted by "kw217 (via GitHub)" <gi...@apache.org>.
kw217 commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1536020497

   I agree, having the report pre-generated is really useful for consumers (esp. corporate). But we shouldn't have big generated artifacts in git (it slows down clones, for one thing). It should go on the nightlies site, or near the docs.


[GitHub] [incubator-pekko] mdedetrich commented on pull request #289: Add sbt-dependency-check

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1536289760

   So I did some work on this but due to the amount of time it takes to get the NVD database I have some concerns about how nicely it would work with github actions especially when integrated with paradox so I opened up an issue upstream at https://github.com/albuch/sbt-dependency-check/issues/305


[GitHub] [incubator-pekko] mdedetrich commented on pull request #289: Add sbt-dependency-check

Posted by "mdedetrich (via GitHub)" <gi...@apache.org>.
mdedetrich commented on PR #289:
URL: https://github.com/apache/incubator-pekko/pull/289#issuecomment-1536539047

   Good news is that after finally managing to get the NVD database to download onto my system I managed to integrate sbt-dependency-check directly into our paradox docs.
   
   ![image](https://user-images.githubusercontent.com/2337269/236520942-a1d131aa-e954-47f3-ae80-8b03128ea5cb.png)
   
   The bad news is that as you can tell, since I am inlining the html the styling doesn't look the best. Unfortunately sbt-dependency-check doesn't have markdown as a supported output format which leaves us with 2 options
   
   * Use a much more strict/data orientated format such as JSON/XML, parse it and then convert it into markdown so that it renders better
   * Try to find a css stylesheet and wrap the raw block in a div as documented here https://developer.lightbend.com/docs/paradox/current/directives/css-friendliness.html#raw-text-in-fenced-blocks so that it doesn't look so bad.


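The thread raises three mechanics without showing them: the `dependencyCheckFailBuildOnCVSS` gate and the `suppression.xml` entry for the unfixable netty finding from the PR description and the follow-up comment, and the "parse JSON/XML and convert it into markdown" option from the last comment. The script below is an added example, not code from the Pekko PR or from sbt-dependency-check / DependencyCheck, that does all three over one constructed report. Assumptions: the JSON report layout (`dependencies[].packages[].id` as a purl, `dependencies[].vulnerabilities[].name/severity/cvssv3.baseScore/cvssv2.score`) and the suppression file elements (`<packageUrl regex="true">`, `<cve>`, `<cvssBelow>`) are stated as I understand the DependencyCheck formats; the sample report, the suppression rule and the CVE identifiers in it are constructed placeholders, and the threshold semantics (fail when an unsuppressed score is at or above the threshold) mirror the plugin setting's intent rather than its exact implementation.

```python
"""Render an OWASP dependency-check JSON report as Markdown, apply a
suppression file, and gate on a CVSS threshold.

Added example, not the Pekko PR's or the plugin's code. The JSON field names
and suppression elements below are assumptions about the DependencyCheck
formats; all sample data is constructed and the CVE ids are placeholders.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample report: two artifacts, three findings (placeholder ids).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "netty-0.0.0.jar",
            "packages": [{"id": "pkg:maven/io.netty/netty@0.0.0"}],
            "vulnerabilities": [
                {"name": "CVE-0000-00001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-00002", "severity": "MEDIUM",
                 "cvssv2": {"score": 5.0}},
            ],
        },
        {
            "fileName": "example-lib-1.0.jar",
            "packages": [{"id": "pkg:maven/org.example/example-lib@1.0"}],
            "vulnerabilities": [
                {"name": "CVE-0000-00003", "severity": "HIGH",
                 "cvssv3": {"baseScore": 7.5}},
            ],
        },
    ]
})

# Constructed suppression file: silence one placeholder CVE on io.netty:netty
# only, with the reason recorded in <notes> (no fixed release available).
SAMPLE_SUPPRESSIONS = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>No fixed release available yet; revisit when upstream ships one.</notes>
    <packageUrl regex="true">^pkg:maven/io\\.netty/netty@.*$</packageUrl>
    <cve>CVE-0000-00001</cve>
  </suppress>
</suppressions>
"""


def load_suppressions(xml_text):
    """Parse <suppress> rules into (purl_regex_or_None, cve_set, cvss_below_or_None)."""
    rules = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "suppress":   # strip the namespace prefix
            continue
        purl_re, cves, cvss_below = None, set(), None
        for child in elem:
            tag = child.tag.split("}")[-1]
            if tag == "packageUrl":
                pattern = child.text.strip()
                if child.get("regex", "false").lower() != "true":
                    pattern = "^" + re.escape(pattern) + "$"  # literal purl match
                purl_re = re.compile(pattern)
            elif tag == "cve":
                cves.add(child.text.strip())
            elif tag == "cvssBelow":
                cvss_below = float(child.text)
        rules.append((purl_re, cves, cvss_below))
    return rules


def score_of(vuln):
    """Prefer the CVSS v3 base score; fall back to v2 when v3 is absent."""
    if "cvssv3" in vuln:
        return float(vuln["cvssv3"]["baseScore"])
    if "cvssv2" in vuln:
        return float(vuln["cvssv2"]["score"])
    return 0.0


def is_suppressed(purl, vuln, rules):
    """A rule applies when every condition it carries (purl, cve, cvssBelow) holds."""
    score = score_of(vuln)
    for purl_re, cves, cvss_below in rules:
        if purl_re is not None and not purl_re.search(purl):
            continue
        if cves and vuln["name"] not in cves:
            continue
        if cvss_below is not None and score >= cvss_below:
            continue
        return True
    return False


def findings(report_json, suppressions_xml):
    """Flatten the report to (purl, cve, severity, score, suppressed) rows."""
    report = json.loads(report_json)
    rules = load_suppressions(suppressions_xml)
    rows = []
    for dep in report.get("dependencies", []):
        purls = [p["id"] for p in dep.get("packages", [])] or [dep.get("fileName", "?")]
        for vuln in dep.get("vulnerabilities", []):
            for purl in purls:
                rows.append((purl, vuln["name"], vuln.get("severity", "UNKNOWN"),
                             score_of(vuln), is_suppressed(purl, vuln, rules)))
    return rows


def to_markdown(rows):
    """Markdown table suitable for dropping into a Paradox/Markdown docs page."""
    lines = ["| Package | Vulnerability | Severity | CVSS | Suppressed |",
             "|---|---|---|---|---|"]
    for purl, cve, sev, score, sup in rows:
        lines.append(f"| `{purl}` | {cve} | {sev} | {score:.1f} | {'yes' if sup else 'no'} |")
    return "\n".join(lines)


def exceeds_threshold(rows, fail_on_cvss):
    """Unsuppressed findings at or above the threshold; non-empty means 'fail the build'."""
    return [r for r in rows if not r[4] and r[3] >= fail_on_cvss]


if __name__ == "__main__":
    all_rows = findings(SAMPLE_REPORT, SAMPLE_SUPPRESSIONS)
    print(to_markdown(all_rows))
    raise SystemExit(1 if exceeds_threshold(all_rows, fail_on_cvss=7.0) else 0)
```

With the constructed data the netty CRITICAL entry is suppressed by the rule, the MEDIUM one scores below the threshold, and the HIGH finding on the second artifact is the one that would fail a build gated at 7.0; the Markdown table still lists all three, with the suppressed column making the accepted risk visible to readers of the docs rather than hiding it.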