Posted to issues@flink.apache.org by "Chesnay Schepler (JIRA)" <ji...@apache.org> on 2019/04/06 12:33:00 UTC

[jira] [Commented] (FLINK-12119) Add OWASP Dependency Check to Flink Build

    [ https://issues.apache.org/jira/browse/FLINK-12119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16811568#comment-16811568 ] 

Chesnay Schepler commented on FLINK-12119:
------------------------------------------

Sounds good to me, we can run this in a weekly cron job (see the bottom for why other options wouldn't work). Since we don't have to compile anything this should be relatively light-weight I hope, since we do have to run it against the scala/hadoop matrix.
All modules that are either a) deployed to maven central or b) included in flink-dist should be checked. Since the main CI will not be affected it shouldn't be necessary to make any other exclusions.
In addition to {{system}} and {{provided}} dependencies we can also exclude {{test}} dependencies.

Why a weekly cron job?
Conceptually we could just add it as an optional plugin to generate a report on-demand, but this would rarely be used, if at all. At the same time, running it on CI without failing the build would just waste resources (since no one would look at it) and additionally introduces more failure points. Finally, running it on CI and failing the build will just wreck the CI, potentially for prolonged time.

> Add OWASP Dependency Check to Flink Build
> -----------------------------------------
>
>                 Key: FLINK-12119
>                 URL: https://issues.apache.org/jira/browse/FLINK-12119
>             Project: Flink
>          Issue Type: Improvement
>          Components: Build System
>            Reporter: Konstantin Knauf
>            Assignee: Konstantin Knauf
>            Priority: Major
>
> In order to obtain some visibility on the current known security vulnerabilities in Flink's dependencies. It would be useful to include the OWASP dependency check plugin [1] into our Maven build.
> By including it into flink-parent, we can get summary of all dependencies of all child projects by running
> {{mvn clean org.owasp:dependency-check-maven:5.0.0-M2:aggregate}}
> We should probably exclude some modules from the dependency-check. These could be:
>  * flink-dist
>  * flink-docs
>  * flink-examples
>  * flink-tests
>  * flink-shaded-yarn-tests
>  * flink-end-to-end-tests
>  * flink-fs-tests
>  * flink-test-utils-parent
>  * flink-yarn-tests
>  * flink-contrib
> Anything else? What about flink-python/flink-streaming-python?
> In addition I propose to exclude all dependencies in the *system* or *provided* scope.
> At least initially, the build would never fail because of vulnerabilities.
>  [1] [https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html]
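The configuration the two comments above converge on (plugin in flink-parent, `aggregate` goal invoked on demand, `system`/`provided`/`test` scopes skipped, build never failing on findings, individual modules opted out), written out as an added example. This is not the Flink project's own pom and not code from the dependency-check project; the `pluginManagement` placement and the module-level opt-out are assumptions, the parameter names (`skipProvidedScope`, `skipSystemScope`, `skipTestScope`, `failBuildOnCVSS`, `format`, `skip`) are real dependency-check-maven parameters, and the version is the one quoted in the issue.

```xml
<!-- Added example, not taken from flink-parent. Assumed location:
     <build><pluginManagement><plugins> of the flink-parent pom, so the
     settings apply when the goal is invoked directly from the command line
     without binding the plugin to any lifecycle phase (nothing is compiled). -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>5.0.0-M2</version>
  <configuration>
    <!-- Scopes excluded as agreed in the discussion: system, provided, test. -->
    <skipSystemScope>true</skipSystemScope>
    <skipProvidedScope>true</skipProvidedScope>
    <skipTestScope>true</skipTestScope>
    <!-- CVSS threshold above which the build fails; 11 is above the CVSS
         maximum of 10, so the build never fails on a finding (report only). -->
    <failBuildOnCVSS>11</failBuildOnCVSS>
    <!-- HTML for humans reading the weekly report, XML/JSON for tooling. -->
    <format>ALL</format>
    <!-- Assumed file for documented false positives, kept under version control. -->
    <suppressionFiles>
      <suppressionFile>${project.basedir}/tools/dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
</plugin>

<!-- Added example for a module that should not be scanned (e.g. flink-tests).
     Assumed location: <build><plugins> of that module's own pom. Version and
     scope settings are inherited from the pluginManagement entry above. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <configuration>
    <skip>true</skip>
  </configuration>
</plugin>
```

With this in place the weekly job runs `mvn org.owasp:dependency-check-maven:5.0.0-M2:aggregate` from the repository root, once per Scala/Hadoop combination in the matrix, and archives the generated report directory; the normal CI build is untouched because nothing binds the plugin to a phase. Opting modules out via `skip` rather than removing them from the reactor keeps the aggregate report's module list identical to the real build, which is what one wants when comparing two weekly reports.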



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)