Posted to commits@inlong.apache.org by GitBox <gi...@apache.org> on 2022/05/25 04:09:51 UTC

[GitHub] [incubator-inlong] dockerzhang opened a new pull request, #4372: [WIP] add a workflow to Scan InLong common vulnerabilities

dockerzhang opened a new pull request, #4372:
URL: https://github.com/apache/incubator-inlong/pull/4372

   ### Title Name: [INLONG-XYZ][component] Title of the pull request
   
   where *XYZ* should be replaced by the actual issue number.
   
   Fixes #2440
   
   ### Motivation
   
   *Explain here the context, and why you're making that change. What is the problem you're trying to solve?*
   
   ### Modifications
   
   *Describe the modifications you've done.*
   
   ### Verifying this change
   
   *(Please pick either of the following options)*
   
   - [ ] This change is a trivial rework/code cleanup without any test coverage.
   
   - [ ] This change is already covered by existing tests, such as:
     *(please describe tests)*
   
   - [ ] This change added tests and can be verified as follows:
   
     *(example:)*
     - *Added integration tests for end-to-end deployment with large payloads (10MB)*
     - *Extended integration test for recovery after broker failure*
   
   ### Documentation
   
     - Does this pull request introduce a new feature? (yes / no)
     - If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)
     - If a feature is not applicable for documentation, explain why?
     - If a feature is not documented yet in this PR, please create a follow-up issue for adding the documentation
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@inlong.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [incubator-inlong] shink commented on a diff in pull request #4372: [WIP] add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
shink commented on code in PR #4372:
URL: https://github.com/apache/incubator-inlong/pull/4372#discussion_r892056289


##########
.github/workflows/ci_codeql.yml:
##########
@@ -24,8 +24,6 @@ jobs:
     name: Analyze by CodeQL
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read
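
Review bot: removing `actions: read` and `contents: read` while the job keeps its own `permissions:` block sets both scopes to none for this job, since a job-level `permissions:` key turns every unlisted scope off rather than falling back to the workflow or repository default. For a public repository that works, because checkout and the CodeQL status calls do not need the token there, but it breaks silently if the repository is ever made private or the workflow is copied into one. A one-line comment above `permissions:` recording that assumption, or simply keeping `contents: read`, would spare the next reader a debugging session.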

Review Comment:
   > @shink do you know how to avoid the high-severity security vulnerabilities temporarily? These vulnerabilities will be fixed in the future. We need to keep the workflow runs passing now and prevent new vulnerabilities from appearing.
   
   The default value is false, but it cannot meet your need. I just tried it.
   



##########
.github/workflows/ci_codeql.yml:
##########
@@ -24,8 +24,6 @@ jobs:
     name: Analyze by CodeQL
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read

Review Comment:
   > @shink do you know how to avoid the high-severity security vulnerabilities temporarily? These vulnerabilities will be fixed in the future. We need to keep the workflow runs passing now and prevent new vulnerabilities from appearing.
   
   @dockerzhang The default value is false, but it cannot meet your need. I just tried it.
   





[GitHub] [incubator-inlong] shink commented on a diff in pull request #4372: [WIP] add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
shink commented on code in PR #4372:
URL: https://github.com/apache/incubator-inlong/pull/4372#discussion_r885167485


##########
.github/workflows/codeql-analysis.yml:
##########
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: InLong Vulnerabilities Scan
+
+on:
+  push:
+    branches: [ master, 'INLONG-*' ]
+  pull_request:
+    branches: [ master, 'INLONG-*' ]
+
+jobs:
+  analyze:
+    name: Analyze by CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
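
Review bot: every `uses:` in this file is referenced by a mutable major-version tag (`actions/checkout@v2` here, and the same pattern for the CodeQL, setup-java and cache steps further down). For a workflow that is granted `security-events: write`, pinning each action to a full commit SHA, with the version tag kept in a trailing comment so Dependabot can still propose bumps, removes the risk that a retagged or compromised release of the action runs with that token; it also turns the v2-to-v3 upgrades suggested in this review into explicit, reviewable diffs instead of silent changes.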

Review Comment:
   Now, the latest checkout action version is `v3`.
   ```suggestion
         - name: Checkout
           uses: actions/checkout@v3
   ```
   





[GitHub] [incubator-inlong] shink commented on pull request #4372: [WIP] add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
shink commented on PR #4372:
URL: https://github.com/apache/incubator-inlong/pull/4372#issuecomment-1149428628

   @dockerzhang Unfortunately, there should be at least one query. Please see this [check](https://github.com/apache/incubator-inlong/runs/6786713924?check_suite_focus=true).
   
   ```
   Error: Did not detect any queries to run for java. Please make sure that the default queries are enabled, or you are specifying queries to run.
   ```




[GitHub] [inlong] dockerzhang merged pull request #4372: [INLONG-2440][CI] Add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
dockerzhang merged PR #4372:
URL: https://github.com/apache/inlong/pull/4372




[GitHub] [incubator-inlong] shink commented on a diff in pull request #4372: [WIP] add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
shink commented on code in PR #4372:
URL: https://github.com/apache/incubator-inlong/pull/4372#discussion_r885167761


##########
.github/workflows/codeql-analysis.yml:
##########
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: InLong Vulnerabilities Scan
+
+on:
+  push:
+    branches: [ master, 'INLONG-*' ]
+  pull_request:
+    branches: [ master, 'INLONG-*' ]
+
+jobs:
+  analyze:
+    name: Analyze by CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: ${{ matrix.language }}

Review Comment:
   Now, the latest codeql-action version is v2.
   ```suggestion
         - name: Initialize CodeQL
           uses: github/codeql-action/init@v2
           with:
             languages: ${{ matrix.language }}
   ```
   





[GitHub] [incubator-inlong] shink commented on a diff in pull request #4372: [WIP] add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
shink commented on code in PR #4372:
URL: https://github.com/apache/incubator-inlong/pull/4372#discussion_r891895139


##########
.github/workflows/ci_codeql.yml:
##########
@@ -24,8 +24,6 @@ jobs:
     name: Analyze by CodeQL
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read

Review Comment:
   These two fields are only required for workflows in private repositories. So I deleted them.





[GitHub] [incubator-inlong] shink commented on pull request #4372: [WIP] add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
shink commented on PR #4372:
URL: https://github.com/apache/incubator-inlong/pull/4372#issuecomment-1144336881

   @dockerzhang We can use a custom configuration file and then disable the default queries. Please check out https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#disabling-the-default-queries
   But I haven't tested it. I can test it later.
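As an added illustration, not a file from this PR or from the InLong repository, this is the shape of a custom CodeQL configuration that disables the default queries but still names at least one query to run, which is what the "Did not detect any queries to run for java" failure quoted earlier in the thread is complaining about. The path `.github/codeql/codeql-config.yml` is the one mentioned in the review comments; the `security-extended` suite, the `query-filters` placeholder id and the `paths-ignore` pattern are assumptions, not choices the project made.

```yaml
# .github/codeql/codeql-config.yml (added example; not the PR's own file)
name: "InLong CodeQL config"

# Switching the default suite off is the knob discussed in this thread, but
# CodeQL then refuses to run unless at least one query is listed below.
disable-default-queries: true

queries:
  # Assumption: the standard security suite is re-enabled explicitly so the
  # scan still does useful work; rules the team is not ready to fix yet are
  # excluded one by one via query-filters rather than by turning everything off.
  - uses: security-extended

query-filters:
  # Placeholder: replace with the rule id shown on the code-scanning alert
  # that is being deferred, one "exclude" entry per rule.
  - exclude:
      id: java/PLACEHOLDER-RULE-ID

paths-ignore:
  # Assumption: test sources are not part of the shipped artefact.
  - "**/src/test/**"
```

The workflow's `Initialize CodeQL` step then points at the file with `config-file: ./.github/codeql/codeql-config.yml` under its `with:` block, alongside the existing `languages:` input.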




[GitHub] [incubator-inlong] shink commented on a diff in pull request #4372: [WIP] add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
shink commented on code in PR #4372:
URL: https://github.com/apache/incubator-inlong/pull/4372#discussion_r885168280


##########
.github/workflows/codeql-analysis.yml:
##########
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: InLong Vulnerabilities Scan
+
+on:
+  push:
+    branches: [ master, 'INLONG-*' ]
+  pull_request:
+    branches: [ master, 'INLONG-*' ]
+
+jobs:
+  analyze:
+    name: Analyze by CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: ${{ matrix.language }}
+
+      # build project
+      - name: Set up JDK
+        uses: actions/setup-java@v2
+        with:
+          java-version: 8
+          distribution: adopt
+
+      - name: Cache Maven packages
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/.m2/repository
+            !~/.m2/repository/org/apache/inlong
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
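
Review bot: the `# build project` comment introduces the JDK and cache steps, but the build itself is not in this hunk; for Java, CodeQL only analyses code that is actually compiled between `init` and `analyze`, so whatever build step follows must compile every module (a build that skips tests is enough, but modules left out via profiles are not scanned). On the cache, excluding `~/.m2/repository/org/apache/inlong` from `path` is the right call, since it keeps the project's own freshly built snapshots from being restored into later runs; the loose `restore-keys: ${{ runner.os }}-m2` prefix is fine because Maven downloads anything the restored cache lacks.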

Review Comment:
   Now, the latest cache action version is v3.
   ```suggestion
         - name: Cache Maven packages
           uses: actions/cache@v3
           with:
             path: |
               ~/.m2/repository
               !~/.m2/repository/org/apache/inlong
             key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
             restore-keys: ${{ runner.os }}-m2
   ```





[GitHub] [inlong] shink commented on pull request #4372: [INLONG-2440][CI] Add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
shink commented on PR #4372:
URL: https://github.com/apache/inlong/pull/4372#issuecomment-1173007053

   @dockerzhang Does this [dependency-review-action](https://github.com/actions/dependency-review-action) meet your need? This Action can detect vulnerable dependencies in PRs.
   




[GitHub] [incubator-inlong] shink commented on a diff in pull request #4372: [WIP] add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
shink commented on code in PR #4372:
URL: https://github.com/apache/incubator-inlong/pull/4372#discussion_r885168052


##########
.github/workflows/codeql-analysis.yml:
##########
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: InLong Vulnerabilities Scan
+
+on:
+  push:
+    branches: [ master, 'INLONG-*' ]
+  pull_request:
+    branches: [ master, 'INLONG-*' ]
+
+jobs:
+  analyze:
+    name: Analyze by CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: ${{ matrix.language }}
+
+      # build project
+      - name: Set up JDK
+        uses: actions/setup-java@v2
+        with:
+          java-version: 8
+          distribution: adopt
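
Review bot: `distribution: adopt` selects AdoptOpenJDK, which has moved to Eclipse Adoptium and is no longer updated; setup-java lists `adopt` as a legacy distribution and `temurin` as its successor, so when this step is bumped to `actions/setup-java@v3` as suggested above, switch to `distribution: temurin` in the same change so new JDK 8 builds keep being picked up.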

Review Comment:
   Now, the latest setup-java action version is v3.
   ```suggestion
         - name: Set up JDK
           uses: actions/setup-java@v3
           with:
             java-version: 8
             distribution: adopt
   ```
   





[GitHub] [incubator-inlong] shink commented on a diff in pull request #4372: [WIP] add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
shink commented on code in PR #4372:
URL: https://github.com/apache/incubator-inlong/pull/4372#discussion_r885172470


##########
.github/workflows/codeql-analysis.yml:
##########
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: InLong Vulnerabilities Scan
+
+on:
+  push:
+    branches: [ master, 'INLONG-*' ]
+  pull_request:
+    branches: [ master, 'INLONG-*' ]
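
Review bot: with `push` and `pull_request` both filtered to `master` and `INLONG-*`, a PR opened from an in-repo `INLONG-*` branch runs the full scan twice per commit (once for the push, once for the PR), and the broader `on: [ push, pull_request ]` suggested here keeps that duplication for every branch; restricting `push` to `master` removes it. The larger gap is fork PRs: a `pull_request` run from a fork gets a read-only `GITHUB_TOKEN`, so `security-events: write` is not granted and the SARIF upload at the end of the job fails even when the analysis itself is clean. There is no token fix for that, so the job should either skip the upload for forks (an `if:` comparing `github.event.pull_request.head.repo.full_name` with `github.repository`) or document that the upload step is expected to fail on fork PRs.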

Review Comment:
   This check can be triggered on another branch, such as `release`. And we can add configuration in `.github/codeql/codeql-config.yml`. Please check out https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-a-custom-configuration-file
   
   ```suggestion
   on: [ push, pull_request ]
   ```





[GitHub] [incubator-inlong] dockerzhang commented on pull request #4372: [WIP] add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
dockerzhang commented on PR #4372:
URL: https://github.com/apache/incubator-inlong/pull/4372#issuecomment-1144334211

   @shink do you know how to avoid the high-severity security vulnerabilities temporarily? These vulnerabilities will be fixed in the future. We need to keep the workflow runs passing now and prevent new vulnerabilities from appearing.




[GitHub] [incubator-inlong] dockerzhang commented on a diff in pull request #4372: [WIP] add a workflow to Scan InLong common vulnerabilities

Posted by GitBox <gi...@apache.org>.
dockerzhang commented on code in PR #4372:
URL: https://github.com/apache/incubator-inlong/pull/4372#discussion_r891970157


##########
.github/workflows/ci_codeql.yml:
##########
@@ -24,8 +24,6 @@ jobs:
     name: Analyze by CodeQL
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read

Review Comment:
   Change back to `disable-default-queries: false`?


