You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hbase.apache.org by "Sean Busbey (JIRA)" <ji...@apache.org> on 2018/05/09 15:53:00 UTC

[jira] [Created] (HBASE-20553) Add dependency CVE checking to nightly tests

Sean Busbey created HBASE-20553:
-----------------------------------

             Summary: Add dependency CVE checking to nightly tests
                 Key: HBASE-20553
                 URL: https://issues.apache.org/jira/browse/HBASE-20553
             Project: HBase
          Issue Type: Umbrella
          Components: dependencies
    Affects Versions: 3.0.0
            Reporter: Sean Busbey
             Fix For: 3.0.0, 2.1.0


We should proactively work to flag dependencies with known CVEs so that we can then update them early in our development instead of near a release.

YETUS-441 is working to add a plugin for this, we should grab a copy early to make sure it works for us.

Rough outline:

1. [install yetus locally|http://yetus.apache.org/downloads/]
2. [install the dependency-check cli|https://www.owasp.org/index.php/OWASP_Dependency_Check] (homebrew instructions on right hand margin)
3. Get a local copy of the OWASP datafile ({{dependency-check --update-only --data /some/local/path/to/dir}})
4. Run {{hbase_nightly_yetus.sh}} using matching environment variables from the “yetus general check”  (currently [line #126 in our nightly Jenkinsfile|https://github.com/apache/hbase/blob/master/dev-support/Jenkinsfile#L126])
5. Grab the plugin definition and suppression file from from YETUS-441
6. put the plugin definition either in a directory of dev-support or into the hbase-personality.sh directly
7. Re-run {{hbase_nightly_yetus.sh}} to verify that the plugin results show up. (Probably this will involve adding new pointers for “where is the suppression file”, “where is the OWASP datafile” and pointing them somewhere locally.)

Once all of that is in place we’ll get the changes needed into a branch that we can test out. Over in YETUS-441 I’ll need to add a jenkins job that’ll handle periodically updating a copy of the datafile for the OWASP dependency checker. Presuming I have that in place by the time we have a nightly branch to check this out, then we’ll also need to update our nightly Jenkinsfile to fetch the data file from that job.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)