Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2020/02/09 23:33:04 UTC

[GitHub] [druid] ccaominh opened a new pull request #9340: Change security vulnerability scan to cron job

ccaominh opened a new pull request #9340: Change security vulnerability scan to cron job
URL: https://github.com/apache/druid/pull/9340
 
 
   ### Description
   
   Previously, when new CVEs were reported, the security vulnerability scan would unfortunately block PRs that did not modify any dependencies. To prevent this issue, the security scan is now run as a Travis cron job that runs on master and notifies the druid dev list if it fails. The security scan has also been added to the "apache-release" maven profile, to ensure that it passes before a release.
   
   Also adjusted some Travis CI job failure help messages to not be folded in the Travis CI job logs.
   
   After this PR is merged, I'll update the Apache Druid Travis CI settings to run a daily cronjob on master (which will run just the security scan job).
   
   <hr>
   
   This PR has:
   - [x] been self-reviewed.
   - [x] added comments explaining the "why" and the intent of the code wherever it would not be obvious for an unfamiliar reader.
   - [x] been manually tested in my fork: https://github.com/ccaominh/druid
   
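The cron-gated layout the description lays out, as an added illustration rather than the Druid project's own `.travis.yml`; the job name, the maven invocation and the mailing-list address are assumptions:

```yaml
# Added example, not the Druid repository's actual Travis configuration.
# The scan job is scheduled only for cron-triggered builds of master, so a newly
# published CVE cannot fail an unrelated pull request; release-time gating is
# left to the plugin being bound in the "apache-release" maven profile.
language: java
jdk: openjdk8

jobs:
  include:
    - name: "security vulnerability scan"   # assumed job name
      # Travis job condition: run only when the build was started by cron on master
      if: type = cron AND branch = master
      # The CVSS threshold, suppression file and scope skips are configured in
      # pom.xml; this assumes the plugin is declared there so the goal resolves.
      script: mvn -B org.owasp:dependency-check-maven:check

notifications:
  email:
    recipients:
      - dev@druid.apache.org   # assumed address for "the druid dev list"
    on_success: never
    on_failure: always         # a failed scheduled scan mails the list
```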

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


[GitHub] [druid] suneet-s commented on a change in pull request #9340: Change security vulnerability scan to cron job

Posted by GitBox <gi...@apache.org>.
suneet-s commented on a change in pull request #9340: Change security vulnerability scan to cron job
URL: https://github.com/apache/druid/pull/9340#discussion_r377843921
 
 

 ##########
 File path: pom.xml
 ##########
 @@ -1907,6 +1911,26 @@
                             </execution>
                         </executions>
                     </plugin>
+                    <plugin>
+                      <groupId>org.owasp</groupId>
+                      <artifactId>dependency-check-maven</artifactId>
+                      <version>${dependency-check-maven.version}</version>
+                      <configuration>
+                          <cveValidForHours>24</cveValidForHours>
+                          <failBuildOnCVSS>${dependency-check-maven.failBuildOnCVSS}</failBuildOnCVSS>
+                          <skipProvidedScope>true</skipProvidedScope>
+                          <skipSystemScope>true</skipSystemScope>  <!-- avoid error when processing jdk.tools:jdk.tools:jar:1.8:system -->
+                          <suppressionFile>owasp-dependency-check-suppressions.xml</suppressionFile>
+                      </configuration>
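Review bot: the `<configuration>` block from `<cveValidForHours>` through `<suppressionFile>` repeats settings that are normally kept in one place; if this plugin is already declared under `<pluginManagement>` with these values, keep only `<groupId>`, `<artifactId>` and `<version>` here so the managed configuration is inherited and the two copies cannot drift apart (any element repeated here overrides the managed one). The header `@@ -1907,6 +1911,26 @@` announces 20 added lines but only 11 are visible, so the `<executions>` binding and the closing `</plugin>` should be checked in the full diff.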
 
 Review comment:
   This can be omitted. It looks like the plugin will pick up the configuration of the `dependency-check-maven` plugin described above, so we don't need to duplicate this in the pom.


[GitHub] [druid] ccaominh merged pull request #9340: Change security vulnerability scan to cron job

Posted by GitBox <gi...@apache.org>.
ccaominh merged pull request #9340: Change security vulnerability scan to cron job
URL: https://github.com/apache/druid/pull/9340
 
 
   


[GitHub] [druid] ccaominh commented on issue #9340: Change security vulnerability scan to cron job

Posted by GitBox <gi...@apache.org>.
ccaominh commented on issue #9340: Change security vulnerability scan to cron job
URL: https://github.com/apache/druid/pull/9340#issuecomment-584868600
 
 
   Added a daily cron job to travis for running the security scan:
   
   ![image](https://user-images.githubusercontent.com/9208416/74282245-a26c3680-4cd4-11ea-8181-5ad8c951e219.png)
   
