You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@nutch.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/11/19 20:58:00 UTC
[jira] [Commented] (NUTCH-2668) Integrate OWASP dependency checks
as ant target
[ https://issues.apache.org/jira/browse/NUTCH-2668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16692265#comment-16692265 ]
ASF GitHub Bot commented on NUTCH-2668:
---------------------------------------
sebastian-nagel closed pull request #401: NUTCH-2668 Integrate OWASP dependency checks as ant target
URL: https://github.com/apache/nutch/pull/401
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/build.xml b/build.xml
index e19179e12..928ffaa0e 100644
--- a/build.xml
+++ b/build.xml
@@ -612,6 +612,34 @@
</fail>
</target>
+ <!-- Check dependencies for security vulnerabilities -->
+ <!-- requires installation of OWASP dependency check tool, see -->
+ <!-- https://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html -->
+ <!-- get http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-3.3.2-release.zip -->
+ <!-- and unzip in directory ./ivy/ -->
+ <property name="dependency-check.home" value="${ivy.dir}/dependency-check-ant/"/>
+ <path id="dependency-check.path">
+ <pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
+ <fileset dir="${dependency-check.home}/lib">
+ <include name="*.jar"/>
+ </fileset>
+ </path>
+ <taskdef resource="dependency-check-taskdefs.properties">
+ <classpath refid="dependency-check.path" />
+ </taskdef>
+ <target name="report-vulnerabilities" description="--> check dependencies for security vulnerabilities">
+ <dependency-check projectname="${name}"
+ reportoutputdirectory="${build.dir}"
+ reportformat="ALL">
+ <suppressionfile path="${dependency-check.home}/dependency-check-suppressions.xml" />
+ <retirejsFilter regex="copyright.*jeremy long" />
+ <fileset dir="${build.dir}">
+ <include name="lib/*.jar"/>
+ <include name="plugins/*/*.jar"/>
+ </fileset>
+ </dependency-check>
+ </target>
+
<!-- ================================================================== -->
<!-- Documentation -->
<!-- ================================================================== -->
diff --git a/ivy/dependency-check-ant/dependency-check-suppressions.xml b/ivy/dependency-check-ant/dependency-check-suppressions.xml
new file mode 100644
index 000000000..e7de8febb
--- /dev/null
+++ b/ivy/dependency-check-ant/dependency-check-suppressions.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+ <suppress>
+ <notes>only applies to tika-server < 1.18</notes>
+ <gav regex="true">^org\.(apache\.tika:tika-(core|parsers)|gagravarr:vorbis-java-tika):.*$</gav>
+ <cve>CVE-2018-1335</cve>
+ </suppress>
+</suppressions>
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
> Integrate OWASP dependency checks as ant target
> -----------------------------------------------
>
> Key: NUTCH-2668
> URL: https://issues.apache.org/jira/browse/NUTCH-2668
> Project: Nutch
> Issue Type: Improvement
> Components: build
> Affects Versions: 2.4, 1.16
> Reporter: Sebastian Nagel
> Priority: Major
> Fix For: 2.4, 1.16
>
> Attachments: 1x-dependency-check-report.html, 1x-dependency-check-vulnerability.html, 2x-dependency-check-report.html, 2x-dependency-check-vulnerability.html
>
>
> [OWASP|http://www.owasp.org/] provides the [ant tool "dependency-check"|https://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html] which lists potential vulnerabilities of library dependencies. We should integrate the generation of vulnerability reports into our build system as an optional task/target recommended to be run from time to time and especially shortly before releases are prepared.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)