shoothzj opened a new pull request, #4391:
URL: https://github.com/apache/bookkeeper/pull/4391

   ### Motivation
   
   The `integrate-tests` module depends on `arquillian-cube`, which is updated infrequently. The last release was in 2018, and it depends on a lot of dependencies with CVEs, like `bcprov-jdk15on-1.64.jar` etc. But it is still merging code frequently, and my team will try to ask for a new release. I think we can remove the tests module from the owasp check for now.
   
   I ran the check locally, fixed 7 errors, and no new errors were generated compared to the daily build result.
   
   #### Local Result
   
   ```
   [ERROR] amqp-client-5.5.3.jar: CVE-2023-46120(7.5)
   [ERROR] jetcd-core-0.7.7.jar: CVE-2020-15113(7.1)
   [ERROR] jetcd-grpc-0.7.7.jar: CVE-2023-44487(7.5), CVE-2017-8359(9.8), CVE-2023-33953(7.5), CVE-2020-15113(7.1), CVE-2020-7768(9.8), CVE-2017-7861(9.8), CVE-2017-9431(9.8), CVE-2017-7860(9.8)
   [ERROR] okio-3.2.0.jar: CVE-2023-3635(7.5)
   ```
   
   #### Daily build result
   
   ```
   Error:  amqp-client-5.5.3.jar: CVE-2023-46120(7.5)
   Error:  bcprov-jdk15on-1.64.jar: CVE-2024-29857(7.5), CVE-2024-34447(7.699999809265137)
   Error:  jetcd-core-0.7.7.jar: CVE-2020-15113(7.1)
   Error:  jetcd-grpc-0.7.7.jar: CVE-2023-44487(7.5), CVE-2017-8359(9.8), CVE-2023-33953(7.5), CVE-2020-15113(7.1), CVE-2020-7768(9.8), CVE-2017-7861(9.8), CVE-2017-9431(9.8), CVE-2017-7860(9.8)
   Error:  okio-3.2.0.jar: CVE-2023-3635(7.5)
   Error:  plexus-cipher-2.0.jar: CVE-2022-4244(7.5)
   Error:  plexus-classworlds-2.7.0.jar: CVE-2022-4244(7.5)
   Error:  plexus-component-annotations-2.1.0.jar: CVE-2022-4244(7.5)
   Error:  plexus-interpolation-1.26.jar: CVE-2022-4244(7.5)
   Error:  plexus-sec-dispatcher-2.0.jar: CVE-2022-4244(7.5)
   Error:  snakeyaml-1.19.jar: CVE-2017-18640(7.5), CVE-2022-25857(7.5)
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.