[CALCITE-1989] Check dependencies for vulnerabilities each release Run maven with -Ppedantic to generate a vulnerability report.
Upgrade Apache Spark.
Project: http://git-wip-us.apache.org/repos/asf/calcite/repo
Commit: http://git-wip-us.apache.org/repos/asf/calcite/commit/d173640c
Tree: http://git-wip-us.apache.org/repos/asf/calcite/tree/d173640c
Diff: http://git-wip-us.apache.org/repos/asf/calcite/diff/d173640c
Branch: refs/heads/master
Commit: d173640c202238c8cb6bdb87d20ab4f3f9fcc88b
Parents: 3e97cff
Author: Julian Hyde <[email protected]>
Authored: Mon Sep 18 18:00:16 2017 -0700
Committer: Julian Hyde <[email protected]>
Committed: Mon Oct 2 11:13:42 2017 -0700
----------------------------------------------------------------------
pom.xml | 34 +++++++++++++++++++++++++++++++++-
site/_docs/howto.md | 3 +++
2 files changed, 36 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/calcite/blob/d173640c/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 6b76026..f459a1c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -51,6 +51,9 @@ limitations under the License.
 <version.major>1</version.major>
 <version.minor>14</version.minor>
 
+ <!-- Don't fail the build for vulnerabilities below this threshold. -->
+ <failBuildOnCVSS>8</failBuildOnCVSS>
+
 <!-- This list is in alphabetical order. -->
 <airlift-tpch.version>0.1</airlift-tpch.version>
 <avatica.version>1.10.0</avatica.version>
@@ -111,6 +114,7 @@ limitations under the License.
 <natty.version>0.13</natty.version>
 <opencsv.version>2.3</opencsv.version>
 <oracle-jdbc6-driver.version>11.2.0.2.0</oracle-jdbc6-driver.version>
+ <owasp-dependency-check.version>2.1.1</owasp-dependency-check.version>
 <pig.version>0.16.0</pig.version>
 <aggdesigner.version>6.0</aggdesigner.version>
 <postgresql.version>9.3-1102-jdbc3</postgresql.version>
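Review bot: The default of 8 given to `failBuildOnCVSS` on the added property line means a plain `-Ppedantic` run already fails the build on any finding scored 8.0 or higher, which contradicts the howto text added in this same commit that tells the release manager to run `-Ppedantic` for a report and only then "run again with `-DfailBuildOnCVSS=8`" — with this default the second run changes nothing, and a report-only run would need a value above 10 (e.g. `-DfailBuildOnCVSS=11`), since no CVSS score can reach it. Either default the property to 11 here and keep the howto's two-step wording, or keep 8 and make the howto say that the first run is already enforcing. 8 is also an unusual cut: CVSS "High" starts at 7.0, so 7.0–7.9 findings are reported but never block a release; if that is deliberate the comment should say so, e.g. `<!-- Fail the build only for dependency vulnerabilities with CVSS >= this score (High starts at 7.0; any value above 10 disables failing). Consumed by the pedantic profile. -->`.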
@@ -119,7 +123,7 @@ limitations under the License.
 <scott-data-hsqldb.version>0.1</scott-data-hsqldb.version>
 <servlet.version>3.0.1</servlet.version>
 <slf4j.version>1.7.13</slf4j.version>
- <spark.version>1.6.1</spark.version>
+ <spark.version>1.6.3</spark.version>
 <sqlline.version>1.3.0</sqlline.version>
 <xalan.version>2.7.1</xalan.version>
 <xerces.version>2.9.1</xerces.version>
@@ -840,6 +844,11 @@ limitations under the License.
 <version>${javacc-maven-plugin.version}</version>
 </plugin>
 <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${owasp-dependency-check.version}</version>
+ </plugin>
+ <plugin>
 <groupId>pl.project13.maven</groupId>
 <artifactId>git-commit-id-plugin</artifactId>
 <version>${git-commit-id-plugin.version}</version>
@@ -1045,5 +1054,28 @@ limitations under the License.
 </plugins>
 </build>
 </profile>
+ <profile>
+ <!-- Extra checks that are disabled in the regular build, enabled for
+ releases and on demand. -->
+ <id>pedantic</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <configuration>
+ <failBuildOnCVSS>${failBuildOnCVSS}</failBuildOnCVSS>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
 </profiles>
 </project>
http://git-wip-us.apache.org/repos/asf/calcite/blob/d173640c/site/_docs/howto.md
----------------------------------------------------------------------
diff --git a/site/_docs/howto.md b/site/_docs/howto.md
index 1a6b27e..26744dd 100644
--- a/site/_docs/howto.md
+++ b/site/_docs/howto.md
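Review bot: The dependency-check configuration in the new `pedantic` profile has no suppression file, so the first false-positive CPE match scored at or above the threshold blocks the release build, and the only remedy visible in the pom is raising `failBuildOnCVSS` for everything, which also hides real findings. Pair the threshold with `<suppressionFiles><suppressionFile>${project.basedir}/src/main/config/owasp-suppressions.xml</suppressionFile></suppressionFiles>` inside `<configuration>` so each exclusion is recorded with a reason and can be reviewed per release. The `check` execution also declares no `<phase>`, so it runs at whatever phase the goal defaults to (presumably `verify`); `<phase>verify</phase>` makes that explicit to anyone reading the pom. The profile comment says the checks are "enabled for releases", but nothing in this hunk activates the profile — there is no `<activation>` and no `<releaseProfiles>` on a release plugin — so enforcement rests entirely on the manual howto step; either wire it in (outside this hunk) or reword the comment to "run on demand, including as a release-checklist step". Finally, dependency-check fetches NVD data during the run, so a one-line comment in the profile noting that the step needs network access would save a release manager a surprise.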
@@ -436,6 +436,9 @@ Before you start: * Make sure build and tests succeed, including with `-P it,it-oracle`. * Make sure that `mvn javadoc:javadoc javadoc:test-javadoc` succeeds (i.e. gives no errors; warnings are OK) +* Generate a report of vulnerabilities that occur among dependencies, + using `-Ppedantic`; if you like, run again with `-DfailBuildOnCVSS=8` to see + whether serious vulnerabilities exist. * Make sure that `mvn apache-rat:check` succeeds. (It will be run as part of the release, but it's better to trouble-shoot early.) * Decide the supported configurations of JDK, operating system and
