This is an automated email from the ASF dual-hosted git repository.
kgyrtkirk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new 78828284bac Fix vuln-scan in cron-jobs (#18898)
78828284bac is described below
commit 78828284bacfad9fe438fa21847c056e62311f25
Author: Zoltan Haindrich <[email protected]>
AuthorDate: Thu Jan 15 16:06:40 2026 +0100
Fix vuln-scan in cron-jobs (#18898)
---
.github/workflows/cron-job-its.yml | 6 +++++-
licenses.yaml | 11 ++++++++++-
pom.xml | 5 ++---
3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/cron-job-its.yml
b/.github/workflows/cron-job-its.yml
index 1fb0c7a4fe7..063d4adddce 100644
--- a/.github/workflows/cron-job-its.yml
+++ b/.github/workflows/cron-job-its.yml
@@ -90,8 +90,12 @@ jobs:
run: mvn clean install -P dist -P skip-static-checks,skip-tests
-Dmaven.javadoc.skip=true -Dcyclonedx.skip=true -Dweb.console.skip=true
- name: security vulnerabilities check
+ env:
+ OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+ OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
+ NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
run: |
- mvn dependency-check:purge dependency-check:check || { echo "
+ mvn -B dependency-check:purge dependency-check:check
-DnvdApiKey=$NVD_API_KEY -DossIndexUsername=$OSS_INDEX_USERNAME
-DossIndexPassword=$OSS_INDEX_PASSWORD || { echo "
The OWASP dependency check has found security vulnerabilities.
Please use a newer version
of the dependency that does not have vulnerabilities. To see a
report run
`mvn dependency-check:check`
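Review bot: The NVD key and OSS Index credentials are now placed on the Maven command line as `-DnvdApiKey=$NVD_API_KEY -DossIndexUsername=$OSS_INDEX_USERNAME -DossIndexPassword=$OSS_INDEX_PASSWORD`, which makes them readable to any other process on the runner through the process argument list and lets a later `-X` debug run print them among the effective system properties; GitHub's log masking only redacts exact matches and does nothing for argv. Since the step already exports them as environment variables, a less leaky route is a `settings.xml` `<server>` entry written from the secrets (the serverId form the pom.xml hunk removes) rather than argv. Confirm as well that dependency-check-maven 12.2.0 actually honours `ossIndexUsername`/`ossIndexPassword` as user properties, because the pom only maps `nvdApiKey` explicitly and an ignored property would silently leave the OSS Index lookup unauthenticated. The `|| { echo ... }` handler continues past the hunk, so whether it still ends in a non-zero exit is not visible here.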
diff --git a/licenses.yaml b/licenses.yaml
index 83cd8176f35..b94b27687c8 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -2466,11 +2466,20 @@ module: java-core
license_name: Apache License version 2.0
version: 1.8.1
libraries:
- - at.yawk.lz4: lz4-java
- org.lz4: lz4-java
---
+name: LZ4 Java
+license_category: binary
+module: java-core
+license_name: Apache License version 2.0
+version: 1.10.2
+libraries:
+ - at.yawk.lz4: lz4-java
+
+---
+
name: MapDB
license_category: binary
module: java-core
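Review bot: After this change licenses.yaml records both `at.yawk.lz4: lz4-java` at 1.10.2 and `org.lz4: lz4-java` still at 1.8.1, so the unpatched upstream lz4-java artifact apparently remains in the distribution (presumably pulled in transitively) alongside the bumped fork. If the finding that motivated this bump is in lz4-java itself, the old jar on the classpath keeps the vulnerable code reachable even if the scanner only keys on the coordinates it recognises; it is worth checking `mvn dependency:tree -Dincludes=org.lz4` and either excluding `org.lz4:lz4-java` or aligning it with the fixed release. If the two coordinates are intentionally kept at different versions, a one-line comment above the entries saying why would spare the next reader the same question.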
diff --git a/pom.xml b/pom.xml
index 8e8b988c507..b31dbab0d10 100644
--- a/pom.xml
+++ b/pom.xml
@@ -911,7 +911,7 @@
<dependency>
<groupId>at.yawk.lz4</groupId>
<artifactId>lz4-java</artifactId>
- <version>1.8.1</version>
+ <version>1.10.2</version>
</dependency>
<dependency>
<groupId>org.xerial.snappy</groupId>
@@ -1846,10 +1846,9 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
- <version>12.1.0</version>
+ <version>12.2.0</version>
<configuration>
<nvdApiKey>${nvdApiKey}</nvdApiKey>
- <ossIndexServerId>ossindex-credentials</ossIndexServerId>
<failBuildOnCVSS>7</failBuildOnCVSS>
<skipProvidedScope>true</skipProvidedScope>
<skipSystemScope>true</skipSystemScope> <!-- avoid error
when processing jdk.tools:jdk.tools:jar:1.8:system -->
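Review bot: Dropping `<ossIndexServerId>ossindex-credentials</ossIndexServerId>` removes the only credential source that works for a plain local `mvn dependency-check:check` — the command the workflow's failure message tells developers to run — so those runs now query OSS Index unauthenticated, and the CI run depends entirely on the `-D` flags supplied in the workflow. The settings.xml server mechanism also keeps the password out of the process argument list, whereas a `-DossIndexPassword=` property is visible to other processes and in Maven debug output. Unless the serverId route was broken in 12.2.0, I would keep it (CI can write the `<server>` entry from secrets) or at least document next to `<nvdApiKey>` where OSS Index credentials are now expected to come from, e.g. `<!-- OSS Index credentials: pass -DossIndexUsername/-DossIndexPassword (see cron-job-its.yml) -->`.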