This is an automated email from the ASF dual-hosted git repository. kgyrtkirk pushed a commit to branch 36.0.0 in repository https://gitbox.apache.org/repos/asf/druid.git
commit e6995ef7ca45d6322411a31a29170457778ed856 Author: Zoltan Haindrich <[email protected]> AuthorDate: Thu Jan 15 16:06:40 2026 +0100 Fix vuln-scan in cron-jobs (#18898) (cherry picked from commit 78828284bacfad9fe438fa21847c056e62311f25) --- .github/workflows/cron-job-its.yml | 6 +++++- licenses.yaml | 11 ++++++++++- pom.xml | 5 ++--- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cron-job-its.yml b/.github/workflows/cron-job-its.yml index 1fb0c7a4fe7..063d4adddce 100644 --- a/.github/workflows/cron-job-its.yml +++ b/.github/workflows/cron-job-its.yml @@ -90,8 +90,12 @@ jobs: run: mvn clean install -P dist -P skip-static-checks,skip-tests -Dmaven.javadoc.skip=true -Dcyclonedx.skip=true -Dweb.console.skip=true - name: security vulnerabilities check + env: + OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }} + OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }} + NVD_API_KEY: ${{ secrets.NVD_API_KEY }} run: | - mvn dependency-check:purge dependency-check:check || { echo " + mvn -B dependency-check:purge dependency-check:check -DnvdApiKey=$NVD_API_KEY -DossIndexUsername=$OSS_INDEX_USERNAME -DossIndexPassword=$OSS_INDEX_PASSWORD || { echo " The OWASP dependency check has found security vulnerabilities. Please use a newer version of the dependency that does not have vulnerabilities. To see a report run `mvn dependency-check:check` diff --git a/licenses.yaml b/licenses.yaml index d549eb5f596..27a58e22602 100644 --- a/licenses.yaml +++ b/licenses.yaml @@ -2466,11 +2466,20 @@ module: java-core license_name: Apache License version 2.0 version: 1.8.1 libraries: - - at.yawk.lz4: lz4-java - org.lz4: lz4-java --- +name: LZ4 Java +license_category: binary +module: java-core +license_name: Apache License version 2.0 +version: 1.10.2 +libraries: + - at.yawk.lz4: lz4-java + +--- + name: MapDB license_category: binary module: java-core diff --git a/pom.xml b/pom.xml index 6d9df278c9f..33c190198f8 100644 --- a/pom.xml +++ b/pom.xml 
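Review bot: The OSS Index password and NVD key are passed on the mvn command line (`-DossIndexPassword=$OSS_INDEX_PASSWORD`, `-DnvdApiKey=$NVD_API_KEY`) even though the same hunk already exports them as step `env`; argv is readable by every process on the runner (a real concern on self-hosted runners) and by anything that dumps JVM system properties, whereas the `settings.xml` server route this commit removes from pom.xml (`ossIndexServerId`) keeps credentials out of the command line. At minimum the expansions should be double-quoted, `-DnvdApiKey="$NVD_API_KEY" -DossIndexUsername="$OSS_INDEX_USERNAME" -DossIndexPassword="$OSS_INDEX_PASSWORD"`, so a value containing whitespace or shell metacharacters cannot split into extra arguments. When the workflow runs without access to repository secrets (for example from a fork) all three variables are empty and the flags become `-DnvdApiKey=` etc., so it is worth confirming that dependency-check then degrades to unauthenticated access rather than failing the step for an unrelated reason. The `|| { echo "` recovery block that starts here continues past the end of the hunk, so whether it terminates with `exit 1` is not visible from this diff.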
@@ -911,7 +911,7 @@ <dependency> <groupId>at.yawk.lz4</groupId> <artifactId>lz4-java</artifactId> - <version>1.8.1</version> + <version>1.10.2</version> </dependency> <dependency> <groupId>org.xerial.snappy</groupId> @@ -1846,10 +1846,9 @@ <plugin> <groupId>org.owasp</groupId> <artifactId>dependency-check-maven</artifactId> - <version>12.1.0</version> + <version>12.2.0</version> <configuration> <nvdApiKey>${nvdApiKey}</nvdApiKey> - <ossIndexServerId>ossindex-credentials</ossIndexServerId> <failBuildOnCVSS>7</failBuildOnCVSS> <skipProvidedScope>true</skipProvidedScope> <skipSystemScope>true</skipSystemScope> <!-- avoid error when processing jdk.tools:jdk.tools:jar:1.8:system --> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
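Review bot: Removing `<ossIndexServerId>ossindex-credentials</ossIndexServerId>` leaves the `<configuration>` block with an explicit `${nvdApiKey}` binding but nothing for the OSS Index credential pair, so authenticated OSS Index access now depends entirely on dependency-check-maven 12.2.0 honouring the `-DossIndexUsername`/`-DossIndexPassword` user properties the CI job passes. Please verify those property names against the 12.2.0 plugin documentation, because if they are not recognised the analyzer would presumably fall back to anonymous requests and the scan failure this commit is meant to fix would quietly return; if the plugin exposes them as configuration parameters, wiring `<ossIndexUsername>${ossIndexUsername}</ossIndexUsername>` and `<ossIndexPassword>${ossIndexPassword}</ossIndexPassword>` next to `<nvdApiKey>` would make that dependency visible in the pom. A one-line comment above `<nvdApiKey>`, such as `<!-- NVD and OSS Index credentials are supplied by CI via -DnvdApiKey/-DossIndexUsername/-DossIndexPassword; unauthenticated otherwise -->`, would also help developers who follow the workflow's advice to run `mvn dependency-check:check` locally.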
