This is an automated email from the ASF dual-hosted git repository.

stoty pushed a commit to branch 4.x
in repository https://gitbox.apache.org/repos/asf/phoenix.git


The following commit(s) were added to refs/heads/4.x by this push:
     new 5cbb813  PHOENIX-6065 Add OWASP dependency check, and update the 
flagged direct dependencies
5cbb813 is described below

commit 5cbb8134033530322ff42f992ea254eb79be6445
Author: Istvan Toth <st...@apache.org>
AuthorDate: Fri Aug 28 09:15:17 2020 +0200

    PHOENIX-6065 Add OWASP dependency check, and update the flagged direct 
dependencies
---
 BUILDING.md |  8 ++++++++
 pom.xml     | 33 +++++++++++++++++++++++++++++++--
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/BUILDING.md b/BUILDING.md
index 8a7d531..57116bd 100644
--- a/BUILDING.md
+++ b/BUILDING.md
@@ -89,6 +89,14 @@ generated at /target/site/jacoco/index.html
 To skip code coverage analysis
 `$ mvn verify -Dskip.code-coverage`
 
+Running OWASP Dependency-Check
+------------------------------
+
+To run OWASP Dependency-Check (https://owasp.org/www-project-dependency-check/)
+`$ mvn verify -DskipTests -Dowasp-check`
+
+The report is generated in target/dependency-check-report.html
+
 Findbugs
 --------
 
diff --git a/pom.xml b/pom.xml
index b98c498..4376310 100644
--- a/pom.xml
+++ b/pom.xml
@@ -153,8 +153,9 @@
     <!-- JaCoCo thresholds which we can override in each sub-module if 
required -->
     
<jacoco.instruction.coverage.percentage>0.700</jacoco.instruction.coverage.percentage>
     
<jacoco.branch.coverage.percentage>0.600</jacoco.branch.coverage.percentage>
-   <curator.version>2.12.0</curator.version>
+    <curator.version>2.12.0</curator.version>
 
+    <maven-owasp-plugin.version>5.3.2</maven-owasp-plugin.version>
   </properties>
 
   <build>
@@ -1248,7 +1249,35 @@
       </properties>
     </profile>
 
-
+    <profile>
+      <id>owasp-dependency-check</id>
+      <activation>
+        <property>
+          <name>owasp-check</name>
+        </property>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <version>${maven-owasp-plugin.version}</version>
+            <configuration>
+              <skipProvidedScope>true</skipProvidedScope>
+              <skipRuntimeScope>true</skipRuntimeScope>
+              <skipSystemScope>true</skipSystemScope>
+            </configuration>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>aggregate</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
 
     <profile>
       <id>codecoverage</id>
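Review bot: The `<skipRuntimeScope>true</skipRuntimeScope>` line in the plugin configuration leaves runtime-scoped dependencies out of the scan, and unlike provided/system scope those artifacts are normally part of the classpath that actually ships, so the report will be silent about any CVE in them; either drop that line or record the reason next to it, e.g. `<!-- provided/system scope is supplied by the cluster classpath; runtime scope skipped because ... -->`. With no `failBuildOnCVSS` set the `aggregate` goal only produces the report described in BUILDING.md, which is fine for an opt-in profile, but if this is later wired into CI a threshold plus a `suppressionFile` for known false positives would be needed for the check to gate anything. The property name `maven-owasp-plugin.version` from the earlier hunk does not match the artifactId `dependency-check-maven`; a name such as `dependency-check-maven.version` would make the pair easier to find together.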
