This is an automated email from the ASF dual-hosted git repository.
eolivelli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 3c29c7e Add OWASP Dependency Checker to the GH CI workflows (#13972)
3c29c7e is described below
commit 3c29c7e9c31b1f44ce86ba91f34a5127b3409dfa
Author: Andrey Yegorov <[email protected]>
AuthorDate: Tue Feb 1 00:53:44 2022 -0800
Add OWASP Dependency Checker to the GH CI workflows (#13972)
---
.github/workflows/ci-owasp-dep-check.yaml | 94 +++++++++++++++++++++++++++++++
distribution/io/pom.xml | 25 ++++++++
distribution/pom.xml | 1 -
pom.xml | 1 +
pulsar-io/docs/pom.xml | 27 +++++++++
pulsar-io/flume/pom.xml | 27 +++++++++
pulsar-io/hbase/pom.xml | 27 +++++++++
pulsar-io/hdfs2/pom.xml | 29 +++++++++-
pulsar-io/hdfs3/pom.xml | 29 +++++++++-
pulsar-io/pom.xml | 1 -
pulsar-sql/pom.xml | 28 +++++++++
tiered-storage/file-system/pom.xml | 27 +++++++++
12 files changed, 312 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci-owasp-dep-check.yaml
b/.github/workflows/ci-owasp-dep-check.yaml
new file mode 100644
index 0000000..2677705
--- /dev/null
+++ b/.github/workflows/ci-owasp-dep-check.yaml
@@ -0,0 +1,94 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: CI - Misc - OWASP Dependency Check
+on:
+ pull_request:
+ branches:
+ - master
+ push:
+ branches:
+ - branch-*
+
+env:
+ MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
-Dmaven.wagon.http.retryHandler.class=standard
-Dmaven.wagon.http.retryHandler.count=3
+
+jobs:
+
+ owasp-dep-check:
+ name:
+ runs-on: ubuntu-latest
+ timeout-minutes: 120
+
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+
+ - name: Tune Runner VM
+ uses: ./.github/actions/tune-runner-vm
+
+ - name: Detect changed pom files
+ id: changes
+ uses: apache/pulsar-test-infra/paths-filter@master
+ with:
+ filters: |
+ poms:
+ - 'pom.xml'
+ - '**/pom.xml'
+
+ - name: Cache local Maven repository
+ if: ${{ steps.changes.outputs.poms == 'true' }}
+ uses: actions/cache@v2
+ with:
+ path: |
+ ~/.m2/repository/*/*/*
+ !~/.m2/repository/org/apache/pulsar
+ key: ${{ runner.os }}-m2-dependencies-all-${{
hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-m2-dependencies-core-modules-${{
hashFiles('**/pom.xml') }}
+ ${{ runner.os }}-m2-dependencies-core-modules-
+
+ - name: Set up JDK 11
+ uses: actions/setup-java@v2
+ if: ${{ steps.changes.outputs.poms == 'true' }}
+ with:
+ distribution: 'temurin'
+ java-version: 11
+
+ - name: clean disk
+ if: ${{ steps.changes.outputs.poms == 'true' }}
+ run: |
+ sudo swapoff -a
+ sudo rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android
/opt/ghc
+ sudo apt clean
+ docker rmi $(docker images -q) -f
+ df -h
+
+ # Projects dependent on flume, hdfs, hbase, and presto currently
excluded from the scan.
+ - name: run "clean install verify" to trigger dependency check
+ if: ${{ steps.changes.outputs.poms == 'true' }}
+ run: mvn -q -B -ntp clean install verify
-PskipDocker,owasp-dependency-check -DskipTests -pl
'!pulsar-sql,!distribution/io,!distribution/offloaders,!tiered-storage/file-system,!pulsar-io/flume,!pulsar-io/hbase,!pulsar-io/hdfs2,!pulsar-io/hdfs3,!pulsar-io/docs'
+
+ - name: Upload report
+ uses: actions/upload-artifact@v2
+ if: ${{ cancelled() || failure() }}
+ continue-on-error: true
+ with:
+ name: dependency report
+ path: target/dependency-check-report.html
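Review bot: Every real step in the `owasp-dep-check` job is gated on `steps.changes.outputs.poms == 'true'` and the workflow has only `pull_request`/`push` triggers, so a CVE disclosed tomorrow against a dependency already in the tree is never caught until someone happens to touch a pom.xml. Add a nightly trigger, e.g. `schedule:` / `- cron: '0 6 * * *'`, and widen each gate to `if: ${{ steps.changes.outputs.poms == 'true' || github.event_name == 'schedule' }}`; the paths-filter step presumably has no base ref to diff against on a schedule event, so skip it there or give it an explicit `base:` — confirm against the action's docs. Separately, `apache/pulsar-test-infra/paths-filter@master` resolves a mutable branch at run time, which is exactly the supply-chain exposure a dependency-audit job should not carry itself; pin it (and ideally the other `uses:` entries) to a commit SHA. The job's `name:` is empty, so the check surfaces in the PR status list under the bare job id.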
diff --git a/distribution/io/pom.xml b/distribution/io/pom.xml
index b0abad7..15fea18 100644
--- a/distribution/io/pom.xml
+++ b/distribution/io/pom.xml
@@ -125,6 +125,31 @@
</plugins>
</build>
</profile>
+ <!--
+ The only working way for OWASP dependency checker plugin
+ to exclude module when failBuildOnCVSS is used
+ in the root pom's plugin.
+ -->
+ <profile>
+ <id>owasp-dependency-check</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ <phase>none</phase>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
</profiles>
</project>
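Review bot: The `<phase>none</phase>` execution in the `owasp-dependency-check` profile silently drops this module from a gate whose whole purpose is to fail on CVSS >= 7, and nothing in the pom records why or when the exclusion should be lifted. Replace the generic comment with one that states the reason and an exit condition, e.g. `<!-- TODO(security): excluded from the CVSS>=7 gate because the bundled connectors currently fail it (see the workflow's exclusion list); re-enable once they are upgraded or suppressed with an until= date. -->`. The execution also carries no `<id>`, so whether it overrides the root pom's execution or merely sits beside it depends on both using the implicit `default` id; the root execution is outside this hunk, so give this one an explicit matching `<id>` to make the override unambiguous.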
diff --git a/distribution/pom.xml b/distribution/pom.xml
index ee0a3c3..f8b1a48 100644
--- a/distribution/pom.xml
+++ b/distribution/pom.xml
@@ -53,7 +53,6 @@
<module>server</module>
</modules>
</profile>
-
</profiles>
<build>
diff --git a/pom.xml b/pom.xml
index 86bc285..1412831 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2326,6 +2326,7 @@ flexible messaging model and an intuitive client
API.</description>
<suppressionFile>${pulsar.basedir}/src/owasp-dependency-check-false-positives.xml</suppressionFile>
<suppressionFile>${pulsar.basedir}/src/owasp-dependency-check-suppressions.xml</suppressionFile>
</suppressionFiles>
+ <failBuildOnCVSS>7</failBuildOnCVSS>
<msbuildAnalyzerEnabled>false</msbuildAnalyzerEnabled>
<nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
<yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
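Review bot: `<failBuildOnCVSS>7</failBuildOnCVSS>` makes the two suppression files listed just above it the bypass for the new gate, and `owasp-dependency-check-suppressions.xml` (as opposed to the false-positives file) is where real findings get parked; every `<suppress>` entry there should carry an `until="YYYY-MM-DD"` attribute so a suppression expires and is re-evaluated instead of silencing a high-severity CVE indefinitely. The threshold also means medium findings (CVSS 4.0-6.9) produce no signal at all, because the workflow only uploads the report on failure; either upload the report unconditionally or document the choice here, e.g. `<!-- fail only on High/Critical (CVSS >= 7); lower scores appear in the report but do not block -->`. Whether the plugin version behind `${dependency-check-maven.version}` honours `until` is outside this hunk and should be confirmed.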
diff --git a/pulsar-io/docs/pom.xml b/pulsar-io/docs/pom.xml
index 3b234fb..c9a593a 100644
--- a/pulsar-io/docs/pom.xml
+++ b/pulsar-io/docs/pom.xml
@@ -215,5 +215,32 @@
</plugin>
</plugins>
</build>
+ <profiles>
+ <!--
+ The only working way for OWASP dependency checker plugin
+ to exclude module when failBuildOnCVSS is used
+ in the root pom's plugin.
+ -->
+ <profile>
+ <id>owasp-dependency-check</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ <phase>none</phase>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
</project>
diff --git a/pulsar-io/flume/pom.xml b/pulsar-io/flume/pom.xml
index dfa3047..881648f 100644
--- a/pulsar-io/flume/pom.xml
+++ b/pulsar-io/flume/pom.xml
@@ -138,5 +138,32 @@
</plugin>
</plugins>
</build>
+ <profiles>
+ <!--
+ The only working way for OWASP dependency checker plugin
+ to exclude module when failBuildOnCVSS is used
+ in the root pom's plugin.
+ -->
+ <profile>
+ <id>owasp-dependency-check</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ <phase>none</phase>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
</project>
diff --git a/pulsar-io/hbase/pom.xml b/pulsar-io/hbase/pom.xml
index 4f89865..21a95a7 100644
--- a/pulsar-io/hbase/pom.xml
+++ b/pulsar-io/hbase/pom.xml
@@ -95,5 +95,32 @@
</plugin>
</plugins>
</build>
+ <profiles>
+ <!--
+ The only working way for OWASP dependency checker plugin
+ to exclude module when failBuildOnCVSS is used
+ in the root pom's plugin.
+ -->
+ <profile>
+ <id>owasp-dependency-check</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ <phase>none</phase>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
</project>
diff --git a/pulsar-io/hdfs2/pom.xml b/pulsar-io/hdfs2/pom.xml
index 903c386..984d22e 100644
--- a/pulsar-io/hdfs2/pom.xml
+++ b/pulsar-io/hdfs2/pom.xml
@@ -92,5 +92,32 @@
</plugin>
</plugins>
</build>
-
+ <profiles>
+ <!--
+ The only working way for OWASP dependency checker plugin
+ to exclude module when failBuildOnCVSS is used
+ in the root pom's plugin.
+ -->
+ <profile>
+ <id>owasp-dependency-check</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ <phase>none</phase>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
+
</project>
\ No newline at end of file
diff --git a/pulsar-io/hdfs3/pom.xml b/pulsar-io/hdfs3/pom.xml
index d1b9160..dbaca3c 100644
--- a/pulsar-io/hdfs3/pom.xml
+++ b/pulsar-io/hdfs3/pom.xml
@@ -97,5 +97,32 @@
</plugin>
</plugins>
</build>
-
+ <profiles>
+ <!--
+ The only working way for OWASP dependency checker plugin
+ to exclude module when failBuildOnCVSS is used
+ in the root pom's plugin.
+ -->
+ <profile>
+ <id>owasp-dependency-check</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ <phase>none</phase>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
+
</project>
\ No newline at end of file
diff --git a/pulsar-io/pom.xml b/pulsar-io/pom.xml
index 2fec8d4..b098345 100644
--- a/pulsar-io/pom.xml
+++ b/pulsar-io/pom.xml
@@ -88,7 +88,6 @@
<module>data-generator</module>
</modules>
</profile>
-
</profiles>
<build>
diff --git a/pulsar-sql/pom.xml b/pulsar-sql/pom.xml
index a4eb11a..e9bca81 100644
--- a/pulsar-sql/pom.xml
+++ b/pulsar-sql/pom.xml
@@ -167,4 +167,32 @@
</plugins>
</build>
+ <profiles>
+ <!--
+ The only working way for OWASP dependency checker plugin
+ to exclude module when failBuildOnCVSS is used
+ in the root pom's plugin.
+ -->
+ <profile>
+ <id>owasp-dependency-check</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ <phase>none</phase>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
+
</project>
diff --git a/tiered-storage/file-system/pom.xml
b/tiered-storage/file-system/pom.xml
index c5da919..810d15d 100644
--- a/tiered-storage/file-system/pom.xml
+++ b/tiered-storage/file-system/pom.xml
@@ -179,4 +179,31 @@
</plugin>
</plugins>
</build>
+ <profiles>
+ <!--
+ The only working way for OWASP dependency checker plugin
+ to exclude module when failBuildOnCVSS is used
+ in the root pom's plugin.
+ -->
+ <profile>
+ <id>owasp-dependency-check</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ <phase>none</phase>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
</project>