lhotari opened a new pull request #10288: URL: https://github.com/apache/pulsar/pull/10288
### Motivation

[OWASP Dependency-Check](https://owasp.org/www-project-dependency-check/) is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.

This PR adds basic configuration for the `org.owasp:dependency-check-maven` Maven plugin and makes it operational in the apache/pulsar project. This is a starting point. Later on, it's possible to improve this further and introduce a scheduled job to automate the checking and fail the job if a new critical or high vulnerability is detected.

### Modifications

Add the necessary Maven profiles and configuration so that it's possible to run the dependency-check independently for all projects. This is the way to run the dependency check for manual inspection:

```
# run dependency check for all projects
./build/pulsar_ci_tool.sh dependency_check
# open the html report in a browser
open target/dependency-check-report.html
```

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
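The PR description does not show the plugin configuration itself, nor how the follow-up idea (failing the job on a new critical or high finding) would be expressed. The `pom.xml` fragment below is an added illustration and is not the configuration from this PR or from apache/pulsar. It shows two Maven profiles for `org.owasp:dependency-check-maven`: one for manual inspection that never fails the build, and one for CI that fails on any finding with CVSS 7.0 or higher (the High and Critical bands) while reading a suppression file for reviewed false positives. The profile ids, the `dependency-check.version` property, and the suppression file path are assumptions; the plugin coordinates, goals and parameters (`aggregate`, `failBuildOnCVSS`, `formats`, `suppressionFiles`, `skipTestScope`, `assemblyAnalyzerEnabled`) are the plugin's own.

```xml
<!-- Illustrative configuration, not the one added by this PR.
     Profile ids, the version property and the suppression file path are assumed. -->
<project>
  <properties>
    <!-- assumption: pin the plugin release you have verified against the project -->
    <dependency-check.version>REPLACE_WITH_PINNED_RELEASE</dependency-check.version>
  </properties>

  <profiles>
    <!-- Manual inspection: produce HTML and JSON reports, never fail the build.
         failBuildOnCVSS defaults to 11, which is above the CVSS maximum of 10,
         so the build cannot fail on a finding. -->
    <profile>
      <id>dependency-check</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${dependency-check.version}</version>
            <configuration>
              <formats>
                <format>HTML</format>
                <format>JSON</format>
              </formats>
              <failBuildOnCVSS>11</failBuildOnCVSS>
              <!-- test-scoped dependencies never ship in the distribution -->
              <skipTestScope>true</skipTestScope>
              <!-- the .NET assembly analyzer needs mono; disable it on Java-only builds -->
              <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
            </configuration>
            <executions>
              <execution>
                <goals>
                  <!-- aggregate: one report across all reactor modules -->
                  <goal>aggregate</goal>
                </goals>
                <phase>verify</phase>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>

    <!-- CI gate: same scan, but fail on High (7.0-8.9) or Critical (9.0-10.0).
         Findings reviewed and accepted are listed in the suppression file so that
         only new findings break the job. -->
    <profile>
      <id>dependency-check-ci</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>${dependency-check.version}</version>
            <configuration>
              <formats>
                <format>HTML</format>
                <format>JSON</format>
              </formats>
              <failBuildOnCVSS>7</failBuildOnCVSS>
              <skipTestScope>true</skipTestScope>
              <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
              <suppressionFiles>
                <!-- assumed path; each entry should carry a notes element explaining why -->
                <suppressionFile>${maven.multiModuleProjectDirectory}/build/dependency-check-suppressions.xml</suppressionFile>
              </suppressionFiles>
            </configuration>
            <executions>
              <execution>
                <goals>
                  <goal>aggregate</goal>
                </goals>
                <phase>verify</phase>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

With these profiles, `mvn -Pdependency-check verify -DskipTests` produces the report for a human to read, while `mvn -Pdependency-check-ci verify -DskipTests` returns a non-zero exit status as soon as an unsuppressed finding scores 7.0 or above, which is what a scheduled job needs. Two practical caveats: the first run downloads the NVD data set and can take many minutes, so a cached `~/.m2` (or a dedicated `dataDirectory`) is worth keeping in CI, and suppressions should be written per CVE and per artifact rather than as broad regular expressions, otherwise the gate silently stops catching new advisories against the same library.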
