lhotari opened a new pull request #10855:
URL: https://github.com/apache/pulsar/pull/10855
### Motivation
Monitoring for new library vulnerabilities without having an automated
solution is prone to errors.
There's an enhancement request #8815 about "Automated security and update
routine before every release". This PR will help address those aspects.
New library vulnerabilities can be detected earlier when there's a scheduled
build once per day.
### Modifications
- add suppressions for false positives
- add suppressions for known issues in distribution/server and make the check
fail if new vulnerabilities are introduced
- run reports for distribution/offloaders, distribution/io and
pulsar-sql/presto-distribution to get a complete report of all
vulnerabilities
- upload report files as GitHub Actions artifact
### Additional context
The current master branch contains a few vulnerabilities:
- libthrift-0.12.0.jar (pkg:maven/org.apache.thrift/libthrift@0.12.0,
cpe:2.3:a:apache:thrift:0.12.0:*:*:*:*:*:*:*): CVE-2019-0205, CVE-2019-0210,
CVE-2020-13949
  - issue #9248
- vertx-core-3.5.4.jar (pkg:maven/io.vertx/vertx-core@3.5.4,
cpe:2.3:a:eclipse:vert.x:3.5.4:*:*:*:*:*:*:*): CVE-2018-12541, CVE-2019-17640
  - more details in #10295. Waiting for vert.x 3.9.8 release.
- zookeeper-3.6.2.jar (pkg:maven/org.apache.zookeeper/zookeeper@3.6.2,
cpe:2.3:a:apache:zookeeper:3.6.2:*:*:*:*:*:*:*): CVE-2021-21409
  - fixed by #10852
These are suppressed in the `src/owasp-dependency-check-suppressions.xml` file
so that it's possible to run OWASP Dependency Check with
`-DfailBuildOnAnyVulnerability=true` to fail the build if any new
vulnerabilities are detected. This is how this PR sets a baseline so that
library vulnerabilities can be tracked.
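As an added illustration (not the PR's actual `src/owasp-dependency-check-suppressions.xml`), this is what a narrowly scoped entry for the vert.x finding above looks like in the dependency-check suppression format: it keys on the exact package URL and the specific CVEs rather than the whole jar, and the `until` date (an assumed placeholder) makes the suppression expire so the baseline is revisited instead of silently persisting after vert.x 3.9.8 ships.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Added example, not the file from the PR. Covers the vert.x finding
       from the PR description; the until date is an assumed placeholder. -->
  <suppress until="2021-09-30Z">
    <notes><![CDATA[
      vertx-core 3.5.4: CVE-2018-12541 / CVE-2019-17640 are tracked in #10295,
      waiting for the vert.x 3.9.8 release. The entry expires so it has to be
      re-examined rather than quietly outliving the upgrade.
    ]]></notes>
    <!-- Pinned to the exact version: after the upgrade the suppression stops
         matching, so anything still reported against the new jar is visible. -->
    <packageUrl regex="true">^pkg:maven/io\.vertx/vertx\-core@3\.5\.4$</packageUrl>
    <cve>CVE-2018-12541</cve>
    <cve>CVE-2019-17640</cve>
  </suppress>
</suppressions>
```

With `-DfailBuildOnAnyVulnerability=true`, any CVE not covered by an entry like this fails the scheduled build, which is the baseline behaviour described above.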
--
This is an automated message from the Apache Git Service.