[
https://issues.apache.org/jira/browse/HADOOP-13198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15299176#comment-15299176
]
Mike Yoder commented on HADOOP-13198:
-------------------------------------
Another thing to consider with a precommit hook is that the data that
dependency-check uses for CVEs is, quite literally, the CVE database. If
something pops up there, the results of dependency-check will change shortly
thereafter, potentially blocking innocent submittals because suddenly things
look worse.
To get serious about things, we'd want to somehow lock down the ability to add
new dependencies. IIRC Solr does something with jar signing.
> Add support for OWASP's dependency-check
> ----------------------------------------
>
> Key: HADOOP-13198
> URL: https://issues.apache.org/jira/browse/HADOOP-13198
> Project: Hadoop Common
> Issue Type: Improvement
> Components: build
> Reporter: Mike Yoder
> Assignee: Mike Yoder
> Priority: Minor
> Attachments: HADOOP-13198.001.patch,
> hadoop-all-dependency-check-report.html
>
>
> OWASP's Dependency-Check is a utility that identifies project
> dependencies and checks if there are any known, publicly disclosed,
> vulnerabilities.
> See https://www.owasp.org/index.php/OWASP_Dependency_Check
> This is very useful to stay on top of known vulnerabilities in third party
> jars. Since it's a maven plugin it's pretty easy to drop in.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
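The two points raised above (dropping the Maven plugin in, and the build breaking when a new CVE lands in the database) are illustrated by the following configuration. This is an added example and is not part of the JIRA thread or of the HADOOP-13198 patch. It uses the dependency-check Maven plugin's documented coordinates and parameters (the `check` goal, `failBuildOnCVSS`, `suppressionFiles`, and the suppression file's `until` attribute); the version property, file path, package URL pattern and the CVE id are placeholders to be replaced with the real values from a report. Two files are shown in one block, separated by comments.

```xml
<!-- file: pom.xml (fragment inside <build><plugins>) -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <!-- placeholder: pin a specific plugin release here -->
  <version>${dependency-check.version}</version>
  <configuration>
    <!-- Fail the build only for findings at or above this CVSS score.
         The default (11) never fails, so the plugin is report-only until
         this is set; 7 fails on High and Critical findings. -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <!-- Time-boxed suppressions: the escape hatch for the "a new CVE
         appeared overnight and now every commit is blocked" case. -->
    <suppressionFiles>
      <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

<!-- file: dependency-check-suppressions.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- 'until' makes the suppression expire: after this date the finding
       fails the build again, so the upgrade cannot be forgotten. -->
  <suppress until="2016-12-31Z">
    <notes><![CDATA[
      Placeholder: record here why the finding is accepted for now and
      which JIRA tracks the dependency upgrade.
    ]]></notes>
    <!-- placeholder package URL pattern for the affected artifact -->
    <packageUrl regex="true">^pkg:maven/org\.example/example-lib@.*$</packageUrl>
    <!-- placeholder: copy the exact id from the dependency-check report -->
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>
</suppressions>
```

Run `mvn verify` (or `mvn org.owasp:dependency-check-maven:check`) to produce the report and apply the threshold. Because the suppression expires, the mitigation stays temporary: the commit that was blocked by a fresh database entry can proceed, but the dependency still has to be upgraded before the `until` date or the build fails again.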