Can we build a way into CI to distinguish between these and a new vulnerability that has come up in an unchanged dependency?
On Fri, Sep 8, 2017 at 3:44 PM, Thomas Weise <t...@apache.org> wrote:

> On Fri, Sep 8, 2017 at 3:36 PM, Pramod Immaneni <pra...@datatorrent.com>
> wrote:
>
> > Though I like the functionality of being able to detect if a new
> > dependency being added has vulnerabilities and prompting the search for
> > a better version, I am wary of tying a build strongly to vulnerability
> > detection i.e., the build failing when vulnerabilities are discovered in
> > dependencies. This immediately blocks our project till those
> > vulnerabilities are addressed as nothing can go in because builds are
> > failing. If details are suppressed and we have a summary warning but not
> > fail the build, that should be ok.
>
> I think that if a new problem is introduced, then it should be discovered
> in the CI and the PR that causes it not be merged until it is addressed.
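One way CI can make the distinction asked about above, as an added example that is not code from this thread or from the project: compare the PR's scan results against the recorded report of the last main-branch build. A finding is then either introduced by the change (the dependency was added or its version bumped in the PR), a newly published finding against a dependency the PR did not touch, or one already known on the base branch. Only the first bucket fails the build; the other two are reported without blocking. The report layout (a list of findings with a coordinate, a version and a vulnerability id), the `org.example` coordinates and the `VULN-PLACEHOLDER-*` ids are all constructed for the example and do not correspond to any real scanner output or advisory.

```python
"""Classify dependency-scan findings on a pull request by cause.

Constructed example: the report layout, coordinates and vulnerability ids
below are assumptions for illustration, not any particular scanner's output.
The baseline is assumed to be the report recorded by the last main-branch
build; comparing against it is what lets a finding that was published since
then, against a dependency the PR did not change, be told apart from one
that the PR itself brought in.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTRODUCED = "introduced-by-change"     # dependency added or version changed by the PR
NEW_UNCHANGED = "new-in-unchanged-dep"  # dependency unchanged, finding not in the baseline
PREEXISTING = "pre-existing"            # already reported on the base branch


@dataclass(frozen=True)
class Finding:
    coordinate: str  # "group:artifact" style coordinate (assumed format)
    version: str
    vuln_id: str


def findings_from_json(text: str) -> List[Finding]:
    """Parse a report in the assumed layout: a JSON list of objects with
    'coordinate', 'version' and 'vuln_id' keys."""
    return [Finding(r["coordinate"], r["version"], r["vuln_id"]) for r in json.loads(text)]


def classify(base_deps: Dict[str, str],
             base_findings: List[Finding],
             pr_findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Bucket each PR finding by whether the change caused it.

    base_deps maps coordinate -> version as resolved on the base branch; it is
    needed separately from base_findings because an unchanged dependency may
    have had no findings at all when the baseline was recorded.
    """
    base_vulns = {(f.coordinate, f.vuln_id) for f in base_findings}
    buckets: Dict[str, List[Finding]] = {INTRODUCED: [], NEW_UNCHANGED: [], PREEXISTING: []}
    for f in pr_findings:
        if base_deps.get(f.coordinate) != f.version:
            # Not present on the base branch at this version: the PR added or bumped it.
            buckets[INTRODUCED].append(f)
        elif (f.coordinate, f.vuln_id) in base_vulns:
            buckets[PREEXISTING].append(f)
        else:
            # Same coordinate and version as the baseline, but the finding is new:
            # the vulnerability surfaced in the scanner's data since the last build.
            buckets[NEW_UNCHANGED].append(f)
    return buckets


def gate(buckets: Dict[str, List[Finding]]) -> Tuple[bool, List[str]]:
    """Fail only on findings the change introduced; report the rest as warnings."""
    messages = []
    for f in buckets[INTRODUCED]:
        messages.append(f"FAIL {f.vuln_id} in {f.coordinate}:{f.version} (introduced by this change)")
    for f in buckets[NEW_UNCHANGED]:
        messages.append(f"WARN {f.vuln_id} in {f.coordinate}:{f.version} (new finding, dependency unchanged)")
    for f in buckets[PREEXISTING]:
        messages.append(f"INFO {f.vuln_id} in {f.coordinate}:{f.version} (already known on base branch)")
    return len(buckets[INTRODUCED]) == 0, messages


# Constructed sample data (placeholders, not real artifacts or advisories).
BASE_DEPS = {"org.example:parser": "1.2.0", "org.example:netlib": "3.0.1", "org.example:util": "0.9.0"}
BASE_REPORT = json.dumps([
    {"coordinate": "org.example:parser", "version": "1.2.0", "vuln_id": "VULN-PLACEHOLDER-A"},
])
PR_REPORT = json.dumps([
    {"coordinate": "org.example:parser", "version": "1.2.0", "vuln_id": "VULN-PLACEHOLDER-A"},    # pre-existing
    {"coordinate": "org.example:netlib", "version": "3.0.1", "vuln_id": "VULN-PLACEHOLDER-B"},    # published since baseline
    {"coordinate": "org.example:util", "version": "1.0.0", "vuln_id": "VULN-PLACEHOLDER-C"},      # version bumped by the PR
    {"coordinate": "org.example:compress", "version": "2.4.0", "vuln_id": "VULN-PLACEHOLDER-D"},  # added by the PR
])


def run_example() -> Tuple[bool, Dict[str, int]]:
    """Run the gate over the constructed reports; returns (build_ok, bucket sizes)."""
    buckets = classify(BASE_DEPS, findings_from_json(BASE_REPORT), findings_from_json(PR_REPORT))
    ok, messages = gate(buckets)
    for m in messages:
        print(m)
    return ok, {name: len(items) for name, items in buckets.items()}


if __name__ == "__main__":
    build_ok, counts = run_example()
    print("build ok:", build_ok, counts)
```

In a pipeline the baseline report and resolved dependency list would be archived by the main-branch build and fetched by the PR job; without that archived baseline, running both scans at the same time against the same vulnerability data can never populate the "new in unchanged dependency" bucket, because the finding shows up on both sides and reads as pre-existing.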