[
https://issues.apache.org/jira/browse/APEXCORE-790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16274499#comment-16274499
]
ASF GitHub Bot commented on APEXCORE-790:
-----------------------------------------
PramodSSImmaneni closed pull request #585: APEXCORE-790 Enforce dependency
analysis for CVE in CI builds
URL: https://github.com/apache/apex-core/pull/585
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/.travis.yml b/.travis.yml
index fbae091f8c..17d63e47dd 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -18,7 +18,7 @@ language: java
jdk:
- openjdk7
-script: mvn apache-rat:check verify -Dlicense.skip=false -Dtravis=true
+script: mvn apache-rat:check verify -Dlicense.skip=false -Dtravis=true && mvn
dependency-check:check -Ddependency.check.showSummary=false
notifications:
slack:
diff --git a/dependency-check-whitelist.xml b/dependency-check-whitelist.xml
new file mode 100644
index 0000000000..700c986860
--- /dev/null
+++ b/dependency-check-whitelist.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+<suppressions
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd";>
+</suppressions>
diff --git a/pom.xml b/pom.xml
index ff91946a42..a5ddc4bbbe 100644
--- a/pom.xml
+++ b/pom.xml
@@ -116,7 +116,9 @@
<license.skip>true</license.skip>
<findbugs.xmlOutput>true</findbugs.xmlOutput>
<findbugs.failOnError>false</findbugs.failOnError>
- <findbugs.skip>false</findbugs.skip>
+ <dependency.check.failBuildOnCVSS>8</dependency.check.failBuildOnCVSS>
+ <dependency.check.showSummary>true</dependency.check.showSummary>
+
<dependency.check.whitelist>${project.basedir}/../dependency-check-whitelist.xml</dependency.check.whitelist>
<postNoticeText>The initial developer of the original code
is
DataTorrent, Inc. (http://www.datatorrent.com)
Copyright (c) 2012 -
2015. All Rights Reserved.</postNoticeText>
</properties>
@@ -260,17 +262,24 @@
<includeTests>true</includeTests>
<xmlOutput>${findbugs.xmlOutput}</xmlOutput>
<failOnError>${findbugs.failOnError}</failOnError>
- <skip>${findbugs.skip}</skip>
</configuration>
<executions>
<execution>
- <phase></phase>
+ <phase/>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <inherited>false</inherited>
+ <configuration>
+ <skip>true</skip>
+ </configuration>
+ </plugin>
</plugins>
<pluginManagement>
<plugins>
@@ -455,6 +464,28 @@
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>3.0.2</version>
+ <configuration>
+
<failBuildOnCVSS>${dependency.check.failBuildOnCVSS}</failBuildOnCVSS>
+ <showSummary>${dependency.check.showSummary}</showSummary>
+ <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+ <skipProvidedScope>true</skipProvidedScope>
+ <skipRuntimeScope>true</skipRuntimeScope>
+ <skipSystemScope>true</skipSystemScope>
+ <suppressionFiles>${dependency.check.whitelist}</suppressionFiles>
+ </configuration>
+ <executions>
+ <execution>
+ <phase/>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</pluginManagement>
<extensions>
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> Enforce dependency analysis for CVE in CI builds
> ------------------------------------------------
>
> Key: APEXCORE-790
> URL: https://issues.apache.org/jira/browse/APEXCORE-790
> Project: Apache Apex Core
> Issue Type: Task
> Reporter: Vlad Rozov
> Assignee: Vlad Rozov
> Priority: Minor
>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
