Hi all,

I just wanted to bring up one idea that we decided in the PLC4X project and 
seed the idea, if this would also be worth discussing here.

So, we were seeing that our build kept on having sub-ideal CVE ratings as we 
had dependencies for which CVEs were reported.
However, PLC4X itself has a very limited number of dependencies. The problem 
was that we had several “integration” modules, that pulled in Kafka, Calcite, 
Nifi and some Eclipse projects.
Also, a lot of our examples pulled in various third-party libraries, for which 
vulnerabilities were also reported.

We are currently in the process of splitting up our main repository into a main 
and an extras repository.
The main contains the core of the project. The extras contains the examples, 
additional tools and integration modules (the ones with the many, many 
dependencies).
This way we can get a much better security standing for the main repo.

Would this also be a good idea for IoTDB? I know with our dependencies to:

  *   Flink
  *   Grafana
  *   Hadoop
  *   Hive
  *   Spark
  *   Zeppelin (this one is really bad when it comes to CVEs)
  *   Pulsar (only examples)
  *   RabbitMQ (only examples)
  *   RocketMQ (only examples)

We surely also pull in a lot of potentially bad dependencies. If we moved this 
out the same way, we would probably have a much better CVE ranking.
This might become problematic in the future as in Europe and in the US CRE/PLD 
and other initiatives are taking form.

Chris
