[ https://issues.apache.org/jira/browse/CALCITE-7260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18035431#comment-18035431 ]

Vladimir Sitnikov commented on CALCITE-7260:
--------------------------------------------

{quote}Are you proposing that, in order to push to main, the committer must 
apply any critical dependency upgrades first (presumably in a separate 
commit)?{quote}
Of course not.

What I suggest requires absolutely no mandatory actions from anybody. To the 
best of my knowledge it would generate zero emails and notifications (assuming 
Dependabot security updates are disabled).

You and any other contributor could continue working as usual, and it won't 
stand in the way.

The workflow would populate the security tab at GitHub, so those who are 
interested might open it and check the current state of CVEs that impact 
Calcite.

Here's how it looks in my fork: see calcite_security_overall.png, 
calcite_security_single_cve.png

In my experience it is much more accessible than executing obscure build system 
tasks.



> Add gradle/actions/dependency-submission GitHub action to track vulnerable 
> dependencies
> ---------------------------------------------------------------------------------------
>
>                 Key: CALCITE-7260
>                 URL: https://issues.apache.org/jira/browse/CALCITE-7260
>             Project: Calcite
>          Issue Type: Improvement
>            Reporter: Vladimir Sitnikov
>            Priority: Major
>         Attachments: calcite_security_overall.png, 
> calcite_security_single_cve.png
>
>
> dependency-submission enables GitHub to track all the used dependencies and show 
> CVE alerts via https://github.com/apache/calcite/security/dependabot
> It would track runtime, test, build-time, and even build-script 
> dependencies, which is the right thing from my point of view.
> See 
> https://github.com/actions/gradle-build-tools-actions?tab=readme-ov-file#the-dependency-submission-action
> See 
> https://github.com/apache/jmeter/blob/2c17f5d2b6b0fa7e0f69dbd56785386a785c8745/.github/workflows/gradle-dependency-submit.yaml
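The workflow the issue proposes, written out as an added example for this discussion (it is not the JMeter workflow linked above, nor any file from the Calcite repository). It assumes a Gradle build that runs on Java 17, the `@v4` tags of the checkout, setup-java and dependency-submission actions, and that the action lives at the `gradle/actions/dependency-submission` path named in the issue title; check the action's README for the current tag before adopting it. The `contents: write` permission is what lets the action upload the resolved dependency graph to the repository's Dependabot view, which is the security tab the comment refers to. Nothing in this workflow modifies the build, opens pull requests, or gates pushes; it only reports what was resolved.

```yaml
# Added example: submits the resolved Gradle dependency graph (runtime, test,
# build-time and build-script configurations) to GitHub so that CVE alerts
# appear under <repo>/security/dependabot.
name: Dependency Submission

on:
  push:
    branches: [ main ]
  # Optional: also refresh the graph on a schedule so newly published
  # advisories are matched against an up-to-date snapshot.
  schedule:
    - cron: '0 6 * * 1'

permissions:
  # Required by the dependency-submission action to upload the graph;
  # every other scope stays at the default read-only level.
  contents: write

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - name: Check out sources
        uses: actions/checkout@v4

      - name: Set up JDK 17 (assumed; match the project's build JDK)
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17

      - name: Generate and submit dependency graph
        # Action path and tag are assumptions; see the action README linked
        # in the issue for the current recommended version.
        uses: gradle/actions/dependency-submission@v4
```

With this in place, no notification is generated unless Dependabot security updates are enabled separately, as the comment notes; the alerts are visible only to those who open the security tab, and each alert names the affected configuration (for example a test-only or build-script dependency) so a reviewer can judge whether it reaches runtime before deciding on an upgrade.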



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
