[ 
https://issues.apache.org/jira/browse/FLINK-12119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16811568#comment-16811568
 ] 

Chesnay Schepler commented on FLINK-12119:
------------------------------------------

Sounds good to me, we can run this in a weekly cron job (see the bottom for why 
other options wouldn't work). Since we don't have to compile anything this 
should be relatively light-weight I hope, since we do have to run it against 
the scala/hadoop matrix.
All modules that are either a) deployed to maven central or b) included in 
flink-dist should be checked. Since the main CI will not be affected it 
shouldn't be necessary to make any other exclusions.
In addition to {{system}} and {{provided}} dependencies we can also exclude 
{{test}} dependencies.

Why a weekly cron job?
Conceptually we could just add it as an optional plugin to generate a report 
on-demand, but this would rarely be used, if at all. At the same time, running 
it on CI without failing the build would just waste resources (since no one 
would look at it) and additionally introduces more failure points. Finally, 
running it on CI and failing the build will just wreck the CI, potentially for 
prolonged time.

> Add OWASP Dependency Check to Flink Build
> -----------------------------------------
>
>                 Key: FLINK-12119
>                 URL: https://issues.apache.org/jira/browse/FLINK-12119
>             Project: Flink
>          Issue Type: Improvement
>          Components: Build System
>            Reporter: Konstantin Knauf
>            Assignee: Konstantin Knauf
>            Priority: Major
>
> In order to obtain some visibility on the current known security 
> vulnerabilities in Flink's dependencies. It would be useful to include the 
> OWASP dependency check plugin [1] into our Maven build.
> By including it into flink-parent, we can get a summary of all dependencies of 
> all child projects by running
> {{mvn clean org.owasp:dependency-check-maven:5.0.0-M2:aggregate}}
> We should probably exclude some modules from the dependency-check. These 
> could be:
>  * flink-dist
>  * flink-docs
>  * flink-examples
>  * flink-tests
>  * flink-shaded-yarn-tests
>  * flink-end-to-end-tests
>  * flink-fs-tests
>  * flink-test-utils-parent
>  * flink-yarn-tests
>  * flink-contrib
> Anything else? What about flink-python/flink-streaming-python?
> In addition I propose to exclude all dependencies in the *system* or 
> *provided* scope.
> At least initially, the build would never fail because of vulnerabilities.
> [1] https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html
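A sketch of the plugin declaration the thread converges on, added here as an example and not code from the issue or from the Flink repository: the plugin is managed once in flink-parent, the system, provided and test scopes are skipped, the build never fails on a finding, and a module from the exclusion list opts out by setting the plugin's skip property. Parameter names are those documented for dependency-check-maven; that the aggregate goal honours a child module's skip property is an assumption.

```xml
<!-- flink-parent pom.xml (hypothetical placement): declared once, run from the
     root with  mvn clean org.owasp:dependency-check-maven:5.0.0-M2:aggregate  -->
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>5.0.0-M2</version>
        <configuration>
          <!-- Only what reaches users matters: skip the scopes that never end
               up on a deployed artifact's or flink-dist's classpath. -->
          <skipSystemScope>true</skipSystemScope>
          <skipProvidedScope>true</skipProvidedScope>
          <skipTestScope>true</skipTestScope>
          <!-- Report only: 11 is above any CVSS score, so no finding fails
               the build (the thread's "never fail" requirement). -->
          <failBuildOnCVSS>11</failBuildOnCVSS>
          <format>HTML</format>
        </configuration>
      </plugin>
    </plugins>
  </pluginManagement>
</build>

<!-- pom.xml of an excluded module from the issue's list, e.g. flink-tests:
     the plugin's user property `dependency-check.skip` drops it from the
     aggregate report (assumed to be honoured per child module). -->
<properties>
  <dependency-check.skip>true</dependency-check.skip>
</properties>
```

The weekly cron job would then run the aggregate goal from the root once per scala/hadoop matrix entry and archive the generated HTML report, since nothing on CI fails on its result.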



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
