[ https://issues.apache.org/jira/browse/HBASE-20553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sakthi updated HBASE-20553:
---------------------------
    Description: 
We should proactively work to flag dependencies with known CVEs so that we can 
then update them early in our development instead of near a release.

YETUS-441 is working to add a plugin for this; we should grab a copy early to 
make sure it works for us.

Rough outline:

1. [install yetus locally|http://yetus.apache.org/downloads/]
2. [install the dependency-check 
cli|https://www.owasp.org/index.php/OWASP_Dependency_Check] (homebrew 
instructions on right hand margin)
3. Get a local copy of the OWASP datafile ({{dependency-check --updateonly 
--data /some/local/path/to/dir}})
4. Run {{hbase_nightly_yetus.sh}} using matching environment variables from the 
“yetus general check” (currently [line #126 in our nightly 
Jenkinsfile|https://github.com/apache/hbase/blob/master/dev-support/Jenkinsfile#L126])
5. Grab the plugin definition and suppression file from YETUS-441
6. Put the plugin definition either in a directory of dev-support or into the 
hbase-personality.sh directly
7. Re-run {{hbase_nightly_yetus.sh}} to verify that the plugin results show up. 
(Probably this will involve adding new pointers for “where is the suppression 
file”, “where is the OWASP datafile” and pointing them somewhere locally.)

Once all of that is in place we’ll get the changes needed into a branch that we 
can test out. Over in YETUS-441 I’ll need to add a jenkins job that’ll handle 
periodically updating a copy of the datafile for the OWASP dependency checker. 
Presuming I have that in place by the time we have a nightly branch to check 
this out, then we’ll also need to update our nightly Jenkinsfile to fetch the 
data file from that job.

  was:
We should proactively work to flag dependencies with known CVEs so that we can 
then update them early in our development instead of near a release.

YETUS-441 is working to add a plugin for this; we should grab a copy early to 
make sure it works for us.

Rough outline:

1. [install yetus locally|http://yetus.apache.org/downloads/]
2. [install the dependency-check 
cli|https://www.owasp.org/index.php/OWASP_Dependency_Check] (homebrew 
instructions on right hand margin)
3. Get a local copy of the OWASP datafile ({{dependency-check --update-only 
--data /some/local/path/to/dir}})
4. Run {{hbase_nightly_yetus.sh}} using matching environment variables from the 
“yetus general check” (currently [line #126 in our nightly 
Jenkinsfile|https://github.com/apache/hbase/blob/master/dev-support/Jenkinsfile#L126])
5. Grab the plugin definition and suppression file from YETUS-441
6. Put the plugin definition either in a directory of dev-support or into the 
hbase-personality.sh directly
7. Re-run {{hbase_nightly_yetus.sh}} to verify that the plugin results show up. 
(Probably this will involve adding new pointers for “where is the suppression 
file”, “where is the OWASP datafile” and pointing them somewhere locally.)

Once all of that is in place we’ll get the changes needed into a branch that we 
can test out. Over in YETUS-441 I’ll need to add a jenkins job that’ll handle 
periodically updating a copy of the datafile for the OWASP dependency checker. 
Presuming I have that in place by the time we have a nightly branch to check 
this out, then we’ll also need to update our nightly Jenkinsfile to fetch the 
data file from that job.


> Add dependency CVE checking to nightly tests
> --------------------------------------------
>
>                 Key: HBASE-20553
>                 URL: https://issues.apache.org/jira/browse/HBASE-20553
>             Project: HBase
>          Issue Type: Umbrella
>          Components: dependencies
>    Affects Versions: 3.0.0
>            Reporter: Sean Busbey
>            Assignee: Sakthi
>            Priority: Major
>             Fix For: 3.0.0, 2.1.0
>
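The outline above leaves two things to the person running it locally: keeping the OWASP datafile from step 3 fresh (a stale copy makes the check pass while missing newly published CVEs) and making sure the suppression file and datafile locations from step 7 are actually present before the scan runs. The following POSIX sh helpers are an added example written for this page; they are not code from the HBASE-20553 ticket, the HBase dev-support tree, or the Yetus plugin. The variable names `OWASP_DATA_DIR`, `OWASP_SUPPRESSION_FILE` and `MAX_DATA_AGE_DAYS`, and the file paths in the commented usage at the end, are assumptions chosen here; the `dependency-check` flags used must match the installed CLI version.

```shell
#!/usr/bin/env sh
# Added example (not from HBASE-20553, HBase or Yetus): local helpers for
# steps 3 and 7 of the outline. A stale OWASP data copy is treated as an
# error rather than silently scanned against.
# Assumed names: OWASP_DATA_DIR, OWASP_SUPPRESSION_FILE, MAX_DATA_AGE_DAYS.

DEPENDENCY_CHECK="${DEPENDENCY_CHECK:-dependency-check}"
MAX_DATA_AGE_DAYS="${MAX_DATA_AGE_DAYS:-7}"

# Returns 0 (stale) when the data directory is missing or contains no file
# modified within the last MAX_DATA_AGE_DAYS days, 1 (fresh) otherwise.
owasp_data_is_stale() {
  dir="$1"
  [ -d "$dir" ] || return 0
  fresh=$(find "$dir" -type f -mtime "-$MAX_DATA_AGE_DAYS" 2>/dev/null | head -n 1)
  [ -z "$fresh" ]
}

# Step 3: fetch or refresh the local OWASP datafile, but only when it is stale,
# so repeated local runs do not hammer the upstream feed.
refresh_owasp_data() {
  dir="$1"
  if owasp_data_is_stale "$dir"; then
    mkdir -p "$dir"
    "$DEPENDENCY_CHECK" --updateonly --data "$dir"
  fi
}

# Step 7 inputs: refuse to proceed unless the suppression file exists and the
# data copy is fresh, then export both under the assumed variable names so the
# nightly script (or a Jenkinsfile) can pass them to the plugin.
prepare_plugin_env() {
  data_dir="$1"; suppression="$2"
  if [ ! -f "$suppression" ]; then
    echo "missing suppression file: $suppression" >&2; return 1
  fi
  if owasp_data_is_stale "$data_dir"; then
    echo "OWASP data in $data_dir is missing or older than $MAX_DATA_AGE_DAYS days" >&2
    return 1
  fi
  OWASP_DATA_DIR="$data_dir"; OWASP_SUPPRESSION_FILE="$suppression"
  export OWASP_DATA_DIR OWASP_SUPPRESSION_FILE
  return 0
}

# Direct scan using the exported inputs (assumed CLI flags; --noupdate keeps
# the scan from re-downloading the feed that refresh_owasp_data already handled).
run_scan() {
  scan_dir="$1"; out_dir="$2"; fail_cvss="${3:-7}"
  "$DEPENDENCY_CHECK" --noupdate --data "$OWASP_DATA_DIR" \
    --suppression "$OWASP_SUPPRESSION_FILE" --scan "$scan_dir" \
    --format XML --out "$out_dir" --failOnCVSS "$fail_cvss"
}

# Example local run (paths are assumptions; uncomment to use):
# refresh_owasp_data "$HOME/.owasp-data"
# prepare_plugin_env "$HOME/.owasp-data" dev-support/owasp-suppressions.xml && \
#   dev-support/hbase_nightly_yetus.sh
```

Sourcing the file and calling `prepare_plugin_env` before `hbase_nightly_yetus.sh` gives a hard failure when the datafile is missing or stale, which is preferable to a green nightly run produced from last month's CVE feed. `MAX_DATA_AGE_DAYS` can be tightened once the periodic Jenkins job that refreshes the datafile is in place.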



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
