[ https://issues.apache.org/jira/browse/HBASE-20553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16522665#comment-16522665 ]
Sakthi commented on HBASE-20553:
--------------------------------

Sure. Makes sense.

> Add dependency CVE checking to nightly tests
> --------------------------------------------
>
>                 Key: HBASE-20553
>                 URL: https://issues.apache.org/jira/browse/HBASE-20553
>             Project: HBase
>          Issue Type: Umbrella
>          Components: dependencies
>    Affects Versions: 3.0.0
>            Reporter: Sean Busbey
>            Assignee: Sakthi
>            Priority: Major
>             Fix For: 3.0.0, 2.2.0
>
>
> We should proactively work to flag dependencies with known CVEs so that we
> can then update them early in our development instead of near a release.
> YETUS-441 is working to add a plugin for this, we should grab a copy early to
> make sure it works for us.
>
> Rough outline:
>
> 1. [install yetus locally|http://yetus.apache.org/downloads/]
> 2. [install the dependency-check cli|https://www.owasp.org/index.php/OWASP_Dependency_Check] (homebrew instructions on right hand margin)
> 3. Get a local copy of the OWASP datafile ({{dependency-check --updateonly --data /some/local/path/to/dir}})
> 4. Run {{hbase_nightly_yetus.sh}} using matching environment variables from the "yetus general check" (currently [line #126 in our nightly Jenkinsfile|https://github.com/apache/hbase/blob/master/dev-support/Jenkinsfile#L126])
> 5. Grab the plugin definition and suppression file from YETUS-441
> 6. Put the plugin definition either in a directory of dev-support or into the hbase-personality.sh directly
> 7. Re-run {{hbase_nightly_yetus.sh}} to verify that the plugin results show up. (Probably this will involve adding new pointers for "where is the suppression file", "where is the OWASP datafile" and pointing them somewhere locally.)
>
> Once all of that is in place we'll get the changes needed into a branch that we can test out. Over in YETUS-441 I'll need to add a jenkins job that'll handle periodically updating a copy of the datafile for the OWASP dependency checker. Presuming I have that in place by the time we have a nightly branch to check this out, then we'll also need to update our nightly Jenkinsfile to fetch the data file from that job.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
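The outline quoted above ends with re-running the nightly script to verify that the dependency-check results actually show up, and a nightly job also needs a rule for turning those results into a pass or fail. The following is an added example written for this page; it is not code from the HBase nightly, from the YETUS-441 plugin, or from OWASP dependency-check itself. It reads a dependency-check JSON report (the field names `dependencies`, `fileName`, `vulnerabilities`, `name`, `severity`, `cvssv3.baseScore` and `cvssv2.score` are assumed to match the report layout), applies a small constructed suppression list standing in for the suppression file, and returns the unsuppressed findings at or above a CVSS threshold so a job can vote -1 on them. The report, the jar names and the CVE ids are all constructed placeholders.

```python
import json
from dataclasses import dataclass

# Constructed sample report, shaped like a dependency-check JSON report
# (assumed layout). Jar names and CVE ids are placeholders, not real ones.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "example-lib-1.0.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-00001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-00002", "severity": "LOW",
                 "cvssv2": {"score": 2.1}},
            ],
        },
        {
            "fileName": "example-util-2.3.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-00003", "severity": "HIGH",
                 "cvssv3": {"baseScore": 7.5}},
            ],
        },
        {"fileName": "clean-1.0.jar"},  # no vulnerabilities key at all
    ]
})

# Constructed stand-in for the suppression file: (file-name fragment, CVE id)
# pairs that were reviewed and accepted, e.g. a confirmed false positive.
SAMPLE_SUPPRESSIONS = {("example-util", "CVE-0000-00003")}


@dataclass(frozen=True)
class Finding:
    dependency: str
    cve: str
    severity: str
    score: float


def cvss_score(vuln):
    """Prefer the CVSSv3 base score, fall back to CVSSv2, else 0.0."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore", v2.get("score", 0.0)))


def is_suppressed(dependency, cve, suppressions):
    """A suppression matches when its fragment is in the file name and the CVE id is equal."""
    return any(frag in dependency and cve == sup_cve for frag, sup_cve in suppressions)


def collect_findings(report_text, suppressions, fail_on_cvss=7.0):
    """Return unsuppressed findings with CVSS >= fail_on_cvss, highest score first."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        name = dep.get("fileName", "<unknown>")
        for vuln in dep.get("vulnerabilities", []):
            cve = vuln.get("name", "")
            if is_suppressed(name, cve, suppressions):
                continue
            score = cvss_score(vuln)
            if score >= fail_on_cvss:
                findings.append(Finding(name, cve, vuln.get("severity", "UNKNOWN"), score))
    return sorted(findings, key=lambda f: (-f.score, f.dependency, f.cve))


def nightly_verdict(report_text, suppressions, fail_on_cvss=7.0):
    """Turn findings into a (passed, message) pair in the +1/-1 style of a Yetus-like check."""
    findings = collect_findings(report_text, suppressions, fail_on_cvss)
    if findings:
        lines = [f"-1 dependency CVE check: {len(findings)} finding(s) at CVSS >= {fail_on_cvss}"]
        lines += [f"  {f.dependency}: {f.cve} ({f.severity}, {f.score})" for f in findings]
        return False, "\n".join(lines)
    return True, "+1 dependency CVE check: no unsuppressed findings"


if __name__ == "__main__":
    passed, message = nightly_verdict(SAMPLE_REPORT, SAMPLE_SUPPRESSIONS)
    print(message)
```

Two design points worth keeping if this is adapted for a real plugin: the suppression match is keyed on both the artifact and the CVE id, so a suppression written for one library never silently hides the same CVE in another, and the threshold is a parameter, so a nightly can start at a high score and tighten it as the backlog of known findings is worked off.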