[ https://issues.apache.org/jira/browse/LIVY-900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Larry McCay updated LIVY-900:
-----------------------------
Description:
As part of the revival of the Livy project, we indicated that an immediate goal
would be to establish a process for CVE and dependency hygiene. There are a
number of ways that we can address this and we need to consider which ones
would be most appropriate. Off the top of my head:
* Dependabot is being used in many projects and I believe there are a couple
different ways to integrate this either at the GitHub or GitBox (ASF) level.
** Some automatically create PRs, for instance
* External tooling that can be run such as OWASP dependency-check. I have run
this locally to discover the currently outstanding upgrades that need to be
addressed
FYI - this can be run via mvn:
mvn org.owasp:dependency-check-maven:7.3.0:aggregate
I'd like to gather ideas for productive ways to maintain proper dependency
hygiene and file tasks to get at least some of these done for the 0.8.0
release, with the remediation of most if not all of the Critical and High CVEs
addressed.
was:
As part of the revival of the Livy project, we indicated that an immediate goal
would be to establish a process for CVE and dependency hygiene. There are a
number of ways that we can address this and we need to consider which ones
would be most appropriate. Off the top of my head:
* Dependabot is being used in many projects and I believe there are a couple
different ways to integrate this either at the GitHub or GitBox (ASF) level.
* External tooling that can be run such as OWASP dependency-check. I have run
this locally to discover the currently outstanding upgrades that need to be
addressed
FYI - this can be run via mvn:
mvn org.owasp:dependency-check-maven:7.3.0:aggregate
I'd like to gather ideas for productive ways to maintain proper dependency
hygiene and file tasks to get at least some of these done for the 0.8.0
release, with the remediation of most if not all of the Critical and High CVEs
addressed.
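As an added example that is not part of this issue or of the Livy project: a small Python triage of the JSON report that the dependency-check aggregate goal above can write (target/dependency-check-report.json when the JSON format is enabled), keeping only the Critical and High findings that the 0.8.0 goal targets. The report field names used here (dependencies[].vulnerabilities[].name, severity, cvssv3.baseScore, cvssv2.score) and the embedded sample report are assumptions and constructed data, not output from a real run.

```python
"""Triage an OWASP dependency-check JSON report down to Critical/High findings."""
import json
from typing import Dict, List

# Constructed sample shaped like dependency-check's JSON report; the field names
# (dependencies[].vulnerabilities[].name/severity/cvssv3.baseScore) are assumed.
SAMPLE_REPORT = json.loads("""
{
  "reportSchema": "1.1",
  "dependencies": [
    {"fileName": "libfoo-1.0.jar", "vulnerabilities": [
      {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
      {"name": "CVE-0000-0002", "severity": "MEDIUM",   "cvssv3": {"baseScore": 5.3}}]},
    {"fileName": "libbar-2.1.jar", "vulnerabilities": [
      {"name": "CVE-0000-0003", "severity": "high", "cvssv2": {"score": 7.5}}]},
    {"fileName": "clean-3.0.jar"}
  ]
}
""")

# Severity bands by CVSS base score floor, worst first.
BANDS = (("CRITICAL", 9.0), ("HIGH", 7.0), ("MEDIUM", 4.0), ("LOW", 0.0))


def score_of(vuln: Dict) -> float:
    """CVSS v3 base score if present, else the v2 score, else 0.0."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore", v2.get("score", 0.0)))


def severity_of(vuln: Dict) -> str:
    """Normalise the report's severity label; derive it from the score when absent."""
    label = str(vuln.get("severity", "")).upper()
    if label in dict(BANDS):
        return label
    score = score_of(vuln)
    return next(name for name, floor in BANDS if score >= floor)


def triage(report: Dict, min_severity: str = "HIGH") -> List[Dict]:
    """Findings at or above min_severity, worst first, one row per dependency+CVE."""
    rank = [name for name, _ in BANDS]
    allowed = rank[: rank.index(min_severity) + 1]
    rows = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):  # clean jars have no such key
            sev = severity_of(vuln)
            if sev in allowed:
                rows.append({"dependency": dep["fileName"], "cve": vuln["name"],
                             "severity": sev, "score": score_of(vuln)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(f'{row["severity"]:8} {row["score"]:4.1f} {row["cve"]} in {row["dependency"]}')
```

On a real run, replace SAMPLE_REPORT with json.load() of the report file; the list it returns is the remediation backlog to file tasks against.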
> Security and CVE Remediation Process for 0.8.0
> ----------------------------------------------
>
> Key: LIVY-900
> URL: https://issues.apache.org/jira/browse/LIVY-900
> Project: Livy
> Issue Type: Improvement
> Components: Build
> Reporter: Larry McCay
> Priority: Major
> Fix For: 0.8.0
>
--
This message was sent by Atlassian Jira (v8.20.10#820010)