[jira] [Commented] (LIVY-900) Security and CVE Remediation Process for 0.8.0

Thu, 17 Nov 2022 22:28:04 -0800 


    [ 
https://issues.apache.org/jira/browse/LIVY-900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17635683#comment-17635683
 ] 

Damon Cortesi commented on LIVY-900:
------------------------------------

re: dependency-check - seems relatively maintained and reliable. Could 
configure [GitHub 
Actions|https://github.com/marketplace/actions/dependency-check] to run it any 
time dependencies change and/or on a regular basis. In theory could possibly 
even script the output to open new issues.

I don't know how Dependabot compares to dependency-check in terms of 
accuracy/completeness, though there is some interesting research 
[here|https://arxiv.org/pdf/2108.12078.pdf]. It is nice that the former will 
create ready-to-merge PRs if it can.

> Security and CVE Remediation Process for 0.8.0
> ----------------------------------------------
>
>                 Key: LIVY-900
>                 URL: https://issues.apache.org/jira/browse/LIVY-900
>             Project: Livy
>          Issue Type: Improvement
>          Components: Build
>            Reporter: Larry McCay
>            Priority: Major
>             Fix For: 0.8.0
>
>
> As part of the revival of the Livy project, we indicated that an immediate 
> goal would be to establish a process for CVE and dependency hygiene. There 
> are a number of ways that we can address this and we need to consider which 
> ones would be most appropriate. Off the top of my head:
>  * Dependabot is being used in many projects and I believe there are a couple 
> different ways to integrate this either at the github or gitbox (ASF) level.
>  ** Some automatically create PRs for instance
>  * External tooling that can be run such as OWASP dependency-check. I have 
> run this locally to discover the currently outstanding upgrades that need to 
> be addressed
> FYI - this can be run via mvn:
> mvn org.owasp:dependency-check-maven:7.3.0:aggregate
> I'd like to gather ideas for productive ways to maintain proper dependency 
> hygiene and file tasks to get at least some of these done for 0.8.0 release. 
> With the remediation of most if not all of the Critical and High CVEs 
> addressed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to