[
https://issues.apache.org/jira/browse/LIVY-900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17646209#comment-17646209
]
Larry McCay commented on LIVY-900:
----------------------------------
[~dacort] - filed LIVY-901 to track the subtasks for 0.8.0 release.
I've also assessed all of the Spark issues with a subtask - going to close that
as resolved.
Plan to grab another functional area like netty next.
> Security and CVE Remediation Process for 0.8.0
> ----------------------------------------------
>
> Key: LIVY-900
> URL: https://issues.apache.org/jira/browse/LIVY-900
> Project: Livy
> Issue Type: Improvement
> Components: Build
> Reporter: Larry McCay
> Priority: Major
> Fix For: 0.8.0
>
> Attachments: dependency-check-report.html
>
>
> As part of the revival of the Livy project, we indicated that an immediate
> goal would be to establish a process for CVE and dependency hygiene. There
> are a number of ways that we can address this and we need to consider which
> ones would be most appropriate. Off the top of my head:
> * Dependabot is being used in many projects and I believe there are a couple
> different ways to integrate this either at the github or gitbox (ASF) level.
> ** Some automatically create PRs for instance
> * External tooling that can be run such as OWASP dependency-check. I have
> run this locally to discover the currently outstanding upgrades that need to
> be addressed
> FYI - this can be run via mvn:
> mvn org.owasp:dependency-check-maven:7.3.0:aggregate
> I'd like to gather ideas for productive ways to maintain proper dependency
> hygiene and file tasks to get at least some of these done for 0.8.0 release.
> With the remediation of most if not all of the Critical and High CVEs
> addressed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
