[jira] [Commented] (LIVY-900) Security and CVE Remediation Process for 0.8.0

Mon, 12 Dec 2022 10:17:11 -0800 


    [ 
https://issues.apache.org/jira/browse/LIVY-900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17646261#comment-17646261
 ] 

Damon Cortesi commented on LIVY-900:
------------------------------------

Awesome, thanks [~lmccay] - I'll hopefully get some time this week to dive into 
another area.

Your tracking process looks good. One concern I have is around WONTFIX-style 
CVEs - I saw you identified a few of these with the Spark libraries. What do 
you think about making use of the [suppression 
functionality|https://jeremylong.github.io/DependencyCheck/general/suppression.html]
 so that some of the false positives don't show up in the dependency check 
report?

> Security and CVE Remediation Process for 0.8.0
> ----------------------------------------------
>
>                 Key: LIVY-900
>                 URL: https://issues.apache.org/jira/browse/LIVY-900
>             Project: Livy
>          Issue Type: Improvement
>          Components: Build
>            Reporter: Larry McCay
>            Priority: Major
>             Fix For: 0.8.0
>
>         Attachments: dependency-check-report.html
>
>
> As part of the revival of the Livy project, we indicated that an immediate 
> goal would be to establish a process for CVE and dependency hygiene. There 
> are a number of ways that we can address this and we need to consider which 
> ones would be most appropriate. Off the top of my head:
>  * Dependabot is being used in many projects and I believe there are a couple 
> different ways to integrate this either at the github or gitbox (ASF) level.
>  ** Some automatically create PRs for instance
>  * External tooling that can be run such as OWASP dependency-check. I have 
> run this locally to discover the currently outstanding upgrades that need to 
> be addressed
> FYI - this can be run via mvn:
> mvn org.owasp:dependency-check-maven:7.3.0:aggregate
> I'd like to gather ideas for productive ways to maintain proper dependency 
> hygiene and file tasks to get at least some of these done for 0.8.0 release. 
> With the remediation of most if not all of the Critical and High CVEs 
> addressed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to