[ https://issues.apache.org/jira/browse/LIVY-900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17646292#comment-17646292 ]

Damon Cortesi commented on LIVY-900:
------------------------------------

It looks like we can create an independent xml file with the skipped issues and 
add that as a flag to the command.

For example, with this xml in the root, we can use the 
-DsuppressionFiles=depcheck-ignore.xml flag:
{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        file name: spark-sql_2.11-2.4.5.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.spark/spark-sql_2\.11@.*$</packageUrl>
        <cpe>cpe:/a:apache:spark</cpe>
    </suppress>
</suppressions>
{code}

{code:bash}
docker run --rm -it -v $(pwd)/../../:/workspace -v $HOME/.m2/:/root/.m2 livy \
  mvn org.owasp:dependency-check-maven:aggregate -DskipSystemScope=true \
  -DsuppressionFiles=depcheck-ignore.xml
{code}
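
As an added example (not part of the comment above or of Livy's build), a small Python checker that reads a suppression file of the shape shown above, reports which CPE identifications a given package URL would lose, and flags regex rules whose version part is left open. It assumes dependency-check's rule semantics as written in the file (a `regex="true"` packageUrl is matched against the dependency's pURL, and `<cpe>` hides that identification); the second suppression entry is constructed for contrast.

```python
import re
import xml.etree.ElementTree as ET

NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd}"

# Constructed sample shaped like the depcheck-ignore.xml above; the second entry is
# made up to contrast a version-pinned rule with the unpinned spark-sql one.
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[file name: spark-sql_2.11-2.4.5.jar]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.spark/spark-sql_2\.11@.*$</packageUrl>
    <cpe>cpe:/a:apache:spark</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[constructed: pinned to the reviewed version only]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/lib@1\.2\.3$</packageUrl>
    <cpe>cpe:/a:example:lib</cpe>
  </suppress>
</suppressions>"""

def load_suppressions(xml_text):
    """Parse each <suppress> into a dict: notes, packageUrl pattern, regex flag, CPEs."""
    rules = []
    for s in ET.fromstring(xml_text).iter(NS + "suppress"):
        purl = s.find(NS + "packageUrl")
        rules.append({
            "notes": (s.findtext(NS + "notes") or "").strip(),
            "purl": purl.text.strip(),
            "regex": purl.get("regex", "false") == "true",
            "cpes": [c.text.strip() for c in s.findall(NS + "cpe")],
        })
    return rules

def matches(rule, purl):
    """With regex="true" the pattern is matched against the dependency's package URL."""
    if rule["regex"]:
        return re.search(rule["purl"], purl) is not None
    return rule["purl"] == purl

def suppressed_cpes(rules, purl):
    """CPE identifications (and so every CVE tied to them) hidden for this package URL."""
    return sorted({c for r in rules if matches(r, purl) for c in r["cpes"]})

def unpinned(rules):
    """Notes of regex rules whose version part is '.*' or '.+': they keep hiding the
    CPE for every future release of the artifact, not only the version reviewed."""
    return [r["notes"] for r in rules
            if r["regex"] and re.search(r"@\.[*+]\$?$", r["purl"])]
```

Running `unpinned()` over a real depcheck-ignore.xml in CI is a cheap way to make sure a suppression added for one jar version does not silently outlive it.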

> Security and CVE Remediation Process for 0.8.0
> ----------------------------------------------
>
>                 Key: LIVY-900
>                 URL: https://issues.apache.org/jira/browse/LIVY-900
>             Project: Livy
>          Issue Type: Improvement
>          Components: Build
>            Reporter: Larry McCay
>            Priority: Major
>             Fix For: 0.8.0
>
>         Attachments: dependency-check-report.html
>
>
> As part of the revival of the Livy project, we indicated that an immediate 
> goal would be to establish a process for CVE and dependency hygiene. There 
> are a number of ways that we can address this and we need to consider which 
> ones would be most appropriate. Off the top of my head:
>  * Dependabot is being used in many projects and I believe there are a couple 
> different ways to integrate this either at the GitHub or GitBox (ASF) level.
>  ** Some automatically create PRs, for instance.
>  * External tooling that can be run such as OWASP dependency-check. I have 
> run this locally to discover the currently outstanding upgrades that need to 
> be addressed.
> FYI - this can be run via mvn:
> mvn org.owasp:dependency-check-maven:7.3.0:aggregate
> I'd like to gather ideas for productive ways to maintain proper dependency 
> hygiene and file tasks to get at least some of these done for the 0.8.0 release, 
> with the remediation of most, if not all, of the Critical and High CVEs.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)