exceptionfactory opened a new pull request #4971:
URL: https://github.com/apache/nifi/pull/4971
#### Description of PR
NIFI-5541 Adds a Maven build profile that can be used to generate an OWASP
dependency vulnerability report using the OWASP dependency-check plugin. The
following Maven command can be used to generate `dependency-check-report.html`
in the `target` directory:
`mvn clean verify -P owasp`
The build profile also references a default suppression configuration that
excludes warnings for Apache NiFi packages. This suppression configuration is
necessary since vulnerability analysis can produce false positives for NiFi
packages that contain the names of other projects.
As noted in the build profile comments, results of this report require
detailed analysis to determine whether the vulnerability impacts the
application. The purpose of this build profile and associated report is to
provide contributors with an initial snapshot of potential issues for further
investigation. Report results do not necessarily imply actual vulnerabilities
and upgrading dependencies requires careful usage evaluation.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
### For all changes:
- [X] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [X] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA
number you are trying to resolve? Pay particular attention to the hyphen "-"
character.
- [X] Has your PR been rebased against the latest commit within the target
branch (typically `main`)?
- [X] Is your initial contribution a single, squashed commit? _Additional
commits in response to PR reviewer feedback should be made on this branch and
pushed to allow change tracking. Do not `squash` or use `--force` when pushing
to allow for clean monitoring of changes._
### For code changes:
- [X] Have you ensured that the full suite of tests is executed via `mvn
-Pcontrib-check clean install` at the root `nifi` folder?
- [ ] Have you written or updated unit tests to verify your changes?
- [X] Have you verified that the full build is successful on JDK 8?
- [X] Have you verified that the full build is successful on JDK 11?
- [ ] If adding new dependencies to the code, are these dependencies
licensed in a way that is compatible for inclusion under [ASF
2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE` file, including the main
`LICENSE` file under `nifi-assembly`?
- [ ] If applicable, have you updated the `NOTICE` file, including the main
`NOTICE` file found under `nifi-assembly`?
- [ ] If adding new Properties, have you added `.displayName` in addition to
.name (programmatic access) for each of the new properties?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which
it is rendered?
### Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI for
build issues and submit an update to your PR as soon as possible.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
