risdenk commented on code in PR #1299:
URL: https://github.com/apache/solr/pull/1299#discussion_r1073604042
##########
gradle/validation/owasp-dependency-check.gradle:
##########
@@ -26,9 +26,12 @@ configure(rootProject) {
dependencyCheck {
failBuildOnCVSS = propertyOrDefault("validation.owasp.threshold", 7) as
Integer
formats = ['ALL']
- skipProjects = [':solr:solr-ref-guide']
+ skipProjects = [':solr:solr-ref-guide', ':solr-missing-doclet']
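Review bot: Adding `:solr-missing-doclet` to `skipProjects` on the `+ skipProjects` line switches off dependency scanning for that whole project rather than silencing the one misidentification, so any real dependency the doclet picks up later goes unchecked; since the problem is a wrong CPE match (the artifact being identified as Solr 1.0), a `<suppress>` entry scoped to that artifact and the `cpe:/a:apache:solr` CPE in the `exclusions.xml` already wired in via `suppressionFile` would keep the project in scope while dropping the false positives. It is also worth confirming that `:solr-missing-doclet` is the exact Gradle project path (the existing entry is nested under `:solr:`, this one is not), for example with `gradlew projects`, because an entry that matches no project path skips nothing.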
Review Comment:
`solr-missing-doclet` is a build-only dependency and keeps getting flagged
as a Solr 1.0 version with lots of CVEs - this doesn't need to be checked.
##########
gradle/validation/owasp-dependency-check.gradle:
##########
@@ -26,9 +26,12 @@ configure(rootProject) {
dependencyCheck {
failBuildOnCVSS = propertyOrDefault("validation.owasp.threshold", 7) as
Integer
formats = ['ALL']
- skipProjects = [':solr:solr-ref-guide']
+ skipProjects = [':solr:solr-ref-guide', ':solr-missing-doclet']
skipConfigurations = ['unifiedClasspath', 'permitUnusedDeclared']
suppressionFile = file("${resources}/exclusions.xml")
+ analyzers {
+ assemblyEnabled = false
+ }
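Review bot: The new `analyzers { assemblyEnabled = false }` block has no comment saying why a Java-only build disables the .NET assembly analyzer; the reason given in the thread (unrelated local .NET projects being picked up by the scan) belongs in the build file, otherwise the next person to touch this block has no way to tell whether it is safe to remove. A one-line comment above `analyzers {` such as `// no .NET code here; analyzer only fired on unrelated local projects` would do.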
Review Comment:
I have some .NET projects locally and for some reason dependency check is
picking this up and trying to scan the project. Since we don't use .NET - we
can disable the .NET Assembly scanner. See details here:
https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration.html
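For comparison with skipping the project outright, the following is a suppression entry of the kind that keeps a misidentified build-only artifact under scan while silencing the wrong CPE match. This is an added example, not part of the PR or of Solr's own `exclusions.xml`; the Maven coordinates `org.apache.solr:solr-missing-doclet` and the CPE `cpe:/a:apache:solr` are assumptions, and the real values should be taken from the `identifiers` section of the generated dependency-check report.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; not the Solr project's exclusions.xml. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      Build-only javadoc doclet. dependency-check maps it to the Apache Solr
      CPE by name and then reports every Solr CVE against it. Suppress the
      CPE match for this one artifact only; its real dependencies stay in
      scope. Coordinates below are assumed, copy the real package URL from
      the report before using this.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr\-missing\-doclet@.*$</packageUrl>
    <cpe>cpe:/a:apache:solr</cpe>
  </suppress>
</suppressions>
```

Suppressing the CPE rather than individual `<cve>` ids is deliberate: a CVE list would have to grow with every new Solr advisory, while the CPE suppression removes the root cause of the false positive and still applies only to the dependency matched by `packageUrl`.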
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]