[ https://issues.apache.org/jira/browse/YETUS-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16469073#comment-16469073 ]
Sean Busbey commented on YETUS-441:
-----------------------------------
v2: the Jenkins job
- adds a Jenkins job that will handle caching the CLI tool database
I tested this out locally and it works well.
{code}
jenkins busbey$ ./owasp-dependency-check-cache.sh --install
/var/folders/_n/t65fnc5x3779rz5qfdgw0f8r0000gp/T/tmp.fHqolPoM
/var/folders/_n/t65fnc5x3779rz5qfdgw0f8r0000gp/T/tmp.n0K85NmN
Dependency check CLI version: Dependency-Check Core version 3.1.2
[INFO] Checking for updates
[INFO] starting getUpdatesNeeded() ...
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE - 2002
[INFO] Download Started for NVD CVE - 2006
[INFO] Download Started for NVD CVE - 2003
[INFO] Download Started for NVD CVE - 2005
[INFO] Download Started for NVD CVE - 2007
[INFO] Download Started for NVD CVE - 2004
[INFO] Download Complete for NVD CVE - 2003 (2315 ms)
[INFO] Download Started for NVD CVE - 2008
[INFO] Processing Started for NVD CVE - 2003
[INFO] Download Complete for NVD CVE - 2004 (2858 ms)
[INFO] Download Started for NVD CVE - 2009
[INFO] Processing Started for NVD CVE - 2004
[INFO] Download Complete for NVD CVE - 2005 (3540 ms)
[INFO] Download Started for NVD CVE - 2010
[INFO] Processing Started for NVD CVE - 2005
[INFO] Download Complete for NVD CVE - 2002 (3922 ms)
[INFO] Download Started for NVD CVE - 2011
[INFO] Processing Started for NVD CVE - 2002
[INFO] Download Complete for NVD CVE - 2007 (4562 ms)
[INFO] Download Started for NVD CVE - 2012
[INFO] Download Complete for NVD CVE - 2006 (5273 ms)
[INFO] Download Started for NVD CVE - 2013
[INFO] Processing Complete for NVD CVE - 2003 (5013 ms)
[INFO] Processing Started for NVD CVE - 2007
[INFO] Download Complete for NVD CVE - 2009 (5316 ms)
[INFO] Download Started for NVD CVE - 2014
[INFO] Download Complete for NVD CVE - 2010 (5604 ms)
[INFO] Download Started for NVD CVE - 2015
[INFO] Download Complete for NVD CVE - 2008 (7336 ms)
[INFO] Download Started for NVD CVE - 2016
[INFO] Download Complete for NVD CVE - 2012 (5549 ms)
[INFO] Download Started for NVD CVE - 2017
[INFO] Download Complete for NVD CVE - 2013 (5389 ms)
[INFO] Download Started for NVD CVE - 2018
[INFO] Processing Complete for NVD CVE - 2004 (8361 ms)
[INFO] Processing Started for NVD CVE - 2006
[INFO] Download Complete for NVD CVE - 2018 (3341 ms)
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - 2014 (6195 ms)
[INFO] Download Complete for NVD CVE - 2015 (5372 ms)
[INFO] Download Complete for NVD CVE - 2011 (10796 ms)
[INFO] Download Complete for NVD CVE - 2016 (5527 ms)
[INFO] Processing Complete for NVD CVE - 2005 (12163 ms)
[INFO] Processing Started for NVD CVE - 2009
[INFO] Download Complete for NVD CVE - Modified (2209 ms)
[INFO] Processing Complete for NVD CVE - 2002 (12980 ms)
[INFO] Processing Started for NVD CVE - 2010
[INFO] Download Complete for NVD CVE - 2017 (8991 ms)
[INFO] Processing Complete for NVD CVE - 2007 (16433 ms)
[INFO] Processing Started for NVD CVE - 2008
[INFO] Processing Complete for NVD CVE - 2009 (13396 ms)
[INFO] Processing Started for NVD CVE - 2012
[INFO] Processing Complete for NVD CVE - 2006 (18225 ms)
[INFO] Processing Started for NVD CVE - 2013
[INFO] Processing Complete for NVD CVE - 2010 (15323 ms)
[INFO] Processing Started for NVD CVE - 2018
[INFO] Processing Complete for NVD CVE - 2018 (9568 ms)
[INFO] Processing Started for NVD CVE - 2014
[INFO] Processing Complete for NVD CVE - 2008 (25788 ms)
[INFO] Processing Started for NVD CVE - 2015
[INFO] Processing Complete for NVD CVE - 2012 (24264 ms)
[INFO] Processing Started for NVD CVE - 2011
[INFO] Processing Complete for NVD CVE - 2013 (24109 ms)
[INFO] Processing Started for NVD CVE - 2016
[INFO] Processing Complete for NVD CVE - 2015 (33817 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - 2014 (41995 ms)
[INFO] Processing Started for NVD CVE - 2017
[INFO] Processing Complete for NVD CVE - Modified (3869 ms)
[INFO] Processing Complete for NVD CVE - 2011 (34246 ms)
[INFO] Processing Complete for NVD CVE - 2016 (35660 ms)
[INFO] Processing Complete for NVD CVE - 2017 (21085 ms)
[INFO] Begin database maintenance.
[INFO] End database maintenance.
[INFO] Check for updates complete (114832 ms)
Done updating cache in '/var/folders/_n/t65fnc5x3779rz5qfdgw0f8r0000gp/T/tmp.n0K85NmN'
jenkins busbey$ ls -lah /var/folders/_n/t65fnc5x3779rz5qfdgw0f8r0000gp/T/tmp.n0K85NmN
total 643448
drwx------ 3 busbey staff 102B May 9 09:41 .
drwx------ 116 busbey staff 3.9K May 9 09:41 ..
-rw-r--r-- 1 busbey staff 314M May 9 09:41 dc.h2.db
dhcp-10-16-0-175:jenkins busbey$ ./owasp-dependency-check-cache.sh --install
/var/folders/_n/t65fnc5x3779rz5qfdgw0f8r0000gp/T/tmp.fHqolPoM
/var/folders/_n/t65fnc5x3779rz5qfdgw0f8r0000gp/T/tmp.n0K85NmN
Dependency check CLI version: Dependency-Check Core version 3.1.2
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Check for updates complete (21 ms)
Done updating cache in '/var/folders/_n/t65fnc5x3779rz5qfdgw0f8r0000gp/T/tmp.n0K85NmN'
{code}
While this is pending review, I'll push it to a branch so I can point an actual
Jenkins job somewhere and make sure there isn't a gap in that environment.
> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>
> Key: YETUS-441
> URL: https://issues.apache.org/jira/browse/YETUS-441
> Project: Yetus
> Issue Type: New Feature
> Components: Test Patch
> Reporter: Sean Busbey
> Assignee: Sean Busbey
> Priority: Major
> Attachments: YETUS-441.0.patch, YETUS-441.1.patch, YETUS-441.2.patch,
> dependency-check-suppression.xml
>
>
> Add in a precommit test that makes use of [The OWASP Dependency
> Check|https://www.owasp.org/index.php/OWASP_Dependency_Check] to look for
> known bad dependencies.
> There's a Maven plugin, Ant task, and command line tool, so we should be able
> to build similar support to what we have for RAT.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
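The caching behaviour the comment describes (a persistent data directory holding the `dc.h2.db` database, and skipping the NVD download when the cache is recent) can be sketched as a small wrapper. The script below is an added illustration for this page, not the `owasp-dependency-check-cache.sh` script attached to YETUS-441, and it does not show how that job is wired into Jenkins. It assumes the Dependency-Check CLI is reachable as `dependency-check.sh` (overridable through `DC_CLI`) and uses the CLI's real `--updateonly` and `--data` options; the 4-hour freshness window (`MAX_AGE_SECONDS`) is chosen to mirror the "last check was within 4 hours" skip seen in the log above.

```shell
#!/usr/bin/env bash
# Added example (not the Yetus project's script): keep a persistent
# OWASP Dependency-Check data directory and only invoke the CLI updater
# when the cached H2 database is missing or older than a threshold.
# --updateonly and --data are real dependency-check CLI options; the
# DC_CLI path and the freshness window are assumptions of this example.

set -u

DC_CLI="${DC_CLI:-dependency-check.sh}"       # assumed location of the CLI launcher
MAX_AGE_SECONDS="${MAX_AGE_SECONDS:-14400}"   # 4 hours, like the CLI's own NVD skip

# cache_is_stale DIR MAX_AGE
# Succeeds (exit 0) when the cache in DIR should be refreshed: either the
# database file does not exist yet, or it is older than MAX_AGE seconds.
cache_is_stale() {
  dir="$1"; max_age="$2"
  db="$dir/dc.h2.db"
  [ -f "$db" ] || return 0                    # no database yet: must update
  now=$(date +%s)
  # GNU stat first, BSD/macOS stat as the fallback
  mtime=$(stat -c %Y "$db" 2>/dev/null || stat -f %m "$db")
  age=$((now - mtime))
  [ "$age" -gt "$max_age" ]
}

# refresh_cache DIR
# Creates DIR if needed, runs the NVD update only when the cache is stale,
# and prints "updated" or "fresh" so a CI log shows which path was taken.
refresh_cache() {
  dir="$1"
  mkdir -p "$dir"
  if cache_is_stale "$dir" "$MAX_AGE_SECONDS"; then
    "$DC_CLI" --updateonly --data "$dir" || return 1
    echo "updated"
  else
    echo "fresh"
  fi
}

# Typical use from a job: refresh_cache "$HOME/.dependency-check-data"
```

Downstream builds then point the scanner at the same directory with `--data`, so the expensive NVD download happens once per window on the caching job rather than on every precommit run.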