[
https://issues.apache.org/jira/browse/YETUS-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16565486#comment-16565486 ]
Allen Wittenauer commented on YETUS-441:
----------------------------------------
Here's the console-based report generated for Hadoop trunk (with some
irrelevant bits pulled out):
{code:java}
-1 overall
| Vote | Subsystem | Runtime | Comment
============================================================================
| 0 | reexec | 18m 44s | Docker mode activated.
| | | | Prechecks
| | | | Compile Tests
| 0 | mvndep | 5m 35s | Maven dependency ordering
| -1 | dependency_check | 4m 6s | The source tree has 27 issues.
| | | | Other Tests
| | | 28m 55s |
Reason | Tests
CVE | Severity Dependency
CVE-2017-9735 | Medium jetty-http-9.3.19.v20170502.jar
CVE-2017-9735 | Medium jetty-server-9.3.19.v20170502.jar
CVE-2017-9735 | Medium jetty-util-9.3.19.v20170502.jar
CVE-2017-9735 | Medium jetty-security-9.3.19.v20170502.jar
CVE-2017-9735 | Medium jetty-servlet-9.3.19.v20170502.jar
CVE-2017-9735 | Medium jetty-xml-9.3.19.v20170502.jar
CVE-2017-9735 | Medium jetty-webapp-9.3.19.v20170502.jar
CVE-2015-5237 | Medium protobuf-java-2.5.0.jar
CVE-2014-0085 | Low curator-framework-2.12.0.jar
CVE-2016-5017 | Medium curator-framework-2.12.0.jar
CVE-2018-8012 | Medium curator-framework-2.12.0.jar
CVE-2014-0085 | Low zookeeper-3.4.9.jar
CVE-2017-5637 | Medium zookeeper-3.4.9.jar
CVE-2018-8012 | Medium zookeeper-3.4.9.jar
CVE-2015-4035 | Medium xz-1.0.jar
CVE-2017-9735 | Medium jetty-util-ajax-9.3.19.v20170502.jar
CVE-2017-15095 | High htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)
CVE-2017-17485 | High htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)
CVE-2017-7525 | High htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)
CVE-2018-5968 | Medium htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)
CVE-2018-7489 | High htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)
CVE-2006-4711 | Medium aws-java-sdk-bundle-1.11.271.jar (shaded: com.amazonaws:aws-java-sdk-sagemaker:1.11.271)
CVE-2007-0896 | Medium aws-java-sdk-bundle-1.11.271.jar (shaded: com.amazonaws:aws-java-sdk-sagemaker:1.11.271)
CVE-2015-3362 | Low aws-java-sdk-bundle-1.11.271.jar (shaded: com.amazonaws:aws-java-sdk-kinesisvideo:1.11.271)
CVE-2015-8559 | Medium aws-java-sdk-bundle-1.11.271.jar (shaded: com.amazonaws:aws-java-sdk-opsworkscm:1.11.271)
CVE-2017-17485 | High aws-java-sdk-bundle-1.11.271.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.6.7.1)
CVE-2018-5968 | Medium aws-java-sdk-bundle-1.11.271.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.6.7.1)
|| Subsystem || Report/Notes ||
============================================================================
| dependency_check | version: 3.3.0 |
| dependency_check | Full Report: https://builds.apache.org/job/yetus-hadoop-rbt/9/artifact/out/dependency-check-report.html |
{code}
> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>
> Key: YETUS-441
> URL: https://issues.apache.org/jira/browse/YETUS-441
> Project: Yetus
> Issue Type: New Feature
> Components: Test Patch
> Reporter: Sean Busbey
> Assignee: Sean Busbey
> Priority: Major
> Fix For: 0.8.0
>
> Attachments: YETUS-441.0.patch, YETUS-441.004.patch,
> YETUS-441.005.patch, YETUS-441.006.patch, YETUS-441.1.patch,
> YETUS-441.2.patch, YETUS-441.3.patch, dependency-check-suppression.xml
>
>
> Add in a precommit test that makes use of [The OWASP Dependency Check|https://www.owasp.org/index.php/OWASP_Dependency_Check] to look for
> known bad dependencies.
> There's a Maven plugin, Ant task, and command-line tool, so we should be able
> to build similar support to what we have for RAT.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
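As an added example (not part of this JIRA thread or of Yetus itself), a small Python parser for the dependency_check findings table quoted in the comment above: it re-joins entries that line wrapping split after "(shaded:", attributes a shaded finding to the embedded artifact rather than the bundling jar, and derives a Yetus-style -1/+1 vote from a severity threshold. The function names, the severity ordering and the threshold rule are my assumptions, and the sample input is a constructed subset of the report.

```python
import re
from collections import Counter

# Constructed sample: a subset of the dependency_check findings quoted in the
# report above, including one entry wrapped across two lines by e-mail.
SAMPLE_REPORT = """\
CVE | Severity Dependency
CVE-2017-9735 | Medium jetty-http-9.3.19.v20170502.jar
CVE-2015-5237 | Medium protobuf-java-2.5.0.jar
CVE-2014-0085 | Low curator-framework-2.12.0.jar
CVE-2017-15095 | High htrace-core4-4.1.0-incubating.jar (shaded:
com.fasterxml.jackson.core:jackson-databind:2.4.0)
CVE-2017-17485 | High aws-java-sdk-bundle-1.11.271.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.6.7.1)
"""

FINDING_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s*\|\s*(?P<severity>Critical|High|Medium|Low)\s+"
    r"(?P<jar>\S+)(?:\s+\(shaded:\s*(?P<shaded>[^)]+)\))?\s*$"
)
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}  # assumed ordering

def _unwrap(report):
    """Re-join findings that line wrapping split right after '(shaded:'."""
    lines = []
    for raw in report.splitlines():
        line = raw.strip()
        if lines and lines[-1].endswith("(shaded:"):
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines

def parse_findings(report):
    """One dict (cve, severity, jar, shaded) per finding; other lines are skipped."""
    return [m.groupdict() for m in map(FINDING_RE.match, _unwrap(report)) if m]

def vote(findings, fail_at="Low"):
    """Yetus-style vote (assumed rule): -1 if any finding is at or above fail_at, else +1."""
    threshold = SEVERITY_RANK[fail_at]
    return -1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings) else 1

def summarize(findings):
    """Counts per severity plus the distinct vulnerable artifacts; a shaded
    finding is attributed to the embedded coordinates, not the bundling jar."""
    by_severity = Counter(f["severity"] for f in findings)
    artifacts = sorted({f["shaded"] or f["jar"] for f in findings})
    return {"count": len(findings), "by_severity": dict(by_severity),
            "artifacts": artifacts}
```

Grouping by the embedded coordinates is what makes the jackson-databind findings show up as one upgrade item instead of two unrelated bundling jars.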