Re: [PR] Cassandra 19146 3.0 [cassandra]

Wed, 13 Dec 2023 03:02:03 -0800 


Mmuzaf commented on code in PR #2971:
URL: https://github.com/apache/cassandra/pull/2971#discussion_r1425193152


##########
.build/build-owasp.xml:
##########
@@ -52,35 +72,125 @@
         </taskdef>
 
         <!--
-            default value for cveValidForHours is 4 after which sync is done 
again
-
-            skipping using two specific caches at the end is solving (1)
+            default value for nvdValidForHours is 4 after which sync is done 
again
 
             failBuildOnCVSS is by default 11 so build would never fail,
-            the table categorising vulnerabilities is here (2), so by setting
+            the table categorising vulnerabilities is here (1), so by setting
             "failBuildOnCVSS" to 1, we will fail the build on any CVE found
             if it is not suppressed already dependency-check-suppressions.xml
 
             If a vendor provides no details about a vulnerability,
             NVD will score that vulnerability as 10.0 (the highest rating 
translating to critical).
 
-            (1) https://github.com/jeremylong/DependencyCheck/issues/2166
-            (2) https://nvd.nist.gov/vuln-metrics/cvss
+            (1) https://nvd.nist.gov/vuln-metrics/cvss
         -->
         <dependency-check projectname="Apache Cassandra"
-                          reportoutputdirectory="${basedir}/build"
-                          reportformat="HTML"
+                          nvdApiKey="${nvd.api.key}"
+                          
reportoutputdirectory="${dependency-check.report.dir}"
+                          reportformat="ALL"
                           prettyPrint="true"
-                          cveValidForHours="1"
-                          centralAnalyzerUseCache="false"
-                          nodeAuditAnalyzerUseCache="false"
+                          nvdValidForHours="${nvd.validity.hours}"
+                          centralAnalyzerUseCache="true"

Review Comment:
   This is not only about the depencency-check version upgrade, right? We've 
introduced caching here, so the JIRA issue and its description should be 
updated accordingly :-)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to