Mmuzaf commented on code in PR #2971:
URL: https://github.com/apache/cassandra/pull/2971#discussion_r1425214567
##########
.build/build-owasp.xml:
##########
@@ -52,35 +72,125 @@
</taskdef>
<!--
- default value for cveValidForHours is 4 after which sync is done
again
-
- skipping using two specific caches at the end is solving (1)
+ default value for nvdValidForHours is 4 after which sync is done
again
failBuildOnCVSS is by default 11 so build would never fail,
- the table categorising vulnerabilities is here (2), so by setting
+ the table categorising vulnerabilities is here (1), so by setting
"failBuildOnCVSS" to 1, we will fail the build on any CVE found
if it is not suppressed already dependency-check-suppressions.xml
If a vendor provides no details about a vulnerability,
NVD will score that vulnerability as 10.0 (the highest rating
translating to critical).
- (1) https://github.com/jeremylong/DependencyCheck/issues/2166
- (2) https://nvd.nist.gov/vuln-metrics/cvss
+ (1) https://nvd.nist.gov/vuln-metrics/cvss
-->
<dependency-check projectname="Apache Cassandra"
- reportoutputdirectory="${basedir}/build"
- reportformat="HTML"
+ nvdApiKey="${nvd.api.key}"
+
reportoutputdirectory="${dependency-check.report.dir}"
+ reportformat="ALL"
Review Comment:
Do we need to generate all formats? Why HTML is not enough now?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
