jacek-lewandowski commented on code in PR #2971:
URL: https://github.com/apache/cassandra/pull/2971#discussion_r1425425686
##########
.build/build-owasp.xml:
##########
@@ -52,35 +72,125 @@
</taskdef>
<!--
- default value for cveValidForHours is 4 after which sync is done
again
-
- skipping using two specific caches at the end is solving (1)
+ default value for nvdValidForHours is 4 after which sync is done
again
failBuildOnCVSS is by default 11 so build would never fail,
- the table categorising vulnerabilities is here (2), so by setting
+ the table categorising vulnerabilities is here (1), so by setting
"failBuildOnCVSS" to 1, we will fail the build on any CVE found
if it is not suppressed already dependency-check-suppressions.xml
If a vendor provides no details about a vulnerability,
NVD will score that vulnerability as 10.0 (the highest rating
translating to critical).
- (1) https://github.com/jeremylong/DependencyCheck/issues/2166
- (2) https://nvd.nist.gov/vuln-metrics/cvss
+ (1) https://nvd.nist.gov/vuln-metrics/cvss
-->
<dependency-check projectname="Apache Cassandra"
- reportoutputdirectory="${basedir}/build"
- reportformat="HTML"
+ nvdApiKey="${nvd.api.key}"
+
reportoutputdirectory="${dependency-check.report.dir}"
+ reportformat="ALL"
Review Comment:
HTML is for you to navigate the results easily, JUNIT is for CI to show the
results just like other tests results, JSON is for future license scan
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
