> We surely also pull in a lot of potentially bad dependencies. and this may be a chance to re-check our dependencies and remove unnecessary..
----------------------------------- Xiangdong Huang Christofer Dutz <christofer.d...@c-ware.de> 于2024年4月5日周五 19:13写道: > > Hi all, > > I just wanted to bring up one idea that we decided in the PLC4X project and > seed the idea, if this would also be worth discussing here. > > So, we were seeing that our build kept on having sub-ideal CVE ratings as we > had dependencies for which CVEs were reported. > However, PLC4X itself has a very limited number of dependencies. The problem > was that we had several “integration” modules, that pulled in Kafka, Calcite, > Nifi and some Eclipse projects. > Also did a lot of our examples pull in various third party libraries, for > which also vulnerabilities were reported. > > We are currently in the process of splitting up our main repository into a > main and an extras repository. > The main contains the core of the project. The extras contains the examples, > additional tools and integration modules (The ones with the many, many > dependencies) > This way we can get a much better secutity standing for the main repo. > > Would this also be a good idea for IoTDB? I know with our dependencies to: > > * Flink > * Grafana > * Hadoop > * Hive > * Spark > * Zeppelin (this one is really bad when it comes to CVEs) > * Pulsar (only examples) > * RabbitMQ (only examples) > * RocketMQ (only examples) > > We surely also pull in a lot of potentially bad dependencies. If we moved > this out the same way we would probably have a much better CVE ranking. > This might become problematic in the future as in Europe and in the US > CRE/PLD and other initiatives are taking form. > > Chris