Konstantin Knauf created FLINK-12119:
----------------------------------------

             Summary: Add OWASP Dependency Check to Flink Build
                 Key: FLINK-12119
                 URL: https://issues.apache.org/jira/browse/FLINK-12119
             Project: Flink
          Issue Type: Improvement
          Components: Build System
            Reporter: Konstantin Knauf
            Assignee: Konstantin Knauf


In order to obtain some visibility into the currently known security 
vulnerabilities in Flink's dependencies, it would be useful to include the 
OWASP dependency check plugin [1] in our Maven build.

By including it in flink-parent, we can get a summary of all dependencies of 
all child projects by running 

{{mvn clean org.owasp:dependency-check-maven:5.0.0-M2:aggregate}}

We should probably exclude some modules from the dependency-check. These could 
be: 
 * flink-dist
 * flink-docs
 * flink-examples
 * flink-end-to-end-tests
 * flink-fs-tests
 * flink-test-utils-parent
 * flink-yarn-tests
 * flink-contrib

Anything else? What about flink-python/flink-streaming-python?

In addition I propose to exclude all dependencies in the *system* or *provided* 
scope.

At least initially, the build would never fail because of vulnerabilities.

 [1] 
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
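Added example (not part of the issue above and not Flink's own build configuration): one way to wire the plugin into flink-parent as the issue proposes, with provided- and system-scope dependencies skipped and a CVSS threshold that reports findings without ever failing the build. The placement in flink-parent and the choice of flink-examples as the module that opts out are assumptions for illustration; the parameter names are those of dependency-check-maven.

```xml
<!-- Fragment for flink-parent's pom.xml (hypothetical placement, not the project's file) -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>5.0.0-M2</version>
      <configuration>
        <!-- provided/system scope artifacts come from the runtime, not from the shipped build -->
        <skipProvidedScope>true</skipProvidedScope>
        <skipSystemScope>true</skipSystemScope>
        <!-- test scope is skipped by default; stated explicitly so the policy is visible -->
        <skipTestScope>true</skipTestScope>
        <!-- CVSS scores range 0-10, so a threshold of 11 reports but never fails the build -->
        <failBuildOnCVSS>11</failBuildOnCVSS>
        <!-- HTML for humans, XML/JSON/CSV for tooling -->
        <format>ALL</format>
      </configuration>
    </plugin>
  </plugins>
</build>

<!-- Fragment for a module to exclude, e.g. flink-examples/pom.xml (assumed module):
     the child inherits the parent plugin and turns it off for itself -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <configuration>
        <skip>true</skip>
      </configuration>
    </plugin>
  </plugins>
</build>
```

With this in place, the command quoted in the issue ({{mvn clean org.owasp:dependency-check-maven:5.0.0-M2:aggregate}}) writes a single report under the root module's target/ directory covering every non-skipped child module. The first run downloads the NVD data feed, which takes a while and needs network access; later runs only fetch updates. Once the team is comfortable with the baseline, lowering failBuildOnCVSS (for example to 7) is the switch that turns the report into a gate.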