nutch-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (NUTCH-2668) Integrate OWASP dependency checks as ant target
Date Mon, 19 Nov 2018 20:58:00 GMT

    [ https://issues.apache.org/jira/browse/NUTCH-2668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16692265#comment-16692265
] 

ASF GitHub Bot commented on NUTCH-2668:
---------------------------------------

sebastian-nagel closed pull request #401: NUTCH-2668 Integrate OWASP dependency checks as
ant target
URL: https://github.com/apache/nutch/pull/401
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/build.xml b/build.xml
index e19179e12..928ffaa0e 100644
--- a/build.xml
+++ b/build.xml
@@ -612,6 +612,34 @@
     </fail>
   </target>
 
+  <!-- Check dependencies for security vulnerabilities                               
    -->
+  <!-- requires installation of OWASP dependency check tool, see                     
    -->
+  <!--   https://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html
    -->
+  <!-- get http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-3.3.2-release.zip
-->
+  <!-- and unzip in directory ./ivy/                                                 
    -->
+  <property name="dependency-check.home" value="${ivy.dir}/dependency-check-ant/"/>
+  <path id="dependency-check.path">
+    <pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
+    <fileset dir="${dependency-check.home}/lib">
+      <include name="*.jar"/>
+    </fileset>
+  </path>
+  <taskdef resource="dependency-check-taskdefs.properties">
+    <classpath refid="dependency-check.path" />
+  </taskdef>
+  <target name="report-vulnerabilities" description="--> check dependencies for security
vulnerabilities">
+    <dependency-check projectname="${name}"
+                      reportoutputdirectory="${build.dir}"
+                      reportformat="ALL">
+        <suppressionfile path="${dependency-check.home}/dependency-check-suppressions.xml"
/>
+        <retirejsFilter regex="copyright.*jeremy long" />
+        <fileset dir="${build.dir}">
+          <include name="lib/*.jar"/>
+          <include name="plugins/*/*.jar"/>
+        </fileset>
+    </dependency-check>
+  </target>
+
   <!-- ================================================================== -->
   <!-- Documentation                                                      -->
   <!-- ================================================================== -->
diff --git a/ivy/dependency-check-ant/dependency-check-suppressions.xml b/ivy/dependency-check-ant/dependency-check-suppressions.xml
new file mode 100644
index 000000000..e7de8febb
--- /dev/null
+++ b/ivy/dependency-check-ant/dependency-check-suppressions.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+   <suppress>
+      <notes>only applies to tika-server &lt; 1.18</notes>
+      <gav regex="true">^org\.(apache\.tika:tika-(core|parsers)|gagravarr:vorbis-java-tika):.*$</gav>
+      <cve>CVE-2018-1335</cve>
+   </suppress>
+</suppressions>


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Integrate OWASP dependency checks as ant target
> -----------------------------------------------
>
>                 Key: NUTCH-2668
>                 URL: https://issues.apache.org/jira/browse/NUTCH-2668
>             Project: Nutch
>          Issue Type: Improvement
>          Components: build
>    Affects Versions: 2.4, 1.16
>            Reporter: Sebastian Nagel
>            Priority: Major
>             Fix For: 2.4, 1.16
>
>         Attachments: 1x-dependency-check-report.html, 1x-dependency-check-vulnerability.html,
2x-dependency-check-report.html, 2x-dependency-check-vulnerability.html
>
>
> [OWASP|http://www.owasp.org/] provides the [ant tool "dependency-check"|https://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html]
which lists potential vulnerabilities of library dependencies. We should integrate the generation
of vulnerability reports into our build system as an optional task/target recommended to be
run from time to time and especially shortly before releases are prepared.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message