[go: nahoru, domu]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add OWASP Dependency Checker to the GH CI workflows #13972

Merged
merged 2 commits into from
Feb 1, 2022
Merged

Add OWASP Dependency Checker to the GH CI workflows #13972

merged 2 commits into from
Feb 1, 2022

Conversation

dlg99
Copy link
Contributor
@dlg99 dlg99 commented Jan 27, 2022

Motivation

Detect CVEs early and make them visible to the committers

Modifications

Added GH workflow that will fail if new CVE with level > 7 detected. The plan is to not treat it as blocking merge.
Currently some projects that will not pass the check and aren't included into the suppressions for variety of reasons are excluded.

Verifying this change

  • Make sure that the change passes the CI checks.

This change is a trivial rework / code cleanup without any test coverage.

Does this pull request potentially affect one of the following parts:

If yes was chosen, please highlight the changes

  • Dependencies (does it add or upgrade a dependency): (yes / no)
  • The public API: (yes / no)
  • The schema: (yes / no / don't know)
  • The default values of configurations: (yes / no)
  • The wire protocol: (yes / no)
  • The rest endpoints: (yes / no)
  • The admin cli options: (yes / no)
  • Anything that affects deployment: (yes / no / don't know)

Documentation

Check the box below or label this PR directly (if you have committer privilege).

Need to update docs?

  • doc-required

    (If you need help on updating docs, create a doc issue)

  • no-need-doc

    (Please explain why)

  • doc

    (If this PR contains doc changes)

@dlg99 dlg99 marked this pull request as draft January 27, 2022 00:43
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Jan 27, 2022
@dlg99
Copy link
Contributor Author
dlg99 commented Jan 29, 2022

/pulsarbot run-failure-checks

1 similar comment
@dlg99
Copy link
Contributor Author
dlg99 commented Jan 29, 2022

/pulsarbot run-failure-checks

lhotari
lhotari approved these changes Jan 29, 2022
View reviewed changes
Copy link
Member
@lhotari lhotari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

eolivelli
eolivelli requested changes Jan 29, 2022
View reviewed changes
Copy link
Contributor
@eolivelli eolivelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great stuff.
But I left one comment.

.github/workflows/ci-owasp-dep-check.yaml

name: CI - Misc - OWASP Dependency Check
on:
pull_request:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why running this check on every pull request?
New dependencies are added very seldom.
If a dependency is flagged there will be much noise.
People usually add a new dependency using the latest available version.

I suggest to run this only periodically, like every day and manually on every active release branch

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eolivelli this is only run when one of the pom.xml files is modified.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in addition there's the existing job to run periodically

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eolivelli as Lari said, it runs only on changes in pom files, see:

      - name: Detect changed pom files
        id: changes
        uses: apache/pulsar-test-infra/paths-filter@master
        with:
          filters: |
            poms:
              - 'pom.xml'
              - '**/pom.xml'

@dlg99 dlg99 marked this pull request as ready for review January 31, 2022 20:14
eolivelli
eolivelli approved these changes Jan 31, 2022
View reviewed changes
Copy link
Contributor
@eolivelli eolivelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your clarifications

Lgtm

nicoloboschi
nicoloboschi approved these changes Jan 31, 2022
View reviewed changes
Copy link
Contributor
@nicoloboschi nicoloboschi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1, great work

@eolivelli eolivelli merged commit 3c29c7e into apache:master Feb 1, 2022
@hpvd hpvd mentioned this pull request Feb 2, 2022
Closed
@hpvd
Copy link
hpvd commented Feb 2, 2022

+1

@lhotari lhotari mentioned this pull request Mar 1, 2022
Closed
Nicklee007 pushed a commit to Nicklee007/pulsar that referenced this pull request Apr 20, 2022
@dlg99
Add OWASP Dependency Checker to the GH CI workflows (apache#13972)
bb21c86
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lhotari lhotari lhotari approved these changes

@michaeljmarshall michaeljmarshall michaeljmarshall approved these changes

@eolivelli eolivelli eolivelli approved these changes

@nicoloboschi nicoloboschi nicoloboschi approved these changes

Assignees

@dlg99 dlg99

Labels
area/build area/security doc-not-needed Your PR changes do not impact docs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@dlg99 @hpvd @lhotari @eolivelli @nicoloboschi @michaeljmarshall