Sean Busbey created HBASE-20553:
-----------------------------------
Summary: Add dependency CVE checking to nightly tests
Key: HBASE-20553
URL: https://issues.apache.org/jira/browse/HBASE-20553
Project: HBase
Issue Type: Umbrella
Components: dependencies
Affects Versions: 3.0.0
Reporter: Sean Busbey
Fix For: 3.0.0, 2.1.0
We should proactively work to flag dependencies with known CVEs so that we can
then update them early in our development instead of near a release.
YETUS-441 is working to add a plugin for this, we should grab a copy early to
make sure it works for us.
Rough outline:
1. [install yetus locally|http://yetus.apache.org/downloads/]
2. [install the dependency-check
cli|https://www.owasp.org/index.php/OWASP_Dependency_Check] (homebrew
instructions on right hand margin)
3. Get a local copy of the OWASP datafile ({{dependency-check --update-only
--data /some/local/path/to/dir}})
4. Run {{hbase_nightly_yetus.sh}} using matching environment variables from the
“yetus general check” (currently [line #126 in our nightly
Jenkinsfile|https://github.com/apache/hbase/blob/master/dev-support/Jenkinsfile#L126])
5. Grab the plugin definition and suppression file from from YETUS-441
6. put the plugin definition either in a directory of dev-support or into the
hbase-personality.sh directly
7. Re-run {{hbase_nightly_yetus.sh}} to verify that the plugin results show up.
(Probably this will involve adding new pointers for “where is the suppression
file”, “where is the OWASP datafile” and pointing them somewhere locally.)
Once all of that is in place we’ll get the changes needed into a branch that we
can test out. Over in YETUS-441 I’ll need to add a jenkins job that’ll handle
periodically updating a copy of the datafile for the OWASP dependency checker.
Presuming I have that in place by the time we have a nightly branch to check
this out, then we’ll also need to update our nightly Jenkinsfile to fetch the
data file from that job.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
