[
https://issues.apache.org/jira/browse/NUTCH-2668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16692266#comment-16692266
]
ASF GitHub Bot commented on NUTCH-2668:
---------------------------------------
sebastian-nagel closed pull request #404: NUTCH-2668 Integrate OWASP dependency
checks as ant target
URL: https://github.com/apache/nutch/pull/404
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/build.xml b/build.xml
index c21ced9a3..1f5a0d9b2 100644
--- a/build.xml
+++ b/build.xml
@@ -599,6 +599,35 @@
</fail>
</target>
+ <!-- Check dependencies for security vulnerabilities
-->
+ <!-- requires installation of OWASP dependency check tool, see
-->
+ <!--
https://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html
-->
+ <!-- get
http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-3.3.2-release.zip
-->
+ <!-- and unzip in directory ./ivy/
-->
+ <property name="dependency-check.home"
value="${ivy.dir}/dependency-check-ant/"/>
+ <path id="dependency-check.path">
+ <pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
+ <fileset dir="${dependency-check.home}/lib">
+ <include name="*.jar"/>
+ </fileset>
+ </path>
+ <taskdef resource="dependency-check-taskdefs.properties">
+ <classpath refid="dependency-check.path" />
+ </taskdef>
+ <target name="report-vulnerabilities" description="--> check dependencies
for security vulnerabilities">
+ <dependency-check projectname="${name}"
+ reportoutputdirectory="${build.dir}"
+ reportformat="ALL">
+ <suppressionfile
path="${dependency-check.home}/dependency-check-suppressions.xml" />
+ <retirejsFilter regex="copyright.*jeremy long" />
+ <fileset dir="${build.dir}">
+ <include name="lib/*.jar"/>
+ <include name="plugins/*/*.jar"/>
+ </fileset>
+ </dependency-check>
+ </target>
+
+
<target name="compile-avro-schema" depends="resolve-default"
description="--> compile the avro schema(s) in src/gora/*.avsc">
<typedef name="schema"
classname="org.apache.avro.specific.SchemaTask"
diff --git a/ivy/dependency-check-ant/dependency-check-suppressions.xml
b/ivy/dependency-check-ant/dependency-check-suppressions.xml
new file mode 100644
index 000000000..e7de8febb
--- /dev/null
+++ b/ivy/dependency-check-ant/dependency-check-suppressions.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd";>
+ <suppress>
+ <notes>only applies to tika-server < 1.18</notes>
+ <gav
regex="true">^org\.(apache\.tika:tika-(core|parsers)|gagravarr:vorbis-java-tika):.*$</gav>
+ <cve>CVE-2018-1335</cve>
+ </suppress>
+</suppressions>
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Integrate OWASP dependency checks as ant target
> -----------------------------------------------
>
> Key: NUTCH-2668
> URL: https://issues.apache.org/jira/browse/NUTCH-2668
> Project: Nutch
> Issue Type: Improvement
> Components: build
> Affects Versions: 2.4, 1.16
> Reporter: Sebastian Nagel
> Priority: Major
> Fix For: 2.4, 1.16
>
> Attachments: 1x-dependency-check-report.html,
> 1x-dependency-check-vulnerability.html, 2x-dependency-check-report.html,
> 2x-dependency-check-vulnerability.html
>
>
> [OWASP|http://www.owasp.org/] provides the [ant tool
> "dependency-check"|https://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html]
> which lists potential vulnerabilities of library dependencies. We should
> integrate the generation of vulnerability reports into our build system as an
> optional task/target recommended to be run from time to time and especially
> shortly before releases are prepared.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
