Note the OWASP job has been failing since the upgrade to dependency checker 4 due to "Target "dependency-check-update" does not exist in the project "ZooKeeper"". The Jenkins job was explicitly running the update (which seems to not exist after the upgrade).

I updated the job targets; however, it's now failing due to CVEs in netty and some deps:
https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/255/

Agree we should clear these out...

Patrick

On Sat, Jan 26, 2019 at 3:54 AM Enrico Olivelli <eolive...@gmail.com> wrote:

> I have forced the download of patterns and now the results are
> consistent with the ones on my laptop
>
> see the results:
> https://builds.apache.org/job/ZooKeeper-trunk-owasp/250/console
>
> In patch:
> https://github.com/apache/zookeeper/pull/788
>
> I have added the fix to force the download of patterns at every run.
>
> IMHO it is better to merge the patch soon
>
> Enrico
>
> On Sat, Jan 26, 2019 at 11:44, Enrico Olivelli
> <eolive...@gmail.com> wrote:
> >
> > Hi Zookeepers,
> > while working on the migration of the OWASP task to the Maven build I
> > found that currently the CI Job
> > (https://builds.apache.org/job/ZooKeeper-trunk-owasp/) is not working
> > properly.
> >
> > On my laptop both the ant task and the maven one are reporting several
> > issues, due to dependencies updated/introduced recently, like Netty
> > 4.1.29 (which is not the latest and greatest released version)
> >
> > I have attached my logs in JIRA
> > https://issues.apache.org/jira/browse/ZOOKEEPER-3256
> >
> > This is the patch to add OWASP to Maven build
> > https://github.com/apache/zookeeper/pull/788
> >
> > My proposal:
> > 1) commit PR #788 to all the active branches
> > 2) create an issue to address the new issues and upgrade all the deps
> > and/or add suppressions
> > 3) add OWASP job to the new Maven CI pre-commit/post-commit
> >
> > As soon as we commit the plugin configuration I will set up the CI Job
> > for OWASP.
> >
> > Please anyone try out my patch and/or the ant task and confirm my
> > findings.
> > I am trying to understand why the CI job is not reporting the same
> > results as on my laptop. Actually my best guess is that it is not
> > re-downloading CVE patterns from NIST and so it is working with stale
> > information.
> >
> > Regards
> > Enrico