Working on the fix https://issues.apache.org/jira/browse/ZOOKEEPER-3262
Enrico Il giorno mer 30 gen 2019 alle ore 21:41 Patrick Hunt <ph...@apache.org> ha scritto: > > Note the owasp job has been failing since the upgrade to dependency checker > 4 due to > "Target "dependency-check-update" does not exist in the project "ZooKeeper"" > the jenkins job was explicitly running the update (which seems to not exist > after the upgrade). > > I updated the job targets however it's now failing due to CVEs in netty and > some deps: > https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/255/ > agree we should clear these out... > > Patrick > > > On Sat, Jan 26, 2019 at 3:54 AM Enrico Olivelli <eolive...@gmail.com> wrote: > > > I have forced the download of pattern and now the results are > > consistent with the ones on my laptop > > > > see the results: > > https://builds.apache.org/job/ZooKeeper-trunk-owasp/250/console > > > > In patch: > > https://github.com/apache/zookeeper/pull/788 > > > > I have added the fix to force the download of patterns at every run. > > > > IMHO it is better to merge the patch soon > > > > Enrico > > > > Il giorno sab 26 gen 2019 alle ore 11:44 Enrico Olivelli > > <eolive...@gmail.com> ha scritto: > > > > > > Hi Zookeepers, > > > while working on the migration of OWASP task to the Maven build I > > > found that currently the CI Job > > > (https://builds.apache.org/job/ZooKeeper-trunk-owasp/) is not working > > > properly. > > > > > > On my laptop both the ant task and the maven one are reporting several > > > issues, due to dependencies updated/introduced recently, like Netty > > > 4.1.29 (which is not the latest and greatest released version) > > > > > > I have attached my logs in JIRA > > > https://issues.apache.org/jira/browse/ZOOKEEPER-3256 > > > > > > This is the patch to add OWASP to Maven build > > > https://github.com/apache/zookeeper/pull/788 > > > > > > My proposal: > > > 1) commit PR #788 to all the active branches > > > 2) create an issue to address the new issues and upgrade all the deps > > > and/or add suppressions > > > 3) add OWASP job to the new Maven CI pre-commit/post-commit > > > > > > As soon as we commit the plugin configuration I will setup the CI Job > > for OWASP. > > > > > > Please anyone try out my patch and/or the ant task and confirm my > > findings. > > > I am trying to understand why CI jobs is not reporting the same > > > results as on my laptop. Actually my best guess is that it is not > > > re-downloading CVE patterns from NIST and so it is working with stale > > > information. > > > > > > Regards > > > Enrico > >
