FYI I updated master with ZOOKEEPER-3262 PR and the job is green again:
https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/260/

As I noted on the PR the patch only applies to master, please submit PRs for 3.5/3.4.

Thanks!

Patrick

On Thu, Jan 31, 2019 at 12:08 AM Enrico Olivelli <eolive...@gmail.com> wrote:

> On Thu, Jan 31, 2019, 00:42 Patrick Hunt <ph...@apache.org> wrote:
>
> > On Wed, Jan 30, 2019 at 3:13 PM Enrico Olivelli <eolive...@gmail.com> wrote:
> >
> > > On Wed, Jan 30, 2019, 21:41 Patrick Hunt <ph...@apache.org> wrote:
> > >
> > > > Note the owasp job has been failing since the upgrade to dependency
> > > > checker 4 due to
> > > > "Target "dependency-check-update" does not exist in the project
> > > > "ZooKeeper""
> > > > the jenkins job was explicitly running the update (which seems to not
> > > > exist after the upgrade).
> > >
> > > Maybe I tried to force the update by changing the job and I left such
> > > command in the configuration.
> > > The good way to force the update is changing build.xml as we have
> > > committed.
> > > Using Maven there is a specific mojo.
> > > I apologize if I had broken the configuration, I will check the history
> > > of configurations of the job
> >
> > No worries at all. Easy enough to address once it was noticed.
> >
> > > A little off topic:
> > > We could keep jenkins jobs configuration on Zookeeper git repo, this way
> > > jobs configuration will be subject to the review-then-commit policy
> >
> > I literally removed a single target from the "ant ..." command in the
> > jenkins job ant build spec. There isn't much that could go into git unless
> > we wrap ant with a bash script or something... which would not be optimal
> > imo. Better would be to define jenkins jobs via DSL, but afaik apache
> > jenkins doesn't support that yet (?).
>
> It is exactly what I meant.
> In bookkeeper we have Jenkins jobs committed inside the repo
>
> https://github.com/apache/bookkeeper/tree/master/.test-infra/jenkins
>
> We can do the same for Zookeeper
>
> Enrico
>
> > Patrick
> >
> > > Cheers
> > > Enrico
> > >
> > > > I updated the job targets however it's now failing due to CVEs in
> > > > netty and some deps:
> > > >
> > > > https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/255/
> > > > agree we should clear these out...
> > > >
> > > > Patrick
> > > >
> > > > On Sat, Jan 26, 2019 at 3:54 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > >
> > > > > I have forced the download of pattern and now the results are
> > > > > consistent with the ones on my laptop
> > > > >
> > > > > see the results:
> > > > > https://builds.apache.org/job/ZooKeeper-trunk-owasp/250/console
> > > > >
> > > > > In patch:
> > > > > https://github.com/apache/zookeeper/pull/788
> > > > >
> > > > > I have added the fix to force the download of patterns at every run.
> > > > >
> > > > > IMHO it is better to merge the patch soon
> > > > >
> > > > > Enrico
> > > > >
> > > > > On Sat, Jan 26, 2019 at 11:44 Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > >
> > > > > > Hi Zookeepers,
> > > > > > while working on the migration of OWASP task to the Maven build I
> > > > > > found that currently the CI Job
> > > > > > (https://builds.apache.org/job/ZooKeeper-trunk-owasp/) is not
> > > > > > working properly.
> > > > > >
> > > > > > On my laptop both the ant task and the maven one are reporting
> > > > > > several issues, due to dependencies updated/introduced recently,
> > > > > > like Netty 4.1.29 (which is not the latest and greatest released
> > > > > > version)
> > > > > >
> > > > > > I have attached my logs in JIRA
> > > > > > https://issues.apache.org/jira/browse/ZOOKEEPER-3256
> > > > > >
> > > > > > This is the patch to add OWASP to Maven build
> > > > > > https://github.com/apache/zookeeper/pull/788
> > > > > >
> > > > > > My proposal:
> > > > > > 1) commit PR #788 to all the active branches
> > > > > > 2) create an issue to address the new issues and upgrade all the
> > > > > > deps and/or add suppressions
> > > > > > 3) add OWASP job to the new Maven CI pre-commit/post-commit
> > > > > >
> > > > > > As soon as we commit the plugin configuration I will set up the CI
> > > > > > Job for OWASP.
> > > > > >
> > > > > > Please anyone try out my patch and/or the ant task and confirm my
> > > > > > findings.
> > > > > > I am trying to understand why the CI job is not reporting the same
> > > > > > results as on my laptop. Actually my best guess is that it is not
> > > > > > re-downloading CVE patterns from NIST and so it is working with
> > > > > > stale information.
> > > > > >
> > > > > > Regards
> > > > > > Enrico