[GitHub] [lucene-solr] risdenk commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
risdenk commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r361818552 ## File path: gradle/validation/dependency-check.gradle ## @@ -0,0 +1,12 @@ +// This adds OWASP vulnerability validation of project dependencies + +// This should be false only for debugging. +def failOnError = true Review comment: It might make sense to set this to false to get this into the gradle-master build and then once merged to master change the default. I personally find failing the build on OWASP errors can be really frustrating with new CVEs out all the time. I like to see the warnings/errors but not fail the build. This depends on the severity of the CVE as well sometimes. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services - To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org
[GitHub] [lucene-solr] risdenk commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build
risdenk commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r361818500 ## File path: gradle/validation/dependency-check.gradle ## @@ -0,0 +1,12 @@ +// This adds OWASP vulnerability validation of project dependencies + +// This should be false only for debugging. +def failOnError = true + +dependencyCheck { + autoUpdate=false Review comment: Why not `autoUpdate=true`? I think this is for auto updating the definitions. From https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration.html ``` Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. ``` This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services - To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org