[GitHub] [lucene-solr] risdenk commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

2019-12-28 Thread GitBox 
risdenk commented on a change in pull request #1121: SOLR-11207: Add OWASP 
dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r361818552
 
 

 ##
 File path: gradle/validation/dependency-check.gradle
 ##
 @@ -0,0 +1,12 @@
+// This adds OWASP vulnerability validation of project dependencies
+
+// This should be false only for debugging.
+def failOnError = true
 
 Review comment:
   It might make sense to set this to false to get this into the gradle-master 
build and then once merged to master change the default.
   
   I personally find failing the build on OWASP errors can be really 
frustrating with new CVEs out all the time. I like to see the warnings/errors 
but not fail the build. This depends on the severity of the CVE as well 
sometimes.


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

-
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

[GitHub] [lucene-solr] risdenk commented on a change in pull request #1121: SOLR-11207: Add OWASP dependency checker to gradle build

2019-12-28 Thread GitBox 
risdenk commented on a change in pull request #1121: SOLR-11207: Add OWASP 
dependency checker to gradle build
URL: https://github.com/apache/lucene-solr/pull/1121#discussion_r361818500
 
 

 ##
 File path: gradle/validation/dependency-check.gradle
 ##
 @@ -0,0 +1,12 @@
+// This adds OWASP vulnerability validation of project dependencies
+
+// This should be false only for debugging.
+def failOnError = true
+
+dependencyCheck {
+  autoUpdate=false
 
 Review comment:
   Why not `autoUpdate=true`? I think this is for auto updating the definitions.
   
   From 
https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration.html
   
   ```
   Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not 
recommended that this be turned to false.
   ```


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

-
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org