Thank you for improving our process for vulnerable dependencies.

> As a next step we can work on making it email the dev list when it fails
+1 - I like this proposal. It will ensure that we have enough visibility to remediate vulnerabilities quickly.

Thanks,
Michael

On Mon, Jan 31, 2022 at 3:07 PM Enrico Olivelli <eolive...@gmail.com> wrote:
>
> Great idea
>
> I will review the PRs
>
> Thanks
> Enrico
>
>
> On Mon, 31 Jan 2022, 21:33 Andrey Yegorov <andrey.yego...@datastax.com> wrote:
>
> > Hello,
> >
> > As a final step in the series of PRs to upgrade old dependencies with various CVEs (by Nicolo and me) I added a PR that introduces an extra check on pom.xml file changes: it will run OWASP dependency check and fail if any CVE level >= 7 is detected.
> >
> > Please review this PR https://github.com/apache/pulsar/pull/13972 and one more pending fix from Nicolo: https://github.com/apache/pulsar/pull/13943
> >
> > There is an existing workflow that runs daily but it has limited visibility at the moment:
> >
> > https://github.com/apache/pulsar/actions/workflows/ci-owasp-dependency-check.yaml
> >
> > As a next step we can work on making it email the dev list when it fails, but the check on PRs when pom files change will be more immediately visible.
> >
> > Similar changes are pending for BookKeeper.
> >
> > --
> > Andrey Yegorov
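For readers who want to see the shape of the check Andrey describes (a PR-triggered job that runs only when a pom.xml changes and fails on CVSS >= 7), here is an added illustration; it is not the content of PR #13972 or of the existing ci-owasp-dependency-check.yaml workflow. The workflow file name, JDK version and action versions are assumptions; failBuildOnCVSS is the property exposed by the dependency-check-maven plugin itself.

```yaml
# .github/workflows/pr-owasp-dependency-check.yaml   (hypothetical file name)
name: PR OWASP dependency check

on:
  pull_request:
    paths:
      - '**/pom.xml'        # run only when a Maven POM changes, so the
                            # result shows up on the PR that touched it

jobs:
  owasp:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: '17'   # assumption: match the project's build JDK

      - name: Run OWASP dependency-check
        # The plugin scans the resolved dependency tree against the NVD and
        # fails the build when any finding scores at or above the threshold
        # (CVSS 7.0 == "high"), which is what makes the PR check red.
        run: |
          mvn -B -ntp org.owasp:dependency-check-maven:check \
            -DfailBuildOnCVSS=7
```

The daily workflow can keep a lower threshold or a broader scope; the PR-time check is deliberately narrow so that its failure points at the dependency change that introduced the finding.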