On 2024/07/03 14:44:30 Dave Fisher wrote:
> I did not see exactly where the download happens in the workflow. Is there a
> separate action or workflow?

In the current master branch version, it gets downloaded here:
https://github.com/apache/pulsar/blob/dbbb6b66c99afd12762dec198482dbf766bff3bb/.github/workflows/ci-owasp-dependency-check.yaml#L104

> Seems to me that you need Infra’s help as the Apache org’s GitHub admin to
> add this secret. They will probably suggest that you create an INFRA JIRA and
> tell you where to send the API Key.

Gavin replied on ASF Slack and I created ASF Infra ticket INFRA-25938. Gavin has added the NVD API Key as a secret to the GitHub Actions workflow.

I have created PR https://github.com/apache/pulsar/pull/22999 with changes to use the NVD API key. Please review!

I have been testing changes in my own fork, at https://github.com/lhotari/pulsar/actions/workflows/ci-owasp-dependency-check.yaml . We would have to merge the PR to do the final testing in the apache/pulsar repository.

-Lari