[ https://issues.apache.org/jira/browse/FLINK-12119?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Konstantin Knauf updated FLINK-12119:
-------------------------------------

Description:
In order to obtain some visibility on the currently known security vulnerabilities in Flink's dependencies, it would be useful to include the OWASP dependency check plugin [1] in our Maven build.

By including it in flink-parent, we can get a summary of all dependencies of all child projects by running
{{mvn clean org.owasp:dependency-check-maven:5.0.0-M2:aggregate}}

We should probably exclude some modules from the dependency-check. These could be:
* flink-docs
* flink-examples
* flink-end-to-end-tests
* flink-fs-tests
* flink-test-utils-parent
* flink-yarn-tests
* flink-contrib

Anything else? What about flink-python/flink-streaming-python?

In addition I propose to exclude all dependencies in the *system* or *provided* scope.

At least initially, the build would never fail because of vulnerabilities.

[1] [https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html]

was:
In order to obtain some visibility on the currently known security vulnerabilities in Flink's dependencies, it would be useful to include the OWASP dependency check plugin [1] in our Maven build.

By including it in flink-parent, we can get a summary of all dependencies of all child projects by running
{{mvn clean org.owasp:dependency-check-maven:5.0.0-M2:aggregate}}

We should probably exclude some modules from the dependency-check. These could be:
* flink-dist
* flink-docs
* flink-examples
* flink-tests
* flink-end-to-end-tests
* flink-fs-tests
* flink-test-utils-parent
* flink-yarn-tests
* flink-contrib

Anything else? What about flink-python/flink-streaming-python?

In addition I propose to exclude all dependencies in the *system* or *provided* scope.

At least initially, the build would never fail because of vulnerabilities.

[1] [https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html]

> Add OWASP Dependency Check to Flink Build
> -----------------------------------------
>
>                 Key: FLINK-12119
>                 URL: https://issues.apache.org/jira/browse/FLINK-12119
>             Project: Flink
>          Issue Type: Improvement
>          Components: Build System
>            Reporter: Konstantin Knauf
>            Assignee: Konstantin Knauf
>            Priority: Major
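As an added illustration of the setup proposed in the ticket (this is not code from the ticket or from the Flink project; it is an assumed pom.xml layout): the plugin is declared once in flink-parent with the scope exclusions and a non-failing CVSS threshold, and each module to be left out of the report overrides the inherited configuration with skip=true. The parameter names used below (skipProvidedScope, skipSystemScope, failBuildOnCVSS, format, skip) are documented parameters of dependency-check-maven; that the aggregate goal honours a module's skip flag is an assumption to verify against the plugin version actually adopted.

```xml
<!-- ===== flink-parent: root pom.xml (assumed layout, example only) ===== -->
<!-- Declaring the plugin here means an explicit invocation such as
     "mvn clean org.owasp:dependency-check-maven:aggregate" picks up this
     configuration in every child module. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>5.0.0-M2</version>
      <configuration>
        <!-- Ticket proposal: ignore system- and provided-scope
             dependencies, which the runtime supplies and Flink does
             not ship. Test scope is skipped by the plugin default. -->
        <skipProvidedScope>true</skipProvidedScope>
        <skipSystemScope>true</skipSystemScope>
        <!-- CVSS scores range from 0 to 10, so a threshold of 11 (the
             plugin default) never fails the build, matching "at least
             initially, the build would never fail". Lower it later,
             e.g. to 7, to fail on high-severity findings. -->
        <failBuildOnCVSS>11</failBuildOnCVSS>
        <!-- HTML is the default report; ALL also emits XML/JSON/CSV
             that can be fed to other tooling. -->
        <format>ALL</format>
      </configuration>
    </plugin>
  </plugins>
</build>

<!-- ===== one of the excluded modules, e.g. flink-docs/pom.xml ===== -->
<!-- Same groupId/artifactId, so the version and the rest of the
     configuration are inherited from flink-parent; only skip changes. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <configuration>
        <skip>true</skip>
      </configuration>
    </plugin>
  </plugins>
</build>
```

Two practical caveats: the first run downloads the NVD data feed into the local Maven repository and needs network access, so CI jobs should cache that directory; and false positives from the plugin's CPE matching are expected, which is why a checked-in suppression file (the plugin's suppressionFiles parameter) is normally added before the CVSS threshold is lowered to a failing value.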