
Add tool to check for CVEs among dependencies


Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • Infrastructure
    • ghx-label-8

    Description

      Tried dependency-check-maven and it seems very easy to use:
      https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html

      Most of the issues it found seemed to be false positives or irrelevant for Impala, but it can still be useful to run it after adding new dependencies in maven.

      Integrating it could look like this:
      1. add the plugin to java/pom.xml to make running it a one line command
      2. add a suppressions.xml to suppress known issues
      3. potentially create a job that runs it automatically
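
      As an added example (not code from the Impala project or from this issue), this is what steps 1 and 2 could look like: a dependency-check-maven plugin entry for java/pom.xml and a suppressions.xml holding one reviewed suppression. The plugin version, the suppressed artifact coordinates and the CVE id are placeholders, and the placement under java/pom.xml's build plugins is assumed.

```xml
<!-- java/pom.xml: inside <build><plugins> (assumed placement) -->
<!-- Run on demand with: mvn dependency-check:check -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>PLUGIN_VERSION_PLACEHOLDER</version>
  <configuration>
    <!-- Known false positives / irrelevant findings live in a reviewed file -->
    <suppressionFiles>
      <suppressionFile>${project.basedir}/suppressions.xml</suppressionFile>
    </suppressionFiles>
    <!-- Fail the build on findings with CVSS >= 7.0 (High); lower it once the backlog is clean -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

<!-- suppressions.xml: every entry records why the finding does not apply,
     so the suppression can be re-checked when the dependency is upgraded -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>PLACEHOLDER: reason the finding is a false positive or does not affect Impala</notes>
    <!-- placeholder coordinates; match one artifact, any version -->
    <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
    <cve>CVE-0000-00000</cve>
  </suppress>
</suppressions>
```

      The check goal binds to the verify phase by default, so once the execution is declared the scan also runs as part of mvn verify, which is a natural hook for the automated job in step 3.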

      Attachments

        1. dependency-check-report.zip (380 kB, Csaba Ringhofer)

      People

        Assignee: Unassigned
        Reporter: Csaba Ringhofer (csringhofer)
        Votes: 0
        Watchers: 2
