Change security vulnerability scan to cron job (#9340)

* Change security vulnerability scan to cron job

Previously, when new CVEs were reported, the security vulnerability scan
would unfortunately block PRs that did not modify any dependencies. To
prevent this issue, the security scan is now run as a Travis cron job
that runs on master and notifies the druid dev list if it fails. The
security scan has also been added to the "apache-release" maven profile,
to ensure that it passes before a release.

Also adjusted some Travis CI job failure help messages to not be folded
in the Travis CI job logs.

* Dedup plugin configuration definition
This commit is contained in:
Chi Cao Minh 2020-02-11 13:43:08 -08:00 committed by GitHub
parent ebd199da73
commit a5c49cc4bd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 53 additions and 20 deletions


@ -47,6 +47,12 @@ env:
# output. To compensate, use travis_wait to extend the timeout.
install: MAVEN_OPTS='-Xmx3000m' travis_wait 15 ${MVN} clean install -q -ff ${MAVEN_SKIP} ${MAVEN_SKIP_TESTS} -T1C
stages:
- name: test # jobs that do not specify a stage get this default value
if: type != cron
- name: cron
if: type = cron
jobs:
include:
- name: "animal sniffer checks"
@ -93,9 +99,8 @@ jobs:
-pl '!benchmarks' ${MAVEN_SKIP} ${MAVEN_SKIP_TESTS}
- name: "analyze dependencies"
script: MAVEN_OPTS='-Xmx3000m' ${MVN} ${MAVEN_SKIP} dependency:analyze -DoutputXML=true -DignoreNonCompile=true -DfailOnWarning=true
after_failure: |-
echo "FAILURE EXPLANATION:
script: |-
MAVEN_OPTS='-Xmx3000m' ${MVN} ${MAVEN_SKIP} dependency:analyze -DoutputXML=true -DignoreNonCompile=true -DfailOnWarning=true || { echo "
The dependency analysis has found a dependency that is either:
@ -112,19 +117,8 @@ jobs:
For more information, refer to:
https://maven.apache.org/plugins/maven-dependency-plugin/analyze-mojo.html
"
- name: "security vulnerabilities"
install: skip
script: ${MVN} dependency-check:check
after_failure: |-
echo "FAILURE EXPLANATION:
The OWASP dependency check has found security vulnerabilities. Please use a newer version
of the dependency that does not have vulenerabilities. If the analysis has false positives,
they can be suppressed by adding entries to owasp-dependency-check-suppressions.xml (for more
information, see https://jeremylong.github.io/DependencyCheck/general/suppression.html).
"
" && false; }
- &package
name: "(openjdk8) packaging check"
@ -259,9 +253,8 @@ jobs:
- name: "docs"
install: (cd website && npm install)
script: (cd website && npm run lint && npm run spellcheck)
after_failure: |-
echo "FAILURE EXPLANATION:
script: |-
(cd website && npm run lint && npm run spellcheck) || { echo "
If there are spell check errors:
@ -272,7 +265,8 @@ jobs:
2) Running Spell Check Locally: cd website && npm install && npm run spellcheck
For more information, refer to: https://www.npmjs.com/package/markdown-spellcheck
"
" && false; }
- &integration_batch_index
name: "batch index integration test"
@ -324,3 +318,29 @@ jobs:
env: TESTNG_GROUPS='-DexcludedGroups=batch-index,perfect-rollup-parallel-batch-index,kafka-index,query,realtime-index'
script: *run_integration_test
after_failure: *integration_test_diags
- name: "security vulnerabilities"
stage: cron
install: skip
script: |-
${MVN} dependency-check:check || { echo "
The OWASP dependency check has found security vulnerabilities. Please use a newer version
of the dependency that does not have vulnerabilities. If the analysis has false positives,
they can be suppressed by adding entries to owasp-dependency-check-suppressions.xml (for more
information, see https://jeremylong.github.io/DependencyCheck/general/suppression.html).
" && false; }
# Travis CI only supports per build (and not per-job notifications): https://github.com/travis-ci/travis-ci/issues/9888
notifications:
email:
if: type = cron
recipients:
# This is the string "dev@druid.apache.org" encrypted against the apache/druid repo so that forks are unable to
# use this notification:
# https://github.com/travis-ci/travis-ci/issues/1094#issuecomment-215019909
# https://github.com/travis-ci/travis-ci/issues/2711
- secure: "MupjX/0jLwh3XzHPl74BTk2/Kp5r+8TrEewfRhpQdWKFMBXLKNqu0k2VXf5C/NIg3uvPianq3REk+qeTHI8dL2ShjiWS/eIRkJOHLfObdNNBuos5fo4TxAuBQcXyT4VjAq5jnAkH84Pxf2Nl0rkisWoIhvwSX7+kNrjW1qdu7K0="
on_success: change
on_failure: change
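Review bot: With `on_failure: change` at the end of the new `notifications` block, the dev list is mailed only when the cron build flips from passing to failing, so while the scan stays red (a CVE awaiting an upgrade or a suppression entry) a further newly published CVE in a different dependency produces no new mail, which undercuts the "notifies the druid dev list if it fails" goal stated in the description. Consider `on_failure: always` while keeping `on_success: change` so green cron runs stay quiet, and document the choice above the key: `# always mail on failure: a red scan must re-alert every run so a new CVE is not masked by an older unresolved one`. Separately, the "security vulnerabilities" job keeps `install: skip`, so `dependency-check:check` scans the dependency tree resolved from the POMs rather than freshly built artifacts; that matches the removed job and is presumably intended, but a one-line comment saying so would save the next reader the question.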

pom.xml

@ -109,6 +109,7 @@
<zookeeper.version>3.4.14</zookeeper.version>
<checkerframework.version>2.5.7</checkerframework.version>
<com.google.apis.client.version>1.22.0</com.google.apis.client.version>
<repoOrgId>apache.snapshots</repoOrgId>
<repoOrgName>Apache Snapshot Repository</repoOrgName>
<repoOrgUrl>https://repository.apache.org/snapshots</repoOrgUrl>
@ -1507,7 +1508,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.2.4</version>
<version>5.3.0</version>
<configuration>
<cveValidForHours>24</cveValidForHours>
<failBuildOnCVSS>7</failBuildOnCVSS>
@ -1907,6 +1908,18 @@
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<executions>
<execution>
<phase>compile</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
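Review bot: The `dependency-check-maven` execution added to this profile carries no configuration of its own, so the release gate inherits `<failBuildOnCVSS>7</failBuildOnCVSS>` and `<cveValidForHours>24</cveValidForHours>` from the plugin entry in the earlier hunk (presumably the `<pluginManagement>` block, whose opening tag is outside the page): CVEs scored below 7 never block a release, and a release run may scan against an NVD cache up to a day old. That threshold is a deliberate policy decision and should be visible where the gate is wired in; add above the new `<plugin>` element: `<!-- Release gate: inherits failBuildOnCVSS=7 and cveValidForHours=24 from pluginManagement; CVSS < 7 findings do not block a release and the NVD cache may be up to 24h stale. -->`. The enclosing `apache-release` profile begins outside the hunk, so I cannot see whether the profile already scopes this to the parent module; if it does not, binding `check` to `compile` will rerun the scan in every module of the multi-module build, which is slow but not incorrect.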