Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[chore] Ignore vulnerability in DependencyCheck and bumped the version #286

Merged
merged 1 commit into from
Sep 29, 2023
Merged

[chore] Ignore vulnerability in DependencyCheck and bumped the version #286

merged 1 commit into from
Sep 29, 2023

Conversation

nwithan8
Copy link
Member

@nwithan8 nwithan8 commented Sep 28, 2023
edited
Loading

Description

The DependencyCheck plugin we use to scan for vulnerabilities in our library is, itself, vulnerable. This is a red herring that unfortunately causes our CI to fail.

This PR will ignore this known vulnerability for the time being.

This does NOT pass vulnerable code down to our end-users, as this is purely an issue with one of the plugins we use to test the library.

Testing

  • make scan calls dependency check as expected
  • Dependency scan passes as expected (no current vulnerabilities other than the aforementioned vulnerability inside the now-removed Maven plugin)

Pull Request Type

Please select the option(s) that are relevant to this PR.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Improvement (fixing a typo, updating readme, renaming a variable name, etc)

@nwithan8 nwithan8 requested review from a team and dcaballeroc September 28, 2023 22:04
dcaballeroc
dcaballeroc previously approved these changes Sep 28, 2023
View reviewed changes
Copy link

@dcaballeroc dcaballeroc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still failing with Github Actions though

@nwithan8 nwithan8 marked this pull request as draft September 28, 2023 22:33
@nwithan8 nwithan8 marked this pull request as ready for review September 28, 2023 22:52
@nwithan8 nwithan8 mentioned this pull request Sep 28, 2023
Merged
4 tasks
dcaballeroc
dcaballeroc previously approved these changes Sep 28, 2023
View reviewed changes
Justintime50
Justintime50 previously requested changes Sep 29, 2023
View reviewed changes
Copy link
Member

@Justintime50 Justintime50 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't love this particular solution. Let's chat internally about this. I feel it defeats the point of having a dependency manager if we just store local copies of the dependencies. Dependencies typically shouldn't be checked into a repo if we can help it since it's not our code and will make future diffs bigger than they should be.

@nwithan8 nwithan8 marked this pull request as draft September 29, 2023 16:27
@nwithan8 nwithan8 changed the title [chore] Remove dependency check Maven plugin, substitute with CLI script [chore] Ignore vulnerability in DependencyCheck Sep 29, 2023
@nwithan8 nwithan8 force-pushed the dependency_check branch 2 times, most recently from ba15af6 to 1f07335 Compare September 29, 2023 17:42
@nwithan8 nwithan8 self-assigned this Sep 29, 2023
@nwithan8 nwithan8 marked this pull request as ready for review September 29, 2023 17:45
dcaballeroc
dcaballeroc approved these changes Sep 29, 2023
View reviewed changes
Copy link

@dcaballeroc dcaballeroc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks in line with what Justin was asking

@jchen293 jchen293 changed the title [chore] Ignore vulnerability in DependencyCheck [chore] Ignore vulnerability in DependencyCheck and bumped the version Sep 29, 2023
@nwithan8 nwithan8 merged commit 8e01cf5 into master Sep 29, 2023
16 checks passed
@nwithan8 nwithan8 deleted the dependency_check branch September 29, 2023 18:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jchen293 jchen293 jchen293 approved these changes

@dcaballeroc dcaballeroc dcaballeroc approved these changes

@Justintime50 Justintime50 Awaiting requested review from Justintime50

Assignees

@nwithan8 nwithan8

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@nwithan8 @dcaballeroc @jchen293 @Justintime50