
Update OWASP dependency check plugin version #44343

Merged
merged 1 commit into from
Nov 6, 2024

Conversation

sberyozkin
Member

No description provided.

@jmartisk
Contributor

jmartisk commented Nov 6, 2024

Do we have a way to test that this will fix the failure?

@sberyozkin
Member Author

@jmartisk Jan, I think maybe we can manually trigger the action? The update is long overdue in any case.

@jmartisk
Contributor

jmartisk commented Nov 6, 2024

We can trigger it manually, but to run it in this repo, we would have to merge it first. Could you try executing it in your repo? You'd go to https://github.com/sberyozkin/quarkus/actions/workflows/owasp-check.yml and trigger it using the "Run workflow" button, which I don't see because I'm not an admin of your fork.

@jmartisk
Contributor

jmartisk commented Nov 6, 2024

If it turns out to be a problem, we can just merge it and wait for the next nightly run.

@sberyozkin
Member Author

@jmartisk Sure, just did it, will take a while :-)

@sberyozkin
Member Author

@jmartisk It does not want to run it in my fork: https://github.com/sberyozkin/quarkus/actions/runs/11702263054/job/32590086209

I've run it on this PR's branch, while the action references the main branch, but all previous scheduled runs were cancelled after just 2 secs too.

We can just merge, and users can also try to run it locally.

@jmartisk
Contributor

jmartisk commented Nov 6, 2024

I think you'd have to change/remove this line https://github.com/sberyozkin/quarkus/blob/816a3521115210ebc0552149653b97ba7ab3b477/.github/workflows/owasp-check.yml#L12 to allow it to run on your fork (so I guess you'd need to create another branch with just this change - to avoid polluting this PR... it's a bit tricky).

But yeah, I don't mind just merging it here too, after the regular CI finishes.


quarkus-bot bot commented Nov 6, 2024

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 121e4a9.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

Flaky tests - Develocity

⚙️ JVM Tests - JDK 17

📦 extensions/vertx-http/deployment

io.quarkus.devui.ConfigurationTest.testConfigurationUpdate - History

  • Request failed: WebSocket upgrade failure: 500 - java.lang.IllegalStateException
java.lang.IllegalStateException: Request failed: WebSocket upgrade failure: 500
	at io.quarkus.devui.tests.DevUIJsonRPCTest$WebSocketResponse.message(DevUIJsonRPCTest.java:254)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:155)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:148)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.getJsonRPCResponse(DevUIJsonRPCTest.java:124)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.getJsonRPCResponse(DevUIJsonRPCTest.java:119)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.executeJsonRPCMethod(DevUIJsonRPCTest.java:86)

⚙️ JVM Tests - JDK 21

📦 extensions/smallrye-reactive-messaging/deployment

io.quarkus.smallrye.reactivemessaging.hotreload.ConnectorChangeTest.testUpdatingConnector - History

  • Expecting actual: ["-4","-5","-6","-7","-8","-9","-10","-11"] to start with: ["-3", "-4", "-5", "-6"] - java.lang.AssertionError
java.lang.AssertionError: 

Expecting actual:
  ["-4","-5","-6","-7","-8","-9","-10","-11"]
to start with:
  ["-3", "-4", "-5", "-6"]

	at io.quarkus.smallrye.reactivemessaging.hotreload.ConnectorChangeTest.testUpdatingConnector(ConnectorChangeTest.java:36)

@sberyozkin
Member Author

Let me merge, and I'll trigger an action.

@sberyozkin sberyozkin merged commit 3742ca0 into quarkusio:main Nov 6, 2024
52 checks passed
@sberyozkin sberyozkin deleted the owasp_version_11.1.0 branch November 6, 2024 15:23
@quarkus-bot quarkus-bot bot added this to the 3.17 - main milestone Nov 6, 2024
@sberyozkin
Member Author

Sorry @jmartisk, I merged and then decided to scroll and noticed your comment, my apologies :-). The version update itself should be fine in any case; let me trigger the action.

@sberyozkin
Member Author

@jmartisk @aloubyansky It worked :-). I guess the next step is to see how to wire in the SBOM.

@jmartisk
Contributor

jmartisk commented Nov 7, 2024

@sberyozkin are you sure the plugin supports working from an SBOM? Or do you have a different plugin in mind?

On the other hand, I found https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html where Example 7 shows how to exclude vulnerabilities that we don't want to pollute the report, which may be useful

@sberyozkin
Member Author

Thanks @jmartisk, yeah, this one does not accept a BOM AFAIK... Yeah, I'm not seeing which OWASP plugin can take an SBOM as input for the CVE checks on dependencies... We may have to do exclusions; I'll have a look.
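The kind of exclusion the dependency-check-maven docs describe (Example 7, linked above), shown as an added example that is not part of this PR or of the Quarkus build: a suppression file with a justified, time-boxed entry, and the plugin configuration that loads it. The package pattern, CPE, CVE id and file path are placeholders, and the plugin version is assumed from the branch name owasp_version_11.1.0.

```xml
<!-- file: owasp-suppressions.xml (constructed example). One <suppress> per
     accepted finding, each with a written justification and, for real CVEs,
     an expiry date so the decision is re-reviewed instead of living on silently. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- False positive: the CPE matched a product this artifact is not. -->
  <suppress>
    <notes><![CDATA[
      Placeholder: org.example:example-lib is not the product behind this CPE.
      Reviewed by: <reviewer>, ticket: <tracker-id>
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
    <cpe>cpe:/a:example:example-product</cpe>
  </suppress>

  <!-- Accepted risk, time-boxed: the CVE is real but the vulnerable code path is
       not reachable from this build; the entry stops applying after "until". -->
  <suppress until="2025-12-31Z">
    <notes><![CDATA[
      Placeholder: vulnerable API is never called here; drop this entry once the
      fixed example-lib release is on the classpath.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.example/example\-lib@.*$</packageUrl>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>
</suppressions>

<!-- file: pom.xml fragment (inside <build><plugins>). Points the plugin at the
     suppression file and fails the build on any unsuppressed finding with a
     CVSS score of 7 or higher. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>11.1.0</version> <!-- assumed from the branch name owasp_version_11.1.0 -->
  <configuration>
    <suppressionFiles>
      <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
    </suppressionFiles>
    <failBuildOnCVSS>7</failBuildOnCVSS>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

Match on `packageUrl` rather than a bare `cve` element so the suppression is scoped to one artifact and does not hide the same CVE if it later turns up in a different dependency.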
