Replace NVD with Sonatype OSS Index #8186
Looks like a new CVE backing that better understands maven coordinates and so the suppressions we maintained previously should no longer be needed. Ported from open-telemetry/opentelemetry-java-instrumentation#16445
| // Skip OWASP dependencyCheck task on test module | ||
| dependencyCheck { | ||
| skip = true | ||
| } |
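Review bot: removing the `dependencyCheck { skip = true }` block re-enables vulnerability scanning for this test module, and the `// Skip OWASP dependencyCheck task on test module` comment records that the skip existed because of its test-only dependencies; before merging, confirm that the replacement plugin ignores test configurations here, or add the equivalent exclusion, so the first run does not fail on dependencies that are never shipped.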
Is there no analog for this? Or is it no longer applicable?
Maybe this is what you referred to with the suppressions no longer being needed.
we're using a different plugin altogether now
I get that. But we skipped OWASP on testing-internal because it had dependencies that triggered OWASP. And now we're not doing that. That means the new plugin either doesn't consider the testing dependencies problematic or somehow automatically excludes testing modules like this or something equivalent.
Just curious if you already know the answer.
oh, good point, I'll check this
Ran into an issue, let's wait for upstream fix: sonatype-nexus-community/scan-gradle-plugin#204
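The PR description's point that a coordinate-aware backing makes the old suppressions unnecessary, and the thread's question about test-only dependencies, can be seen side by side in this added Python illustration. It is not code from this PR or from either scanner: the advisories, dependency list and identifiers are constructed, the name-keyed lookup stands in for CPE-style product matching, and the purl-keyed lookup stands in for matching on exact Maven coordinates.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dep:
    """One resolved Maven dependency from a Gradle configuration (constructed)."""
    group: str
    artifact: str
    version: str
    configuration: str  # e.g. "runtimeClasspath" or "testRuntimeClasspath"

    def purl(self) -> str:
        # Package URL form: exact group, artifact and version.
        return f"pkg:maven/{self.group}/{self.artifact}@{self.version}"

# Constructed advisories, not real CVEs. Name-keyed data resembles CPE-style
# product matching; purl-keyed data resembles matching on exact coordinates.
NAME_KEYED = {"example-core": "EXAMPLE-NAME-0001"}
PURL_KEYED = {
    "pkg:maven/com.example/example-core@1.2.3": "EXAMPLE-PURL-0001",
    "pkg:maven/com.example/example-test-fixtures@0.9.0": "EXAMPLE-PURL-0002",
}

def name_matches(deps):
    """Name-keyed matching: every artifact whose name equals the product name."""
    return {d.purl(): NAME_KEYED[d.artifact] for d in deps if d.artifact in NAME_KEYED}

def purl_matches(deps, skip_test=True):
    """Coordinate matching: only the exact group:artifact:version is flagged.
    skip_test mirrors the thread's question about test-only dependencies."""
    hits = {}
    for d in deps:
        if skip_test and d.configuration.startswith("test"):
            continue
        if d.purl() in PURL_KEYED:
            hits[d.purl()] = PURL_KEYED[d.purl()]
    return hits

def suppressions_needed(deps):
    """Findings the name-keyed scan raises that exact coordinates do not:
    these are the false positives a suppressions file had to list."""
    return set(name_matches(deps)) - set(purl_matches(deps, skip_test=False))

# Constructed dependency list: one true hit, two look-alikes, one test-only hit.
DEPS = [
    Dep("com.example", "example-core", "1.2.3", "runtimeClasspath"),  # affected
    Dep("org.other", "example-core", "1.2.3", "runtimeClasspath"),    # same name, other group
    Dep("com.example", "example-core", "1.2.4", "runtimeClasspath"),  # fixed version
    Dep("com.example", "example-test-fixtures", "0.9.0", "testRuntimeClasspath"),
]
```

Running `suppressions_needed(DEPS)` returns the two look-alike coordinates that only the name-keyed scan flags, while `purl_matches(DEPS)` returns the single shipped, affected artifact and drops the test-only hit.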
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

@@             Coverage Diff             @@
##               main    #8186     +/-   ##
============================================
+ Coverage     90.30%   90.32%   +0.01%
- Complexity     7651     7653       +2
============================================
  Files           843      843
  Lines         23061    23071      +10
  Branches       2310     2311       +1
============================================
+ Hits          20826    20838      +12
+ Misses         1516     1515       -1
+ Partials        719      718       -1

☔ View full report in Codecov by Sentry.
| - `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password | ||
| - `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password | ||
| - `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password |
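Review bot: `NVD_API_KEY` is the credential for the NVD-backed scanner this PR replaces; once no workflow references it, remove the documentation entry, the repository secret and the 1Password item together rather than leaving an unused credential in place.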
TODO: reminder to myself to delete this secret once merged
jack-berg left a comment:
Just one nit about duplicate github action workflow
Manually kicking off first run to see how things go: https://github.com/open-telemetry/opentelemetry-java/actions/runs/23760622947