Open hpvd opened 2 years ago
Motivation
Since https://github.com/apache/pulsar/pull/10855 we are doing dependency scans for vulnerabilities on a regular basis. That is really great!
Over time, more and more vulnerabilities are suppressed. This may
org.apache.pulsar:pulsar-server-distribution:2.11.0-SNAPSHOT: Vulnerabilities Suppressed: 23
org.apache.pulsar:pulsar-offloader-distribution:2.11.0-SNAPSHOT: Vulnerabilities Suppressed: 4
Solution
before every release: check for each suppressed vulnerability if it's still reasonable/necessary to suppress it; otherwise we are possibly releasing with security flaws which could easily be solved
before that: update the check tool to the latest version (which typically solves some false positives), 7.11+; the check today uses 7.10, see https://github.com/jeremylong/DependencyCheck/releases
Alternatives
Anything else?
No response
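One way to turn the pre-release step above into a repeatable check, as an added example that is not code from the Pulsar project or from the issue author: the script below reads an OWASP Dependency-Check suppressions file and lists every `<suppress>` rule, flagging the ones whose `until` date has passed, that have no `until` at all (they never expire on their own), or that carry no `<notes>` explaining why the finding was suppressed. It assumes the Dependency-Check suppression XML format (root `<suppressions>`, `until="yyyy-MM-ddZ"`, `<notes>`, `<cve>`/`<cpe>`/`<vulnerabilityName>` selectors); the embedded sample file, its package URLs and its CVE-2000-999xx identifiers are constructed placeholders. It also shows the version comparison for the "update the check tool first" step, because comparing versions as strings gets "7.9" vs "7.10" wrong.

```python
"""Audit an OWASP Dependency-Check suppressions file before a release.

Added example for this issue; not code from the Pulsar project or from
the issue author. It assumes the Dependency-Check suppression XML format:
root <suppressions>, one <suppress> per rule, an optional until="yyyy-MM-ddZ"
expiry attribute, a <notes> element, and <cve>/<cpe>/<vulnerabilityName>
selectors. Pass the path of the real suppressions file as the first
argument; with no argument it audits the constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Constructed sample file. The package URLs and the CVE-2000-999xx
# identifiers are placeholders, not real artifacts or vulnerabilities.
SAMPLE_SUPPRESSIONS = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2022-01-31Z">
    <notes>False positive: CPE matched a different product.</notes>
    <packageUrl>pkg:maven/org.example/lib-a@1.2.3</packageUrl>
    <cve>CVE-2000-99901</cve>
  </suppress>
  <suppress>
    <notes>Not exploitable in our usage; revisit when upstream ships a fix.</notes>
    <packageUrl>pkg:maven/org.example/lib-b@4.5.6</packageUrl>
    <cve>CVE-2000-99902</cve>
    <cve>CVE-2000-99903</cve>
  </suppress>
  <suppress until="2099-12-31Z">
    <packageUrl>pkg:maven/org.example/lib-c@7.8.9</packageUrl>
    <cpe>cpe:/a:example:lib-c</cpe>
  </suppress>
</suppressions>
"""


def _local(tag):
    """Strip the XML namespace: '{uri}suppress' -> 'suppress'."""
    return tag.rsplit("}", 1)[-1]


def parse_date(value):
    """Parse 'yyyy-MM-dd' or 'yyyy-MM-ddZ' (the form Dependency-Check documents)."""
    return datetime.strptime(value.rstrip("Z"), "%Y-%m-%d").date()


def audit_suppressions(xml_text, today=None):
    """Return one dict per <suppress> rule with the reasons it needs attention.

    reasons: "expired"        -> the until date is in the past
             "no expiry date" -> open-ended, will never expire on its own
             "no notes"       -> the justification was never written down
    Rules with an empty reasons list are returned too: the pre-release step
    is to re-check every suppression, not only the stale ones.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = parse_date(today)
    root = ET.fromstring(xml_text)
    report = []
    rules = [e for e in root if _local(e.tag) == "suppress"]
    for n, rule in enumerate(rules, start=1):
        notes, ids = "", []
        for child in rule:
            name = _local(child.tag)
            text = (child.text or "").strip()
            if name == "notes":
                notes = text
            elif name in ("cve", "cpe", "vulnerabilityName"):
                ids.append(text)
        reasons = []
        until = rule.get("until")
        if until is None:
            reasons.append("no expiry date")
        elif parse_date(until) < today:
            reasons.append("expired")
        if not notes:
            reasons.append("no notes")
        report.append({"rule": n, "until": until, "ids": ids,
                       "notes": notes, "reasons": reasons})
    return report


def version_tuple(version):
    """'7.10.0' -> (7, 10, 0); compare as integers, not strings ('7.9' < '7.10')."""
    return tuple(int(part) for part in version.split("."))


def tool_needs_upgrade(configured, latest):
    """True when the configured Dependency-Check version is older than latest."""
    return version_tuple(configured) < version_tuple(latest)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_SUPPRESSIONS
    for r in audit_suppressions(xml_text):
        flag = "REVIEW" if r["reasons"] else "ok    "
        print(f"{flag} rule {r['rule']:>2}  until={r['until'] or '-':<12} "
              f"ids={','.join(r['ids']) or '-'}  {'; '.join(r['reasons'])}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it against the project's real suppressions file gives the per-release review list; every CVE it prints is one to look up again against the current dependency versions before deciding whether the suppression stays. Giving each new suppression an `until` date keeps the list from growing silently, because an expired rule surfaces here (and Dependency-Check itself stops honouring it once the date passes).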
The issue had no activity for 30 days, mark with Stale label.