RATIS-2372. Add weekly CVE vulnerability check workflow for Apache Ratis #1328
Conversation
Signed-off-by: OneSizeFitsQuorum <tanxinyu@apache.org>
@szetszwo @adoroszlai PTAL
Pull request overview
This PR adds a new GitHub Actions workflow to perform weekly CVE vulnerability checks for Apache Ratis using OWASP Dependency Check. The workflow is scheduled to run every Sunday at 16:00 UTC and can also be triggered manually.
Key Changes:
- Implements automated weekly vulnerability scanning using OWASP dependency-check-maven plugin
- Configures artifact upload for vulnerability reports with 15-day retention
- Uses OSS Index credentials for enhanced vulnerability detection
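As an added example, not the PR's own workflow file, here is a workflow that matches the overview above: a Sunday 16:00 UTC schedule, manual dispatch, a dependency-check-maven `aggregate` scan with OSS Index credentials, and a report artifact kept for 15 days. The file path, the secret names `NVD_API_KEY`, `OSSINDEX_USERNAME` and `OSSINDEX_TOKEN`, the JDK version, the timeout and the CVSS threshold of 7 are assumptions, and the plugin property names are taken from the dependency-check-maven documentation rather than from this PR, so verify them against the plugin version Ratis uses.

```yaml
# .github/workflows/vulnerability-check.yml (hypothetical path; added example, not the PR's file)
name: vulnerability-check

on:
  schedule:
    - cron: '0 16 * * 0'        # every Sunday at 16:00 UTC
  workflow_dispatch:            # allow manual runs

permissions:
  contents: read                # the job only needs to read the repository

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    timeout-minutes: 90         # assumed; NVD download plus a full build can be slow
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 8       # assumed; use the JDK Ratis builds with
          # setup-java writes this <server> entry into ~/.m2/settings.xml; the
          # two values below are the *names* of env vars read when Maven runs.
          server-id: ossindex
          server-username: OSSINDEX_USERNAME
          server-password: OSSINDEX_TOKEN

      # Build and scan in one invocation: package (not install) so no Ratis jar
      # is written into ~/.m2/repository. Secrets are passed through env rather
      # than expanded into the script text, so the literal values are never
      # baked into the rendered `run:` command.
      # Plugin property names (nvdApiKey, ossIndexServerId, failBuildOnCVSS) are
      # taken from the dependency-check-maven docs; verify for your plugin version.
      - name: Build and scan dependencies
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
          OSSINDEX_USERNAME: ${{ secrets.OSSINDEX_USERNAME }}
          OSSINDEX_TOKEN: ${{ secrets.OSSINDEX_TOKEN }}
        run: >
          mvn -B -ntp -DskipTests clean package
          org.owasp:dependency-check-maven:aggregate
          -DnvdApiKey="$NVD_API_KEY"
          -DossIndexServerId=ossindex
          -DfailBuildOnCVSS=7

      # Upload even when the scan failed the build (failBuildOnCVSS), otherwise
      # the report that explains the failure is lost with the job.
      - name: Upload vulnerability report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: target/dependency-check-report.*
          retention-days: 15
```

Two details worth keeping: `permissions: contents: read` keeps the job's `GITHUB_TOKEN` at least privilege (the scan never writes to the repository), and `if: always()` on the upload step ensures the report is available precisely when the job fails, which is the case you want to investigate.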
adoroszlai
left a comment
Thanks @OneSizeFitsQuorum for the patch.
In addition to the inline comments, I think we should also refine cache creation and usage in the future. Regular CI's build job caches dependencies, but not NVD database. Currently vulnerability-check workflow does not utilize that cache of dependencies. Thus dependencies are downloaded and stored separately.
Some ideas:
- Populate the cache in a separate workflow, triggered by various events:
  - by schedule or push (only POM change): download NVD database only in apache/ratis, not in forks
  - workflow call or manual dispatch: download NVD database if requested (i.e. even in forks)
- Only read the cache (`restore`) in `ci` workflow.
- Try to restore the cache in `vulnerability-check`; call `populate-cache` workflow on cache miss.

I'll try to experiment with these.
| key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | ||
| restore-keys: ${{ runner.os }}-m2- |
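Review bot: with the key fixed to the pom hash, actions/cache saves only on an exact-key miss, so after the first run the NVD data refreshed during a scan is never written back and every later run restores the first, stale snapshot (the `restore-keys` prefix only widens what is restored, not when a save happens); put a date component in the key, e.g. `${{ runner.os }}-maven-${{ steps.get-date.outputs.datetime }}-${{ hashFiles('**/pom.xml') }}`, so the entry rolls over, and cache `~/.m2/repository` rather than `~/.m2` so a generated settings.xml carrying credentials is never stored.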
Plugin doc recommends including the date in key:

```yaml
# Using datetime in cache key as OWASP database may change, without the pom changing
key: ${{ runner.os }}-maven-${{ steps.get-date.outputs.datetime }}-${{ hashFiles('**/pom.xml') }}
restore-keys: |
  ${{ runner.os }}-maven-${{ steps.get-date.outputs.datetime }}
  ${{ runner.os }}-maven-
```

For that we need to calculate and store the date before this step.

Also, I think only `~/.m2/repository` should be cached, not `~/.m2`.
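As an added example, not Ratis' CI and not part of this PR, the following puts the two review points together: the "populate the cache in a separate workflow" idea from the earlier comment (NVD download only in `apache/ratis` on schedule or pom push, or anywhere on explicit request; consumers only restore) and the dated cache key with a `~/.m2/repository` path from this one. File names, the refresh cron, the JDK version, the secret name `NVD_API_KEY` and the use of `actions/cache/save`, `actions/cache/restore` and their `lookup-only` input are assumptions of this example.

```yaml
# --- .github/workflows/populate-cache.yml (hypothetical file; added example) ---
name: populate-cache

on:
  schedule:
    - cron: '0 3 * * *'              # refresh cadence is an assumption
  push:
    branches: [master]
    paths: ['**/pom.xml']             # only when the dependency set may change
  workflow_call:
    inputs:
      download-nvd:
        type: boolean
        default: false
  workflow_dispatch:
    inputs:
      download-nvd:
        type: boolean
        default: false

permissions:
  contents: read

jobs:
  populate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 8               # assumed; use the JDK Ratis builds with

      - name: Get date                 # must run before any step that uses the key
        id: get-date
        run: echo "datetime=$(date -u +'%Y%m%d')" >> "$GITHUB_OUTPUT"

      - name: Resolve Maven dependencies
        run: mvn -B -ntp -DskipTests dependency:go-offline

      # NVD data: only in apache/ratis on schedule/push, or in any repository
      # (forks included) when a caller or a manual dispatch asks for it.
      # dependency-check keeps its data under ~/.m2/repository/org/owasp/dependency-check-data,
      # so caching the repository directory covers it.
      - name: Download NVD database
        if: ${{ inputs.download-nvd || (github.repository == 'apache/ratis' && contains(fromJSON('["schedule","push"]'), github.event_name)) }}
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: mvn -B -ntp org.owasp:dependency-check-maven:update-only -DnvdApiKey="$NVD_API_KEY"

      - uses: actions/cache/save@v4
        with:
          path: ~/.m2/repository        # repository only; ~/.m2/settings.xml may hold credentials
          key: ${{ runner.os }}-maven-${{ steps.get-date.outputs.datetime }}-${{ hashFiles('**/pom.xml') }}

# --- consumer side (ci.yml / vulnerability-check.yml): read the cache, never save ---
jobs:
  probe:
    runs-on: ubuntu-latest
    outputs:
      cache-hit: ${{ steps.cache.outputs.cache-hit }}
    steps:
      - uses: actions/checkout@v4
      - name: Get date
        id: get-date
        run: echo "datetime=$(date -u +'%Y%m%d')" >> "$GITHUB_OUTPUT"
      - uses: actions/cache/restore@v4
        id: cache
        with:
          lookup-only: true             # existence check only, nothing is downloaded
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ steps.get-date.outputs.datetime }}-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-${{ steps.get-date.outputs.datetime }}
            ${{ runner.os }}-maven-

  populate-on-miss:                    # cache miss: ask populate-cache to build today's entry
    needs: probe
    if: needs.probe.outputs.cache-hit != 'true'
    uses: ./.github/workflows/populate-cache.yml
    with:
      download-nvd: true
    secrets: inherit
```

The scan job would then `needs: [probe, populate-on-miss]` with `if: always()` (so a skipped populate does not skip the scan) and repeat the same `actions/cache/restore` step without `lookup-only`. Because the consumer only ever restores, a scan can never push Ratis' own build output or partially updated NVD data into the shared entry; the populate workflow is the single writer.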
Just remove all cache to make sure each time we trigger this workflow we will always pull newest code and NVD database to scan CVEs
| restore-keys: ${{ runner.os }}-m2- | ||
| - name: Do Maven install | ||
| shell: bash | ||
| run: mvn clean install -DskipTests |
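Review bot: `mvn clean install` copies the freshly built Ratis jars into `~/.m2/repository`, and the cache step just above would persist them and hand them to later runs through the `${{ runner.os }}-m2-` prefix; run `clean package` (or `verify`) together with the dependency-check goal in the same command instead, so nothing of Ratis itself lands in the cached repository, and add `-B -ntp` so a scheduled run's log is not dominated by download progress.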
With `mvn install` we should delete Ratis artifacts at the end of the workflow to prevent Ratis jars from being cached. Even in case of failures (`if: always()`).

Alternatively, we can run build and check in a single command, using `package` instead of `install`:

```
mvn ... clean package org.owasp:dependency-check-maven:aggregate
```

Better yet, we can use existing CI script to build Ratis:

```
dev-support/checks/compile.sh org.owasp:dependency-check-maven:aggregate <... arguments for dependency-check>
```

`compile.sh` is basically an alias for:

```
mvn -Dmaven.javadoc.skip=true -DskipTests -Djacoco.skip clean verify
```

and accepts additional arguments for Maven.
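As an added example following the suggestion above (not Ratis' CI and not the PR's file), a pair of workflow steps: build and scan in one `compile.sh` invocation, then a cleanup that runs even when the scan fails. The secret name `NVD_API_KEY` and the CVSS threshold are assumptions; the removal path is just the standard Maven repository layout for the `org.apache.ratis` groupId.

```yaml
      # One invocation: compile.sh runs `clean verify`, so nothing of Ratis is
      # installed into ~/.m2/repository, and the aggregate scan runs in the same
      # Maven session. Extra arguments are passed through to Maven.
      - name: Build and check dependencies
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}   # assumed secret name
        run: >
          dev-support/checks/compile.sh
          org.owasp:dependency-check-maven:aggregate
          -DnvdApiKey="$NVD_API_KEY"
          -DfailBuildOnCVSS=7

      # Defence in depth should a later change switch back to `install`: drop
      # Ratis' own artifacts before the cache is written. actions/cache saves in
      # its post step, which runs after every regular step, so an `if: always()`
      # step here is guaranteed to run before the save, on success or failure.
      - name: Remove Ratis artifacts from local repository
        if: always()
        run: rm -rf ~/.m2/repository/org/apache/ratis
```

The ordering point is the one that matters in practice: a cleanup step placed before the cache action in the YAML would not help, because the save happens in the cache action's post step regardless of where the action appears in the step list.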
Signed-off-by: OneSizeFitsQuorum <tanxinyu@apache.org>
@adoroszlai Thanks a lot for reviewing this! Just finished addressing Copilot's issue, I'll take a moment before attempting to address your review suggestions.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
Signed-off-by: OneSizeFitsQuorum <tanxinyu@apache.org>
590191e to 741ca7b
Signed-off-by: OneSizeFitsQuorum <tanxinyu@apache.org>
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@adoroszlai @szetszwo PTAL. This is the latest run: https://github.com/OneSizeFitsQuorum/ratis/actions/runs/20308233534/job/58331595453
adoroszlai
left a comment
Thanks @OneSizeFitsQuorum for updating the patch.
@szetszwo PTAL
see https://issues.apache.org/jira/browse/RATIS-2372