[jira] [Commented] (NUTCH-2840) Fix 'report-vulnerabilities' ant target in build.xml


Steve Loughran (Jira)

    [ https://issues.apache.org/jira/browse/NUTCH-2840?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17262596#comment-17262596 ]

ASF GitHub Bot commented on NUTCH-2840:
---------------------------------------

sebastian-nagel commented on a change in pull request #561:
URL: https://github.com/apache/nutch/pull/561#discussion_r554980570



##########
File path: build.xml
##########
@@ -639,24 +641,38 @@
   </target>
 
   <!-- Check dependencies for security vulnerabilities                                    -->
-  <!-- requires installation of OWASP dependency check tool, see                          -->
-  <!--   https://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html     -->
-  <!-- get http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-3.3.2-release.zip -->
-  <!-- and unzip in directory ./ivy/                                                      -->
-  <path id="dependency-check.path">
-    <pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
-    <fileset dir="${dependency-check.home}/lib" erroronmissingdir="false">
+  <target name="dependency-check-ant-download" description="--> download dependency-check-ant jar">
+    <available file="${dependency-check-ant.jar}" property="dependency-check-ant.jar.found"/>
+    <antcall target="dependency-check-ant-download-unchecked"/>
+  </target>
+
+  <target name="dependency-check-ant-download-unchecked" unless="dependency-check-ant.jar.found"
+          description="--> downloads the dependency-check-ant binary (dependency-check-ant-*.zip).">
+    <get src="https://github.com/jeremylong/DependencyCheck/releases/download/v${dependency-check-ant.version}/dependency-check-ant-${dependency-check-ant.version}-release.zip"
+         dest="${ivy.dir}/dependency-check-ant-${dependency-check-ant.version}-release.zip" usetimestamp="false" />
+
+    <unzip src="${dependency-check-ant.home}/dependency-check-ant-${dependency-check-ant.version}-release.zip"
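
Review bot: in `dependency-check-ant-download-unchecked`, the `<get>` writes the zip to `${ivy.dir}/...` but the `<unzip>` reads it from `${dependency-check-ant.home}/...`, and nothing in the visible lines verifies the archive between download and unpack. Unless both properties resolve to the same directory, the unzip will not find the file, so `src` should reuse the exact `dest` path. Since the unpacked jars end up on the build's task classpath, consider also pinning the expected digest of the release zip for `${dependency-check-ant.version}` in a property (for example a hypothetical `dependency-check-ant.sha256`) and checking it with Ant's `<checksum>` task (`algorithm="SHA-256"`, `verifyproperty`) before `<unzip>`, failing the build on mismatch. The `description` attribute on the `-unchecked` helper target also makes it show up in `ant -projecthelp`; dropping it would keep the helper internal.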

Review comment:
       The parameter `src` should be `${ivy.dir}/dependency-check-ant-${dependency-check-ant.version}-release.zip` - same as download destination and file to be deleted later.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]


> Fix 'report-vulnerabilities' ant target in build.xml
> ----------------------------------------------------
>
>                 Key: NUTCH-2840
>                 URL: https://issues.apache.org/jira/browse/NUTCH-2840
>             Project: Nutch
>          Issue Type: Improvement
>          Components: build
>    Affects Versions: 1.18
>            Reporter: Lewis John McGibbney
>            Assignee: Lewis John McGibbney
>            Priority: Critical
>             Fix For: 1.18
>
>
> I recently noticed (FOR THE FIRST TIME) the *report-vulnerabilities* target in build.xml.
> When I invoked it, it was broken so I decided to fix it.
> PR coming up.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)