Handle security CVE violations #45
Closed

Conversation
Cobertura is an abandoned project and does not officially support Java 8+

This commit adds support for Gitpod.io, a free automated dev environment that makes contributing and generally working on GitHub projects much easier. It allows anyone to start a ready-to-code dev environment for any branch, issue and pull request with a single click.
1a9409c to fc552e8
The maintainer needs to declare three secrets in the GitHub repository:
- SONAR_PROJECTKEY,
- SONAR_ORGANIZATION, and
- SONAR_TOKEN

SONAR_TOKEN is the secret generated in sonarcloud.io once you have imported and set up the project.
SONAR_PROJECTKEY is the project's key in the maintainer's SonarQube Cloud account.
SONAR_ORGANIZATION is the maintainer's SonarQube Cloud account organization identifier.

ci(build): Java CI build
ci(sonar): SonarQube analysis
ci(codecov): Codecov coverage analysis
ci(codeql): CodeQL code security analysis
ci(github): Obfuscate GitHub secrets
doc(readme): Badges for quality gates in the README.

Signed-off-by: Hervé Brun <herve-brun@users.noreply.github.com>
Co-authored-by: Hervé Brun <herve-brun@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Two deprecations without breaking changes:
- one due to an update of the swagger dependencies,
- another due to an update of jCommander.

Signed-off-by: Hervé Brun <herve-brun@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Hervé Brun <herve-brun@users.noreply.github.com>
Any news on this merge request?
Snyk has created this PR to upgrade io.swagger:swagger-parser from 1.0.65 to 1.0.67. See this package in Maven Repository: https://mvnrepository.com/artifact/io.swagger/swagger-parser/ See this project in Snyk: https://app.snyk.io/org/herve-brun/project/6eccac95-a83d-471b-9350-911b67341608?utm_source=github&utm_medium=referral&page=upgrade-pr Co-authored-by: snyk-bot <snyk-bot@snyk.io>
Snyk has created this PR to upgrade com.alibaba:fastjson from 2.0.21 to 2.0.33. See this package in Maven Repository: https://mvnrepository.com/artifact/com.alibaba/fastjson/ See this project in Snyk: https://app.snyk.io/org/herve-brun/project/6eccac95-a83d-471b-9350-911b67341608?utm_source=github&utm_medium=referral&page=upgrade-pr Co-authored-by: snyk-bot <snyk-bot@snyk.io>
Snyk has created this PR to upgrade com.alibaba:fastjson from 2.0.33 to 2.0.34. See this package in Maven Repository: https://mvnrepository.com/artifact/com.alibaba/fastjson/ See this project in Snyk: https://app.snyk.io/org/herve-brun/project/6eccac95-a83d-471b-9350-911b67341608?utm_source=github&utm_medium=referral&page=upgrade-pr Co-authored-by: snyk-bot <snyk-bot@snyk.io>
#135)

Bumps [org.apache.maven.plugins:maven-javadoc-plugin](https://github.com/apache/maven-javadoc-plugin) from 3.5.0 to 3.6.0.
- [Release notes](https://github.com/apache/maven-javadoc-plugin/releases)
- [Commits](apache/maven-javadoc-plugin@maven-javadoc-plugin-3.5.0...maven-javadoc-plugin-3.6.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-javadoc-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps org.slf4j:slf4j-nop from 2.0.7 to 2.0.9.

---
updated-dependencies:
- dependency-name: org.slf4j:slf4j-nop
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@Sayi

Stale MR... closing.
This merge request handles all the CVE security issues detected by static analysis tools (dependabot, depshield, etc.).
No breaking change has been detected.
I added a few GitHub actions and some badges to reflect the quality gates in the README.
I also set up CodeCov and SonarQube analysis actions.
I know you are using another coverage analysis tool, but CodeCov is integrated in GitHub actions.
I could remove it if you wish?
The SonarQube action uses two GitHub project secrets you will have to set up in your GitHub repo before merging if you want this action to be functional:
Once you create a sonarcloud.io account, the setup is really easy: import the GitHub project and choose the "Setup GitHub Action" tile to set up the SonarCloud project.
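The commit message and the description above both say the SonarQube action reads repository secrets (SONAR_TOKEN, SONAR_PROJECTKEY, SONAR_ORGANIZATION) but the PR's own workflow file is not shown on this page. The following is an added example of how such a workflow is typically wired for a Maven project, not the workflow from this pull request; the job name, Java version, branch name and the fork-PR guard are assumptions, the secret names are the ones the commit message declares.

```yaml
# Added example, not the workflow from this pull request.
# Assumed: a Maven build, Java 17, and the three repository secrets named
# in the commit message (SONAR_TOKEN, SONAR_PROJECTKEY, SONAR_ORGANIZATION).
name: Sonar analysis

on:
  push:
    branches: [ main ]
  pull_request:

jobs:
  sonar:
    runs-on: ubuntu-latest
    # GitHub does not expose repository secrets to workflow runs triggered by
    # pull requests from forks, so SONAR_TOKEN would be empty there. Skip the
    # analysis for fork PRs instead of failing the whole CI run.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, needed for new-code detection and blame
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - name: Build and analyse
        env:
          # The scanner reads the token from the environment. Keep it out of
          # the command line, where it would show up in process listings.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          # Lets SonarCloud decorate the pull request with its findings.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: >
          mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.host.url=https://sonarcloud.io
          -Dsonar.projectKey=${{ secrets.SONAR_PROJECTKEY }}
          -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
```

Two checks worth doing before merging a workflow like this: confirm that the `if:` guard actually skips the job on a pull request opened from a fork (otherwise the step fails with an authentication error and blocks CI for outside contributors), and remember that GitHub's log masking only redacts the exact secret value, so a token must never be printed, base64-encoded or otherwise transformed in a step. The project key and organization are not really secrets, but storing them as secrets, as the commit message describes, does no harm.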