Project

General

Profile

Actions

Bug #19279

closed

For plugins, we need to skip CVE check on provided dependencies

Added by François ARMAND over 3 years ago. Updated over 3 years ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:

Description

For plugins, and for reasons (#12171), we need to specify all rudder libraries and dependencies as provided (else they are included in plugins).
The exact version of the lib used can be bit of, because plugins don't use last version of rudder for ABI compat.
All that leads to false positive in CVE check in dependencies.

So we need to skip dependencies with scope "provided" in plugins (of course, the plugin own dependencies, which don't have that scope, will be checked).

Note: perhaps system properties should be skipped too, but I will let them for now, and we will see when the case arise if it's relevant.

Actions

Also available in: Atom PDF