PIG-5352: Please add OWASP Dependency Check to the build ivy.xml (knoguchi)

git-svn-id: https://svn.apache.org/repos/asf/pig/trunk@1872609 13f79535-47bb-0310-9956-ffa450edef68

Author: Koji Noguchi

CHANGES.txt

@@ -26,6 +26,8 @@ PIG-5282: Upgade to Java 8 (satishsaley via rohini)
 
 IMPROVEMENTS
 
+PIG-5352: Please add OWASP Dependency Check to the build ivy.xml (knoguchi)
+
 PIG-5385: Skip calling extra gc() before spilling large bag when unnecessary (knoguchi)
 
 PIG-5389: Passing null to REPLACE udf preventing JIT optimization (knoguchi)

build.xml

@@ -268,6 +268,7 @@
     <property name="ivy.lib.dir.spark" location="${ivy.lib.dir}/spark" />
     <property name="build.ivy.report.dir" location="${build.ivy.dir}/report" />
     <property name="build.ivy.maven.dir" location="${build.ivy.dir}/maven" />
+    <property name="build.ivy.owasp.dir" location="${build.ivy.dir}/owasp" />
     <property name="pom.xml" location="${build.ivy.maven.dir}/pom.xml"/>
     <property name="build.ivy.maven.pom" location="${build.ivy.maven.dir}/pig-${version}.pom" />
     <property name="build.ivy.maven.jar" location="${build.ivy.maven.dir}/pig-${version}-core.jar" />
@@ -1461,6 +1462,21 @@
     <!-- Perform audit activities for the release                           -->
     <!-- ================================================================== -->
 
+    <target name="owasp" depends="ivy-owasp,ivy-compile" description="OWASP dependency check">
+        <typedef format="properties" resource="dependency-check-taskdefs.properties" uri="antlib:org.owasp.dependencycheck.anttasks" classpathref="owasp-classpath"/>
+        <owasp:dependency-check xmlns:owasp="antlib:org.owasp.dependencycheck.anttasks"
+                          projectname="Pig"
+                          reportoutputdirectory="${build.dir}/owasp"
+                          reportformat="ALL"
+                          failBuildOnCVSS="0">
+
+            <fileset dir="${ivy.lib.dir}">
+                <include name="**/*.jar"/>
+            </fileset>
+
+        </owasp:dependency-check>
+    </target>
+
     <target name="releaseaudit" depends="ivy-releaseaudit" description="generate a release audit report">
         <get src="${mvnrepo}/org/apache/rat/apache-rat/${apacherat.version}/apache-rat-${apacherat.version}.jar"
              dest="${basedir}/build/apache-rat-${apacherat.version}.jar"
@@ -1759,6 +1775,12 @@
        <ivy:cachepath pathid="jdiff.classpath" conf="jdiff"/>
      </target>
 
+     <target name="ivy-owasp" depends="ivy-resolve" description="Retrieve Ivy-managed artifacts for owasp configuration">
+        <ivy:retrieve settingsRef="${ant.project.name}.ivy.settings" log="${loglevel}"
+                      pattern="${build.ivy.owasp.dir}/${ivy.artifact.retrieve.pattern}" conf="owasp"/>
+        <ivy:cachepath pathid="owasp-classpath" conf="owasp"/>
+    </target>
+
      <target name="ivy-clean-cache" depends="ivy-init-antlib"
              description="Clean the Ivy cache">
          <ivy:cleancache />

ivy.xml

@@ -43,6 +43,7 @@
     <conf name="hbase2" visibility="private"/>
     <conf name="spark1" visibility="private" />
     <conf name="spark2" visibility="private" />
+    <conf name="owasp" visibility="private" description="Artifacts required for owasp target"/>
   </configurations>
   <publications>
     <artifact name="pig" conf="master"/>
@@ -614,6 +615,9 @@
       conf="hadoop2->master"/>
     <dependency org="org.apache.curator" name="curator-client" rev="${curator.version}"
       conf="hadoop2->master"/>
+    <!-- For dependency check -->
+    <dependency org="org.owasp" name="dependency-check-ant"
+                rev="${dependency-check-ant.version}" conf="owasp->default"/>
   </dependencies>
 </ivy-module>
 

ivy/libraries.properties

@@ -97,4 +97,5 @@ htrace4.version=4.0.1-incubating
 commons-lang3.version=3.6
 scala-xml.version=1.0.5
 glassfish.el.version=3.0.1-b08
-roaring-bitmap-shaded.version=0.7.14
+roaring-bitmap-shaded.version=0.7.14
+dependency-check-ant.version=5.2.4