geyanggang opened a new pull request, #10832: URL: https://github.com/apache/gravitino/pull/10832
### What changes were proposed in this pull request?

- Added OWASP Dependency-Check 12.2.0 plugin to libs.versions.toml and `build.gradle.kts`
- Configured scanner to analyze `runtimeClasspath` only, with HTML + JSON reports, fail threshold at CVSS ≥ 7.0
- Created suppressions.xml with 52 triage rules covering transitive dependencies from Hive/Hadoop/Spark/Flink/Netty/Jetty ecosystem, each with documented rationale and 90-day expiry
- Added dependency-check.yml (manual trigger only) with NVD database caching
- Upgraded Gradle wrapper from 8.2 to 8.14.4 for plugin compatibility

### Why are the changes needed?

Provides automated software composition analysis for Gravitino's dependency tree. The suppression file establishes a documented triage process for transitive dependency findings that cannot be directly resolved, with periodic re-review enforced by expiry dates.

Fix: #10827

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

1. Ran `./gradlew dependencyCheckAggregate` locally — BUILD SUCCESSFUL with all findings triaged
2. Verified Gradle 8.14.4 compatibility: `./gradlew --version`, `./gradlew spotlessApply`, `./gradlew build -PskipITs` all pass
3. Validated `config/owasp/suppressions.xml` as well-formed XML
4. Verified CI workflow syntax via GitHub Actions linter

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
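The PR checks its suppressions file only for well-formedness, but the triage policy it describes (a documented rationale and an expiry no more than 90 days out on every rule) can be linted too. The script below is an added example, not code from the PR or from Gravitino; the `suppressions.xml` content is constructed for the demo, the CVE ids in it are placeholders, and the element names follow the Dependency-Check suppression schema.

```python
"""Lint an OWASP Dependency-Check suppressions.xml for triage hygiene."""
from datetime import date
import xml.etree.ElementTree as ET

NS = {"dc": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}
MAX_WINDOW_DAYS = 90  # re-review period the PR description commits to

# Constructed sample file. CVE-0000-0000x are placeholders, not real findings.
SAMPLE_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2025-06-30Z">
    <notes>Hive transitive; code path not reachable from Gravitino runtime. Re-check on upgrade.</notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.hive/.*$</packageUrl>
    <cve>CVE-0000-00001</cve>
  </suppress>
  <suppress>
    <notes>No expiry: this rule would silence the finding forever.</notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/.*$</packageUrl>
    <cve>CVE-0000-00002</cve>
  </suppress>
  <suppress until="2026-12-31Z">
    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/.*$</packageUrl>
    <cve>CVE-0000-00003</cve>
  </suppress>
</suppressions>
"""


def parse_until(value: str) -> date:
    """Dependency-Check writes expiries as YYYY-MM-DD with an optional trailing Z."""
    return date.fromisoformat(value.rstrip("Z"))


def lint_suppressions(xml_text: str, today: date, max_days: int = MAX_WINDOW_DAYS) -> list[str]:
    """Return one message per policy violation; an empty list means the file passes."""
    root = ET.fromstring(xml_text)
    problems = []
    for idx, sup in enumerate(root.findall("dc:suppress", NS), start=1):
        cve = sup.findtext("dc:cve", default="?", namespaces=NS)
        label = f"suppress #{idx} ({cve})"
        if not sup.findtext("dc:notes", default="", namespaces=NS).strip():
            problems.append(f"{label}: no <notes> rationale; triage decision is undocumented")
        until = sup.get("until")
        if until is None:
            problems.append(f"{label}: no until= expiry; finding would never be re-reviewed")
            continue
        expiry = parse_until(until)
        if expiry < today:
            problems.append(f"{label}: expired on {expiry}; re-triage or remove the rule")
        elif (expiry - today).days > max_days:
            problems.append(f"{label}: expiry {expiry} exceeds the {max_days}-day review window")
    return problems
```

Run it in CI next to `dependencyCheckAggregate` and fail the job when the list is non-empty, so a rule cannot outlive its review date unnoticed.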
