Document how to cache NVD database for usage in CI (i.e. github actions) #305

Open
mdedetrich opened this issue May 5, 2023 · 0 comments

mdedetrich commented May 5, 2023

So the background context of this ticket is that I am trying to integrate https://github.com/albuch/sbt-dependency-check into Pekko (apache/pekko#289). Originally the integration was meant to be a simple one that just involved adjusting a couple of settings (i.e. output directory) and having to manually generate the report using dependencyCheckAggregate; however, it was suggested in the PR that, rather than us having to manually generate the report, we can instead have it as part of our CI pipeline.

More specifically, this would mean that we would run dependencyCheckAggregate whenever our docs are generated using source generators (i.e. https://developer.lightbend.com/docs/paradox/current/customization/generators.html#generating-pages-with-code) and then integrate the generated report into the docs.

The obvious core problem here is that downloading/generating the NVD database takes a huge amount of time, so my first general question is whether doing this makes general sense and, as a follow-up question, how would you recommend caching the database so it doesn't have to be downloaded every single time? I noticed that the database seems to be stored in the standard coursier local repository, which means, if I understand correctly, it should be handled fine by the standard GitHub Actions cache action for sbt projects, i.e. https://github.com/coursier/cache-action.
