Security & dependencies #8
- 5.1 Add OWASP Dependency Check plugin to scan for CVEs in transitive dependencies.
- 5.2 Document the Tika dependency impact (100+ transitive deps, ~50MB fat JAR) and consider providing a lighter "minimal" build profile.
- 5.3 Document required signing credentials setup (signing.keyId, sonatypeUsername, sonatypePassword) for publishing.
Pull request overview
This pull request enhances the project's dependency management and documentation by switching to a lightweight Tika dependency, adding comprehensive OWASP security scanning, and providing detailed guides for publishing and dependency management. The changes reduce the project's dependency footprint from ~60MB to ~11-15MB while maintaining full functionality.
Key Changes
- Replaced heavy Tika parser dependencies with lightweight tika-core (~1MB vs ~50MB)
- Added OWASP Dependency Check plugin integration for CVE scanning
- Created comprehensive publishing and dependency management documentation
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| gi-common/build.gradle | Removed tika-parsers-standard-package and tika-parser-text-module dependencies, keeping only tika-core for MIME detection |
| build.gradle | Added OWASP Dependency Check plugin with security scanning configuration |
| docs/PUBLISHING.md | New comprehensive guide for Maven Central publishing with GPG setup, credentials management, and CI/CD integration |
| docs/DEPENDENCIES.md | New guide documenting dependency structure, Tika optimization rationale, security scanning, and version compatibility |
| TODO.md | Marked security and dependency-related tasks as complete |
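As an added example (not the project's build.gradle and not code from the pull request), this is how the tika-core-only dependency and the OWASP Dependency Check integration asked for in items 5.1 and 5.2 of the issue, and summarized in the table above, would look in a root Gradle build script. The plugin and Tika versions, the suppression-file path and the NVD_API_KEY variable name are assumptions, not values taken from the project.

```groovy
// Added example, not the project's own build.gradle.
// Versions, paths and the NVD_API_KEY name below are assumptions.
plugins {
    id 'java-library'
    id 'org.owasp.dependencycheck' version '10.0.4'
}

dependencyCheck {
    // Fail the build when any dependency (including transitive ones) carries a
    // CVE scored at or above CVSS 7.0. Without this the scan only reports.
    failBuildOnCVSS = 7.0f
    // Human-readable report for reviewers plus JSON for CI to parse.
    formats = ['HTML', 'JSON']
    // Reviewed false positives are suppressed in a file kept under version control,
    // so every suppression is visible in code review.
    suppressionFile = 'config/dependency-check/suppressions.xml'
    // The NVD API key is read from the environment and never committed.
    nvd {
        apiKey = System.getenv('NVD_API_KEY')
    }
    analyzers {
        // .NET assembly analysis is irrelevant for a JVM project and slows the scan.
        assemblyEnabled = false
    }
}

// Subproject excerpt: MIME-type detection only needs tika-core.
// tika-parsers-standard-package is what drags in 100+ transitive artifacts
// and the ~50MB fat JAR, so it stays out unless full content parsing is needed.
project(':gi-common') {
    apply plugin: 'java-library'
    dependencies {
        implementation 'org.apache.tika:tika-core:2.9.2'
    }
}
```

`./gradlew dependencyCheckAggregate` scans every subproject's configurations in one pass and fails on the threshold above, which is the task a CI job should run for a multi-module build; `./gradlew :gi-common:dependencies --configuration runtimeClasspath` prints exactly which transitive artifacts remain, which is the quickest way to confirm the footprint reduction the review describes before and after such a change.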
@perNyfelt I've opened a new pull request, #9, to work on those changes. Once the pull request is ready, I'll request review from you.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@perNyfelt I've opened a new pull request, #10, to work on those changes. Once the pull request is ready, I'll request review from you.
@perNyfelt I've opened a new pull request, #11, to work on those changes. Once the pull request is ready, I'll request review from you.
@perNyfelt I've opened a new pull request, #12, to work on those changes. Once the pull request is ready, I'll request review from you.
Co-authored-by: perNyfelt <13261538+perNyfelt@users.noreply.github.com>
…ISHING.md Co-authored-by: perNyfelt <13261538+perNyfelt@users.noreply.github.com>
Fix GPG secret naming inconsistency in publishing documentation
Improve GPG signing documentation security and modernize approach
Fix DEPENDENCIES.md CI/CD workflow description
Document both file-based and in-memory GPG signing for publishing
Pull request overview
Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This pull request introduces comprehensive improvements to the project's dependency management and publishing documentation, with a focus on security, clarity, and minimizing the dependency footprint. The most important changes include switching to a lighter Apache Tika dependency, adding detailed guides for dependency and publishing best practices, and marking key security and publishing checklist items as complete.
Dependency Management Improvements:
- Switched from the `tika-parsers-standard-package` and `tika-parser-text-module` dependencies to just `tika-core` in `gi-common/build.gradle`, significantly reducing the size and number of transitive dependencies for MIME type detection.
- Added a `docs/DEPENDENCIES.md` guide that explains the dependency structure, the rationale for using `tika-core`, instructions for adding full Tika parsers if needed, security scanning with OWASP Dependency Check, and best practices for keeping dependencies up to date.

Security and Publishing Documentation:
- Added a `docs/PUBLISHING.md` guide detailing the process for publishing to Maven Central, including Sonatype account setup, GPG signing, credential configuration, release steps, troubleshooting, and CI/CD integration.
- Updated the `TODO.md` checklist to mark OWASP Dependency Check integration, Tika dependency documentation, and signing credentials documentation as complete.
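The credential setup that item 5.3 of the issue asks for, and that the PUBLISHING.md guide and the commit "Document both file-based and in-memory GPG signing for publishing" refer to, can be expressed in Gradle as below. This is an added example, not the project's build script or its documentation. The `sonatypeUrl`, `signingKey` and `signingPassword` property names and the `SONATYPE_*` / `SIGNING_*` environment variable names are assumptions; `signing.keyId`, `signing.password` and `signing.secretKeyRingFile` are the signing plugin's standard properties, and `sonatypeUsername` / `sonatypePassword` are the names the issue uses.

```groovy
// Added example, not the project's own build.gradle.
// Property and environment variable names other than the standard signing.*
// properties are assumptions.
plugins {
    id 'java-library'
    id 'maven-publish'
    id 'signing'
}

publishing {
    publications {
        mavenJava(MavenPublication) {
            from components.java
        }
    }
    repositories {
        maven {
            name = 'sonatype'
            // The deployment endpoint comes from a property so the build script
            // itself carries no environment-specific URL (assumed property name).
            url = uri(providers.gradleProperty('sonatypeUrl').getOrElse('https://example.invalid/'))
            credentials {
                // Locally: sonatypeUsername/sonatypePassword in ~/.gradle/gradle.properties.
                // In CI: ORG_GRADLE_PROJECT_sonatypeUsername / ..._sonatypePassword, which
                // Gradle maps to project properties, or the plain env vars as a fallback.
                // Nothing here ever lands in the repository's own gradle.properties.
                username = findProperty('sonatypeUsername') ?: System.getenv('SONATYPE_USERNAME')
                password = findProperty('sonatypePassword') ?: System.getenv('SONATYPE_PASSWORD')
            }
        }
    }
}

signing {
    def inMemoryKey = findProperty('signingKey') ?: System.getenv('SIGNING_KEY')
    def inMemoryPassword = findProperty('signingPassword') ?: System.getenv('SIGNING_PASSWORD')
    if (inMemoryKey) {
        // In-memory path (CI): the ASCII-armored private key is injected as a secret
        // and never written to disk on the runner.
        useInMemoryPgpKeys(inMemoryKey, inMemoryPassword)
    }
    // File-based path (developer machine): when no in-memory key is present the
    // signing plugin falls back to these standard properties, which belong in
    // ~/.gradle/gradle.properties (mode 600), outside the repository:
    //   signing.keyId=<short key id>
    //   signing.password=<passphrase>
    //   signing.secretKeyRingFile=/home/you/.gnupg/secring.gpg
    //
    // Only require a key when actually publishing, so `./gradlew build` works
    // for contributors who have no signing credentials at all.
    required { gradle.taskGraph.hasTask('publish') }
    sign publishing.publications.mavenJava
}
```

A quick self-check before the first release is `./gradlew signMavenJavaPublication` on a machine with only one of the two credential sources configured: it should produce `.asc` files in `build/libs` with the in-memory key alone, and again with only the `signing.*` properties, which confirms both paths documented in PUBLISHING.md work. GnuPG 2.1 and later no longer maintain `secring.gpg`, so the file-based path needs an explicit `gpg --export-secret-keys -o ~/.gnupg/secring.gpg <key id>` first.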