{"id":28793027,"url":"https://github.com/cdapio/cdap-build","last_synced_at":"2026-05-23T13:02:22.811Z","repository":{"id":37549563,"uuid":"64784065","full_name":"cdapio/cdap-build","owner":"cdapio","description":"Repository for building CDAP and additional external projects","archived":false,"fork":false,"pushed_at":"2026-03-05T10:31:46.000Z","size":706,"stargazers_count":16,"open_issues_count":4,"forks_count":31,"subscribers_count":50,"default_branch":"develop","last_synced_at":"2026-03-05T14:53:16.253Z","etag":null,"topics":["cdap","cdap-release"],"latest_commit_sha":null,"homepage":null,"language":"Dockerfile","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cdapio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-08-02T18:56:48.000Z","updated_at":"2026-02-18T05:52:54.000Z","dependencies_parsed_at":"2023-02-12T22:45:22.216Z","dependency_job_id":"18906f36-38d8-4993-81d1-4a3e7203285c","html_url":"https://github.com/cdapio/cdap-build","commit_stats":null,"previous_names":[],"tags_count":324,"template":false,"template_full_name":null,"purl":"pkg:github/cdapio/cdap-build","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdapio%2Fcdap-build","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdapio%2Fcdap-build/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdapio%2Fcdap-build/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/repositories/cdapio%2Fcdap-build/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cdapio","download_url":"https://codeload.github.com/cdapio/cdap-build/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdapio%2Fcdap-build/sbom","scorecard":{"id":269506,"data":{"date":"2025-08-11","repo":{"name":"github.com/cdapio/cdap-build","commit":"d73ba26517b916ba2e8e40bf701c35592d1060ae"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.1,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Maintained","score":10,"reason":"24 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka 
merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: topLevel 'contents' permission set to 'write': .github/workflows/build-and-unit-test.yml:48","Warn: topLevel 'checks' permission set to 'write': .github/workflows/build-and-unit-test.yml:49","Warn: topLevel 'statuses' permission set to 'write': .github/workflows/build-and-unit-test.yml:50","Warn: no topLevel permission defined: .github/workflows/docker-deploy.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices 
Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":3,"reason":"dependency not pinned by hash detected -- score normalized to 3","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-and-unit-test.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/cdapio/cdap-build/build-and-unit-test.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-unit-test.yml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/cdapio/cdap-build/build-and-unit-test.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-unit-test.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/cdapio/cdap-build/build-and-unit-test.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-unit-test.yml:139: update your workflow using https://app.stepsecurity.io/secureworkflow/cdapio/cdap-build/build-and-unit-test.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-unit-test.yml:190: update your workflow using https://app.stepsecurity.io/secureworkflow/cdapio/cdap-build/build-and-unit-test.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker-deploy.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/cdapio/cdap-build/docker-deploy.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker-deploy.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/cdapio/cdap-build/docker-deploy.yml/develop?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:16","Warn: containerImage not pinned by hash: Dockerfile:44","Warn: containerImage not pinned 
by hash: maven.Dockerfile:18","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   4 out of   5 third-party GitHubAction dependencies pinned","Info:   0 out of   3 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact latest not signed: https://api.github.com/repos/cdapio/cdap-build/releases/74226943","Warn: release artifact v6.11.1-SNAPSHOT not signed: https://api.github.com/repos/cdapio/cdap-build/releases/208075785","Warn: release artifact v6.10.7-SNAPSHOT not signed: https://api.github.com/repos/cdapio/cdap-build/releases/237470651","Warn: release artifact v6.10.6 not signed: 
https://api.github.com/repos/cdapio/cdap-build/releases/232958150","Warn: release artifact v6.10.5 not signed: https://api.github.com/repos/cdapio/cdap-build/releases/207089570","Warn: release artifact latest does not have provenance: https://api.github.com/repos/cdapio/cdap-build/releases/74226943","Warn: release artifact v6.11.1-SNAPSHOT does not have provenance: https://api.github.com/repos/cdapio/cdap-build/releases/208075785","Warn: release artifact v6.10.7-SNAPSHOT does not have provenance: https://api.github.com/repos/cdapio/cdap-build/releases/237470651","Warn: release artifact v6.10.6 does not have provenance: https://api.github.com/repos/cdapio/cdap-build/releases/232958150","Warn: release artifact v6.10.5 does not have provenance: https://api.github.com/repos/cdapio/cdap-build/releases/207089570"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T12:59:02.367Z","repository_id":37549563,"created_at":"2025-08-17T12:59:02.367Z","updated_at":"2025-08-17T12:59:02.367Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33396576,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T04:15:53.637Z","status":"ssl_error","status_checked_at":"2026-05-23T04:15:53.242Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cdap","cdap-release"],"created_at":"2025-06-18T01:04:17.679Z","updated_at":"2026-05-23T13:02:22.786Z","avatar_url":"https://github.com/cdapio.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CDAP Build repository\n\nThis repository is used for building a complete CDAP release.\n\nThis checks out CDAP, CDAP Security Extensions,\nand Cask Hydrator Plugins. 
The external application\nartifact repositories are located under `app-artifacts`, while\nsecurity extensions are located under `security-extensions`, so\nCDAP should be built using\n`-Dadditional.artifacts.dir=$(pwd)/app-artifacts -Dsecurity.extensions.dir=$(pwd)/security-extensions`\nto include the additional projects in the CDAP Master packages.\n\n## Submodules and Git\n\nThis repository uses Git submodules to provide links to other\nrepositories. Cloning this repository with `--recursive` will\nautomatically initialize and check out the additional repositories.\nThese additional repositories are configured to track the correct\nremote branches for a given CDAP release. This repository will have\nthe correct Git references stored for a particular tag. Checking\nout a tag to your working directory will update the submodule Git\nreferences to the ones used to build that tag.\n\nIf you cloned without using `--recursive`, you will need to\ninitialize and check out the submodules:\n\n```bash\ngit submodule init\ngit submodule update\n```\n\nStarting with Git 1.8, it is possible to track remote branches\nin Git submodules. These branches have already been configured\nfor each submodule, and the submodules can be updated to the\nhead of that branch by appending `--remote` to the update command:\n\n```bash\ngit submodule update --remote\n```\n\n## Building a CDAP release\n\n### Compiling/Installing Apache Sentry 1.7.0\n\nThe CDAP Security Extensions require you to have Apache Sentry 1.7.0\nJARs in your local Maven repository. These JARs are not available from\nMaven Central, so you may need to compile them. 
The correct branch\nfor Sentry is included as a submodule under `apache-sentry` to make\ncompilation easy.\n\n```bash\nmvn clean install -DskipTests -f apache-sentry\n```\n\n### Installing CDAP API JARs\n\nCompiling the artifacts requires first building and installing the\nCDAP API JARs into your local Maven repository.\n\n```bash\nexport MAVEN_OPTS=\"-Xmx3056m -XX:MaxPermSize=128m\"\nmvn install -DskipTests -B -am -pl cdap/cdap-api -P templates\nmvn install -DskipTests -B -am -f cdap/cdap-app-templates -P templates\n```\n\n### Compiling CDAP, including external artifacts and security extensions (example)\n\n```bash\nmvn package -P examples,templates,dist,release,rpm-prepare,rpm,deb-prepare,deb,tgz,unit-tests \\\n -Dgpg.passphrase=${GPG_PASSPHRASE} -Dgpg.useagent=false \\\n -Dadditional.artifacts.dir=$(pwd)/app-artifacts \\\n -Dsecurity.extensions.dir=$(pwd)/security-extensions\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcdapio%2Fcdap-build","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcdapio%2Fcdap-build","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcdapio%2Fcdap-build/lists"}