There are a couple of things here. You may be hard pressed to find software
with no CVE vulnerabilities, as security issues are found all the time, so we
should go with a guideline that is in the spirit of "let's discuss this
addition and weigh the pros and cons" rather than "don't add whatsoever if
you find a vulnerability". Almost all software out there has
vulnerabilities, including your OS, Hadoop and the various other
dependencies.

I am fine with the build failing for a PR that has a newly added dependency
which has CVEs, as long as we don't penalize PRs that have nothing to do
with a dependency change, i.e., don't fail builds for PRs because a new CVE
was discovered in existing dependencies. Also, if there is a PR with a new
dependency that has CVEs, let it not be an automatic disqualifier; it should
be discussed on the dev list.

Thanks

On Fri, Sep 8, 2017 at 3:51 PM, Vlad Rozov <[EMAIL PROTECTED]> wrote: