From 11ecf970ce1d6aa0392d86ab9c8d65e05f18f659 Mon Sep 17 00:00:00 2001
From: Charles Dubois <103174266+CharlesDuboisSAP@users.noreply.github.com>
Date: Mon, 7 Oct 2024 15:02:24 +0200
Subject: [PATCH] Added OWASP Dependency check (#82)
* Added OWASP Dependency check
* Moved suppression file
* Moved OWASP Dependency check to Fosstars workflow
* Added Slack notification
* Added Build SDK step
---
 .github/workflows/continuous-integration.yaml | 1 -
 .github/workflows/fosstars-report.yml | 42 +++++++++++++++++--
 .pipeline/dependency-check-suppression.xml | 7 ++++
 pom.xml | 1 -
 4 files changed, 46 insertions(+), 5 deletions(-)
 create mode 100644 .pipeline/dependency-check-suppression.xml
diff --git a/.github/workflows/continuous-integration.yaml b/.github/workflows/continuous-integration.yaml
index c23c966e..c780bb56 100644
--- a/.github/workflows/continuous-integration.yaml
+++ b/.github/workflows/continuous-integration.yaml
@@ -101,4 +101,3 @@ jobs:
 env:
 SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
 SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
- #TODO: Blackduck and security rating steps
diff --git a/.github/workflows/fosstars-report.yml b/.github/workflows/fosstars-report.yml
index 57d4cc52..6e6765c9 100644
--- a/.github/workflows/fosstars-report.yml
+++ b/.github/workflows/fosstars-report.yml
@@ -2,15 +2,51 @@ name: "Fosstars (Security)"
 on:
 workflow_dispatch:
 schedule:
- - cron: "0 0 * * *"
+ - cron: "0 0 * * *" # every day at midnight
+
+env:
+ MVN_MULTI_THREADED_ARGS: --batch-mode --no-transfer-progress --fail-at-end --show-version --threads 1C
+ JAVA_VERSION: 17
 jobs:
 create_fosstars_report:
 runs-on: ubuntu-latest
 name: "Security rating"
 steps:
- - uses: actions/checkout@v4
- - uses: SAP/fosstars-rating-core-action@v1.14.0
+ - name: "Checkout repository"
+ uses: actions/checkout@v4
+
+ - name: "Setup java"
+ uses: actions/setup-java@v4
+ with:
+ distribution: "temurin"
+ java-version: ${{ env.JAVA_VERSION }}
+ cache: 'maven'
+
+ - name: "Build SDK"
+ run: |
+ MVN_ARGS="${{ env.MVN_MULTI_THREADED_ARGS }} clean install -DskipTests -DskipFormatting"
+ mvn $MVN_ARGS
+
+ - name: "OWASP Dependency check"
+ run: mvn org.owasp:dependency-check-maven:10.0.4:check -DnvdApiKey=$NVD_API_KEY -DfailBuildOnCVSS=7 -DskipProvidedScope=true -DsuppressionFile=.pipeline/dependency-check-suppression.xml
+ env:
+ NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+
+ - name: "Fosstars rating"
+ uses: SAP/fosstars-rating-core-action@v1.14.0
 with:
 report-branch: fosstars-report
 token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: "Slack Notification"
+ if: failure()
+ uses: slackapi/slack-github-action@v1.27.0
+ with:
+ payload: |
+ {
+ "text": "⚠️ OWASP Dependency check failed! 😬 Please inspect & fix by clicking "
+ }
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
+ SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
diff --git a/.pipeline/dependency-check-suppression.xml b/.pipeline/dependency-check-suppression.xml
new file mode 100644
index 00000000..10617b8f
--- /dev/null
+++ b/.pipeline/dependency-check-suppression.xml
@@ -0,0 +1,7 @@
+
+
+
+ CVE-2021-41251
+
+
diff --git a/pom.xml b/pom.xml
index 6f296419..a8cae2ac 100644
--- a/pom.xml
+++ b/pom.xml
@@ -63,7 +63,6 @@ 10.18.2 2.1.3 3.5.1 - 2.1.3 6.1.13 5.14.1
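Review bot: The Slack step's `if: failure()` fires when any earlier step fails — `setup-java`, the Maven build, or the Fosstars rating — but the message unconditionally blames the OWASP Dependency check, which will misdirect whoever responds; give the scan step an `id: owasp` and gate the notification with `if: failure() && steps.owasp.outcome == 'failure'` (or make the text generic). Because the scan also runs before the Fosstars step, any CVSS >= 7 finding stops the rating from refreshing the `fosstars-report` branch, which may or may not be intended. The job declares no `permissions:` block, so the `GITHUB_TOKEN` handed to `SAP/fosstars-rating-core-action` inherits the repository default; an explicit job-level `permissions: contents: write` (presumably what pushing the report branch needs) keeps it at least privilege. For a security workflow the third-party actions (`SAP/fosstars-rating-core-action`, `slackapi/slack-github-action`) are better pinned to a full commit SHA than to a mutable tag. A short comment next to the scan command, e.g. `# gates only on CVSS >= 7 (medium findings are reported, not blocking); provided-scope deps are not scanned`, would make the `-DfailBuildOnCVSS=7 -DskipProvidedScope=true` policy explicit.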
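Review bot: The suppression for CVE-2021-41251 shows no justification or expiry on this page; the rendering strips XML tags, so a `<notes>` element may simply have been lost, but if it is absent add one explaining why the finding is a false positive for this project and use `<suppress until="YYYY-MM-DD">` so the exception is periodically re-evaluated instead of being permanent. Scope the entry to the affected artifact as well (a `<packageUrl regex="true">` or `<gav>` match alongside the `<cve>`), otherwise the same CVE stays hidden even if it later arrives through a different dependency.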