Merge branch 'main' into refactor/copyright-file-headers

SAP · Mar 27, 2024 · b7b978e · b7b978e
2 parents 97e1e12 + 74151d7
commit b7b978e
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 25 deletions.
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
@@ -7,8 +7,9 @@ on:
     branches: [ main ]
 
 env:
-  CVE_CACHE_DIR: ~/.m2/repository/org/owasp/dependency-check-data/**
-  CVE_CACHE_KEY: "cve-cache"
+  # keep the below two variables in sync with the ones in .github/workflows/update-vulnerability-database.yaml
+  CVE_CACHE_KEY: cve-db
+  CVE_CACHE_DIR: ~/.m2/repository/org/owasp/dependency-check-data
 
 jobs:
   build:
@@ -25,12 +26,13 @@ jobs:
         with:
           distribution: 'adopt'
           java-version: ${{ matrix.java-version }}
-      - name: Restore Vulnerabilities Database
-        id: restore-cve
+
+      - name: Restore CVE Database
         uses: actions/cache/restore@v4
         with:
-          key: ${{ env.CVE_CACHE_KEY }}
           path: ${{ env.CVE_CACHE_DIR }}
+          key: ${{ env.CVE_CACHE_KEY }}
+          fail-on-cache-miss: true
 
       - name: Build with Maven
         run: mvn clean install -Dgpg.skip --no-transfer-progress
@@ -40,10 +42,3 @@ jobs:
             echo -e "Following files need to be formatted: \n$(git diff --name-only)"
             exit 1
           fi
-
-      - name: Store Vulnerabilities Database
-        if: ${{ steps.restore-cve.outputs.cache-hit != 'true' }}
-        uses: actions/cache/save@v4
-        with:
-          path: ${{ env.CVE_CACHE_DIR }}
-          key: ${{ env.CVE_CACHE_KEY }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,8 +14,9 @@ on:
         default: minor
 
 env:
-  CVE_CACHE_DIR: ~/.m2/repository/org/owasp/dependency-check-data/9.0/**
-  CVE_CACHE_KEY: "cve-cache"
+  # keep the below two variables in sync with the ones in .github/workflows/update-vulnerability-database.yaml
+  CVE_CACHE_KEY: cve-db
+  CVE_CACHE_DIR: ~/.m2/repository/org/owasp/dependency-check-data
 
 jobs:
   release:
@@ -37,12 +38,13 @@ jobs:
         with:
           distribution: 'adopt'
           java-version: 8
-      - name: Restore Vulnerabilities Database
-        id: restore-cve
+
+      - name: Restore CVE Database
         uses: actions/cache/restore@v4
         with:
-          key: ${{ env.CVE_CACHE_KEY }}
           path: ${{ env.CVE_CACHE_DIR }}
+          key: ${{ env.CVE_CACHE_KEY }}
+          fail-on-cache-miss: true
 
       - name: Bump Version
         id: bump-version
@@ -53,13 +55,6 @@ jobs:
       - name: Build Project
         run: mvn clean install -P release -Dgpg.skip
 
-      - name: Store Vulnerabilities Database
-        if: ${{ steps.restore-cve.outputs.cache-hit != 'true' }}
-        uses: actions/cache/save@v4
-        with:
-          path: ${{ env.CVE_CACHE_DIR }}
-          key: ${{ env.CVE_CACHE_KEY }}
-
       - name: Commit Changes
         run: |
           git config --global user.email "[email protected]"

diff --git a/.github/workflows/update-vulnerability-database.yaml b/.github/workflows/update-vulnerability-database.yaml
@@ -0,0 +1,47 @@
+name: Update Vulnerability Database
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '17 5 * * *' # use a somewhat random time to avoid producing load spikes on the GH actions infrastructure
+
+env:
+  CVE_CACHE_REF: refs/heads/main
+  CVE_CACHE_KEY: cve-db
+  CVE_CACHE_DIR: ~/.m2/repository/org/owasp/dependency-check-data
+
+jobs:
+  update-vulnerability-database:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ env.CVE_CACHE_REF }}
+      - name: Restore Existing Cache
+        uses: actions/cache/restore@v4
+        with:
+          path: ${{ env.CVE_CACHE_DIR }}
+          key: ${{ env.CVE_CACHE_KEY }}
+
+      - name: Run Maven Plugin
+        run: |
+          mvn org.owasp:dependency-check-maven:update-only -DnvdMaxRetryCount=10 -DnvdApiDelay=15000 -DconnectionTimeout=60000
+
+      - name: Delete Cache
+        run: |
+          CACHE_IDS=$(gh cache list --key "${{ env.CVE_CACHE_KEY }}" --ref "${{ env.CVE_CACHE_REF }}" --json id | jq -r '.[] | .id')
+          for CACHE_ID in $CACHE_IDS; do
+              echo "Deleting cache with ID: $CACHE_ID"
+              gh cache delete "${CACHE_ID}"
+          done
+        env:
+          GH_TOKEN: ${{ secrets.CLOUD_SDK_AT_SAP_ALL_ACCESS_PAT }}
+
+      - name: Cache CVE Database
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ env.CVE_CACHE_DIR }}
+          key: ${{ env.CVE_CACHE_KEY }}
+
diff --git a/pom.xml b/pom.xml
@@ -55,6 +55,7 @@
         <maven.version>3.8</maven.version>
         <java.failOnWarning>true</java.failOnWarning>
         <skipTests>false</skipTests>
+        <updateCveDatabase>false</updateCveDatabase>
         <project.rootdir>${project.basedir}</project.rootdir>
         <project.build.resourceEncoding>UTF-8</project.build.resourceEncoding>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -249,6 +250,7 @@
                         <skipProvidedScope>true</skipProvidedScope>
                         <failBuildOnCVSS>7</failBuildOnCVSS>
                         <suppressionFile>.etc/suppression.xml</suppressionFile>
+                        <autoUpdate>${updateCveDatabase}</autoUpdate>
                     </configuration>
                 </plugin>
                 <plugin>
@@ -496,4 +498,4 @@
             </build>
         </profile>
     </profiles>
-</project>
+</project>