micronaut-projects · sdelamo · Jan 9, 2025 · Jan 8, 2025 · Jan 9, 2025 · Jan 9, 2025
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -30,6 +30,8 @@ jobs:
       PREDICTIVE_TEST_SELECTION: "${{ github.event_name == 'pull_request' && 'true' || 'false' }}"
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+      OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
     steps:
        # https://github.com/actions/virtual-environments/issues/709
       - name: "🗑 Free disk space"
@@ -58,6 +60,11 @@ jobs:
         run: |
           [ -f ./setup.sh ] && ./setup.sh || [ ! -f ./setup.sh ]
 
+      - name: "🚔 Sonatype Scan"
+        id: sonatypescan
+        run: |
+          ./gradlew ossIndexAudit --no-parallel --info
+
       - name: "🛠 Build with Gradle"
         id: gradle
         run: |

diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
@@ -9,4 +9,5 @@ repositories {
 
 dependencies {
     implementation (libs.gradle.micronaut)
+    implementation(libs.sonatype.scan)
 }
diff --git a/buildSrc/src/main/groovy/io.micronaut.build.internal.micrometer-module.gradle b/buildSrc/src/main/groovy/io.micronaut.build.internal.micrometer-module.gradle
@@ -4,8 +4,20 @@
 plugins {
     id 'io.micronaut.build.internal.micrometer-base'
     id 'io.micronaut.build.internal.module'
+    id("org.sonatype.gradle.plugins.scan")
+}
+String ossIndexUsername = System.getenv("OSS_INDEX_USERNAME") ?: project.properties["ossIndexUsername"]
+String ossIndexPassword = System.getenv("OSS_INDEX_PASSWORD") ?: project.properties["ossIndexPassword"]
+boolean sonatypePluginConfigured = ossIndexUsername != null && ossIndexPassword != null
+if (sonatypePluginConfigured) {
+    ossIndexAudit {
+        username = ossIndexUsername
+        password = ossIndexPassword
+        excludeCoordinates = [
+                "org.threeten:threetenbp:1.6.9", // no version patched https://ossindex.sonatype.org/component/pkg:maven/org.threeten/threetenbp
+        ]
+    }
 }
-
 
 dependencies {
     api libs.managed.micrometer.core

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -27,6 +27,7 @@ micronaut-reactor = '3.6.0'
 micronaut-serde = "2.13.0"
 micronaut-sql = "6.0.2"
 micronaut-validation = "4.8.0"
+sonatype-scan = "3.0.0"
 
 [libraries]
 # Core
@@ -83,3 +84,4 @@ reflections = { module = 'org.reflections:reflections', version.ref = 'reflectio
 
 jcache = { module = "javax.cache:cache-api", version.ref = "jcache" }
 gradle-micronaut = { module = "io.micronaut.gradle:micronaut-gradle-plugin", version.ref = "micronaut-gradle-plugin" }
+sonatype-scan = { module = "org.sonatype.gradle.plugins:scan-gradle-plugin", version.ref = "sonatype-scan" }
diff --git a/micrometer-registry-otlp/build.gradle b/micrometer-registry-otlp/build.gradle
@@ -4,11 +4,5 @@ plugins {
 
 dependencies {
     api libs.micrometer.registry.otlp
-}
-
-// disable binary compatibility for new module
-micronautBuild {
-    binaryCompatibility {
-        enabled.set(false)
-    }
+    implementation(mnGrpc.protobuf.java) // apply com.google.protobuf:protobuf-java directly because the version brought transitively contains a vulnerable version.
 }
diff --git a/micrometer-registry-stackdriver/build.gradle b/micrometer-registry-stackdriver/build.gradle
@@ -4,4 +4,5 @@ plugins {
 
 dependencies {
     api libs.micrometer.registry.stackdriver
+    implementation(mnGrpc.protobuf.java) // apply com.google.protobuf:protobuf-java directly because the version brought transitively contains a vulnerable version.
 }