
Add OWASP dependency check (#6978)

See comment in the github action that explains why I think this is
helpful:

> the benefit of this over dependabot is that this also analyzes
transitive dependencies
> while dependabot (at least currently) only analyzes top-level
dependencies
Trask Stalnaker 2 år sedan
förälder
incheckning
cd95517ddc

+ 31 - 0
.github/workflows/owasp-dependency-check-daily.yml

@@ -0,0 +1,31 @@
+# the benefit of this over dependabot is that this also analyzes transitive dependencies
+# while dependabot (at least currently) only analyzes top-level dependencies
+name: OWASP dependency check (daily)
+
+on:
+  schedule:
+    - cron: '30 1 * * *'
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Java 11
+        uses: actions/setup-java@v3
+        with:
+          distribution: temurin
+          java-version: 11
+
+      - uses: gradle/gradle-build-action@v2
+        with:
+          arguments: ":javaagent:dependencyCheckAnalyze"
+
+      - name: Upload report
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          path: javaagent/build/reports
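Review bot: The workflow declares no `permissions:` block, so the GITHUB_TOKEN handed to the job carries the repository's default scope even though the job only checks out code and uploads an artifact. Adding `permissions:` with `  contents: read` at the top level (after `name:`) limits what a compromised step or a malicious build script pulled in by a dependency could do with that token. The three actions are referenced by mutable major-version tags (`@v3`, `@v2`); pinning each to a commit SHA with a version comment is the usual supply-chain hardening and is worth considering for a job whose purpose is vetting dependencies. Separately, `actions/upload-artifact` has no `name:`, so the report is published under the default artifact name; a `name: dependency-check-report` line makes it easier to locate.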

+ 9 - 0
buildscripts/dependency-check-suppressions.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <!-- this suppresses opentelemetry instrumentation modules and artifacts which get misidentified
+         as real dependencies like dubbo and prometheus -->
+    <packageUrl regex="true">^pkg:maven/io\.opentelemetry[./].*</packageUrl>
+    <vulnerabilityName regex="true">^CVE-.*</vulnerabilityName>
+  </suppress>
+</suppressions>
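Review bot: The suppression pairs `^pkg:maven/io\.opentelemetry[./].*` with `^CVE-.*`, which hides every CVE reported against any io.opentelemetry artifact, not only the false positives the comment describes (instrumentation modules misidentified as dubbo, prometheus, and so on). If a vulnerability were ever published for an OpenTelemetry artifact itself, the daily check would stay green. A narrower rule keeps the same `packageUrl` but replaces the `vulnerabilityName` match with one `<cpe>` element per misidentified product, so only the wrong CPE matches are dropped; the report from a first run lists the CPEs involved. The `<suppress>` element also accepts an `until` date attribute, which forces a periodic re-review of broad suppressions such as this one.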

+ 1 - 0
conventions/build.gradle.kts

@@ -46,6 +46,7 @@ dependencies {
   implementation("org.ow2.asm:asm-tree:9.4")
   implementation("org.apache.httpcomponents:httpclient:4.5.13")
   implementation("org.gradle:test-retry-gradle-plugin:1.4.1")
+  implementation("org.owasp:dependency-check-gradle:7.3.0")
   implementation("ru.vyarus:gradle-animalsniffer-plugin:1.6.0")
   // When updating, also update dependencyManagement/build.gradle.kts
   implementation("net.bytebuddy:byte-buddy-gradle-plugin:1.12.18")

+ 7 - 0
conventions/src/main/kotlin/otel.java-conventions.gradle.kts

@@ -13,6 +13,7 @@ plugins {
 
   id("otel.errorprone-conventions")
   id("otel.spotless-conventions")
+  id("org.owasp.dependencycheck")
 }
 
 val otelJava = extensions.create<OtelJavaExtension>("otelJava")
@@ -355,6 +356,12 @@ checkstyle {
   maxWarnings = 0
 }
 
+dependencyCheck {
+  skipConfigurations = listOf("errorprone", "checkstyle", "annotationProcessor")
+  suppressionFile = "buildscripts/dependency-check-suppressions.xml"
+  failBuildOnCVSS = 7.0f // fail on high or critical CVE
+}
+
 idea {
   module {
     isDownloadJavadoc = false
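Review bot: `suppressionFile` is set as a bare relative path inside a convention plugin that is applied to every subproject, so it is worth confirming that the plugin resolves it against the root project rather than each subproject's directory; if it does not, a subproject run either applies no suppressions or fails on a missing file. `suppressionFile = rootProject.file("buildscripts/dependency-check-suppressions.xml").path` makes the intent explicit either way. The `failBuildOnCVSS = 7.0f` threshold means medium-severity findings never fail the job and appear only in the uploaded report, which is a reasonable policy but should be stated, e.g. `// fail on high or critical CVE; medium findings are report-only`. The `dependencyCheck` block and the earlier `id("org.owasp.dependencycheck")` hunk both sit in the same file, so the plugin is applied to every project that uses these conventions even though the workflow only invokes `:javaagent:dependencyCheckAnalyze`.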