Add OWASP dependency check (open-telemetry#6978)

See comment in the github action that explains why I think this is helpful: > the benefit of this over dependabot is that this also analyzes transitive dependencies > while dependabot (at least currently) only analyzes top-level dependencies
helios · Oct 31, 2022 · 0171fd4 · 0171fd4
1 parent 70242b0
commit 0171fd4
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 0 deletions.
diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml
@@ -0,0 +1,31 @@
+# the benefit of this over dependabot is that this also analyzes transitive dependencies
+# while dependabot (at least currently) only analyzes top-level dependencies
+name: OWASP dependency check (daily)
+
+on:
+  schedule:
+    - cron: '30 1 * * *'
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Java 11
+        uses: actions/setup-java@v3
+        with:
+          distribution: temurin
+          java-version: 11
+
+      - uses: gradle/gradle-build-action@v2
+        with:
+          arguments: ":javaagent:dependencyCheckAnalyze"
+
+      - name: Upload report
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          path: javaagent/build/reports
diff --git a/buildscripts/dependency-check-suppressions.xml b/buildscripts/dependency-check-suppressions.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <!-- this suppresses opentelemetry instrumentation modules and artifacts which get misidentified
+         as real dependencies like dubbo and prometheus -->
+    <packageUrl regex="true">^pkg:maven/io\.opentelemetry[./].*</packageUrl>
+    <vulnerabilityName regex="true">^CVE-.*</vulnerabilityName>
+  </suppress>
+</suppressions>
diff --git a/conventions/build.gradle.kts b/conventions/build.gradle.kts
@@ -46,6 +46,7 @@ dependencies {
   implementation("org.ow2.asm:asm-tree:9.4")
   implementation("org.apache.httpcomponents:httpclient:4.5.13")
   implementation("org.gradle:test-retry-gradle-plugin:1.4.1")
+  implementation("org.owasp:dependency-check-gradle:7.3.0")
   implementation("ru.vyarus:gradle-animalsniffer-plugin:1.6.0")
   // When updating, also update dependencyManagement/build.gradle.kts
   implementation("net.bytebuddy:byte-buddy-gradle-plugin:1.12.18")

diff --git a/conventions/src/main/kotlin/otel.java-conventions.gradle.kts b/conventions/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -13,6 +13,7 @@ plugins {
 
   id("otel.errorprone-conventions")
   id("otel.spotless-conventions")
+  id("org.owasp.dependencycheck")
 }
 
 val otelJava = extensions.create<OtelJavaExtension>("otelJava")
@@ -355,6 +356,12 @@ checkstyle {
   maxWarnings = 0
 }
 
+dependencyCheck {
+  skipConfigurations = listOf("errorprone", "checkstyle", "annotationProcessor")
+  suppressionFile = "buildscripts/dependency-check-suppressions.xml"
+  failBuildOnCVSS = 7.0f // fail on high or critical CVE
+}
+
 idea {
   module {
     isDownloadJavadoc = false