From 0171fd4be40e357672724771119a19ccd90673af Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Thu, 27 Oct 2022 19:21:38 -0700
Subject: [PATCH] Add OWASP dependency check (#6978)
See comment in the github action that explains why I think this is helpful:
> the benefit of this over dependabot is that this also analyzes transitive dependencies
> while dependabot (at least currently) only analyzes top-level dependencies
---
.../owasp-dependency-check-daily.yml | 31 +++++++++++++++++++
.../dependency-check-suppressions.xml | 9 ++++++
conventions/build.gradle.kts | 1 +
.../kotlin/otel.java-conventions.gradle.kts | 7 +++++
4 files changed, 48 insertions(+)
create mode 100644 .github/workflows/owasp-dependency-check-daily.yml
create mode 100644 buildscripts/dependency-check-suppressions.xml
diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml
new file mode 100644
index 000000000000..ef87eb271977
--- /dev/null
+++ b/.github/workflows/owasp-dependency-check-daily.yml
@@ -0,0 +1,31 @@
+# the benefit of this over dependabot is that this also analyzes transitive dependencies
+# while dependabot (at least currently) only analyzes top-level dependencies
+name: OWASP dependency check (daily)
+
+on:
+ schedule:
+ - cron: '30 1 * * *'
+ workflow_dispatch:
+
+jobs:
+ analyze:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Set up Java 11
+ uses: actions/setup-java@v3
+ with:
+ distribution: temurin
+ java-version: 11
+
+ - uses: gradle/gradle-build-action@v2
+ with:
+ arguments: ":javaagent:dependencyCheckAnalyze"
+
+ - name: Upload report
+ if: always()
+ uses: actions/upload-artifact@v3
+ with:
+ path: javaagent/build/reports
diff --git a/buildscripts/dependency-check-suppressions.xml b/buildscripts/dependency-check-suppressions.xml
new file mode 100644
index 000000000000..694a465537d7
--- /dev/null
+++ b/buildscripts/dependency-check-suppressions.xml
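Review bot: Every `uses:` in the new job is pinned to a mutable major tag (`actions/checkout@v3`, `actions/setup-java@v3`, `gradle/gradle-build-action@v2`, `actions/upload-artifact@v3`), so a re-pointed or compromised tag would run arbitrary code with this repository's token inside a workflow whose whole purpose is supply-chain hygiene; pin each step to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v3`. The job also declares no `permissions:` block, so it inherits whatever default `GITHUB_TOKEN` scope the repository is configured with, which may include write access; nothing visible here needs more than read, so add `permissions:` / `  contents: read` at the top level of the workflow (artifact upload works with that scope as far as I know). Both are one-line changes per step, so no rewrite is needed.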
@@ -0,0 +1,9 @@ + + + + ^pkg:maven/io\.opentelemetry[./].* + ^CVE-.* + +
diff --git a/conventions/build.gradle.kts b/conventions/build.gradle.kts
index 882ae4a4a866..bfddbd649d51 100644
--- a/conventions/build.gradle.kts
+++ b/conventions/build.gradle.kts
@@ -46,6 +46,7 @@ dependencies {
 implementation("org.ow2.asm:asm-tree:9.4")
 implementation("org.apache.httpcomponents:httpclient:4.5.13")
 implementation("org.gradle:test-retry-gradle-plugin:1.4.1")
+ implementation("org.owasp:dependency-check-gradle:7.3.0")
 implementation("ru.vyarus:gradle-animalsniffer-plugin:1.6.0")
 // When updating, also update dependencyManagement/build.gradle.kts
 implementation("net.bytebuddy:byte-buddy-gradle-plugin:1.12.18")
diff --git a/conventions/src/main/kotlin/otel.java-conventions.gradle.kts b/conventions/src/main/kotlin/otel.java-conventions.gradle.kts
index 64c5ccfc9cd9..c68c6795a619 100644
--- a/conventions/src/main/kotlin/otel.java-conventions.gradle.kts
+++ b/conventions/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -13,6 +13,7 @@ plugins {
 id("otel.errorprone-conventions")
 id("otel.spotless-conventions")
+ id("org.owasp.dependencycheck")
 }
 val otelJava = extensions.create("otelJava")
@@ -355,6 +356,12 @@ checkstyle {
 maxWarnings = 0
 }
+dependencyCheck {
+ skipConfigurations = listOf("errorprone", "checkstyle", "annotationProcessor")
+ suppressionFile = "buildscripts/dependency-check-suppressions.xml"
+ failBuildOnCVSS = 7.0f // fail on high or critical CVE
+}
+
 idea {
 module {
 isDownloadJavadoc = false
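Review bot: The visible suppression pairs the package regex `^pkg:maven/io\.opentelemetry[./].*` with the CVE regex `^CVE-.*`, which silences every advisory for every artifact whose groupId starts with `io.opentelemetry` — not only the artifacts this build publishes but also upstream ones it consumes (the `io.opentelemetry` API/SDK, any `io.opentelemetry.contrib` dependency), if those are on the javaagent's classpath as the regex suggests. A real CVE against one of them would then never trip `failBuildOnCVSS`, which defeats the reason for adding the scan. Narrowing the `packageUrl` regex to the groupIds this repository actually produces (presumably `io.opentelemetry.javaagent` and `io.opentelemetry.instrumentation` — confirm against the publishing config) and giving the `<suppress>` element an `until="..."` date so it gets revisited would keep the false-positive suppression without the blind spot. The markup of this file was lost in extraction, so I cannot tell whether an `until` attribute or a `<notes>` explaining the suppression is already present.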
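Review bot: `suppressionFile = "buildscripts/dependency-check-suppressions.xml"` is a bare relative path inside a convention plugin that is applied to every subproject, while the workflow invokes the task as `:javaagent:dependencyCheckAnalyze`; nothing in this hunk establishes whether the dependency-check plugin resolves that string against the root project, the subproject directory or the daemon's working directory, and if it resolves against the wrong one the analysis either errors out on a missing file or runs without the suppressions and fails on exactly the self-referencing matches the file exists to silence. Anchoring it explicitly removes the ambiguity: `suppressionFile = rootProject.file("buildscripts/dependency-check-suppressions.xml").absolutePath`. I would also extend the comment on `failBuildOnCVSS = 7.0f` to say that medium-severity findings (CVSS 4.0–6.9) still appear in the uploaded report but never fail the job, e.g. `// fail on high or critical CVE; medium findings only show up in the uploaded report`, so a reader knows the artifact needs a human look.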