From 6fc12bb1c346094b32d5d6aa1443a8e0536edc09 Mon Sep 17 00:00:00 2001
From: Ben Manes
Date: Sat, 28 Jan 2023 13:58:38 -0800
Subject: [PATCH] upgrade dependency-check (vulnerability scanner)
---
 .github/workflows/codacy.yml | 7 ++++++-
 .github/workflows/dependency-check.yml | 7 ++++++-
 .github/workflows/semgrep.yml | 8 ++++++--
 .github/workflows/{snyke.yml => snyk.yml} | 20 +++++++++++++++-----
 build.gradle | 12 +++++++++++-
 gradle/dependencies.gradle | 17 +++++++++--------
 gradle/wrapper/gradle-wrapper.properties | 2 +-
 7 files changed, 54 insertions(+), 19 deletions(-)
 rename .github/workflows/{snyke.yml => snyk.yml} (69%)
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
index 3a5380d56d..3a1859dc76 100644
--- a/.github/workflows/codacy.yml
+++ b/.github/workflows/codacy.yml
@@ -25,8 +25,13 @@ jobs:
 output: results.sarif
 gh-code-scanning-compat: true
 max-allowed-issues: 2147483647
+ - name: Check file existence
+ id: check_files
+ uses: andstor/file-existence-action@v2
+ with:
+ files: results.sarif
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v2
- continue-on-error: true
+ if: steps.check_files.outputs.files_exists == 'true'
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
index b95367a468..ff7af54eab 100644
--- a/.github/workflows/dependency-check.yml
+++ b/.github/workflows/dependency-check.yml
@@ -30,8 +30,13 @@ jobs:
 with:
 java: ${{ env.JAVA_VERSION }}
 arguments: dependencyCheckAggregate
+ - name: Check file existence
+ id: check_files
+ uses: andstor/file-existence-action@v2
+ with:
+ files: build/reports/dependency-check-report.sarif
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v2
- continue-on-error: true
+ if: steps.check_files.outputs.files_exists == 'true'
 with:
 sarif_file: build/reports/dependency-check-report.sarif
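Review bot: The new `Check file existence` step pulls in a third-party action, `andstor/file-existence-action@v2`, pinned only by a mutable major tag, to answer a question the runner's own expression language already answers. `hashFiles` yields an empty string when nothing matches, so `if: hashFiles('results.sarif') != ''` on the upload step gives the same gate with no new supply-chain dependency and one step fewer. If the action is kept, pin it to a full commit SHA, consistent with the harden-runner step visible in the snyk workflow of this same commit. The enclosing job starts before the hunk.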
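Review bot: Gating the upload on the report's existence means a run of `dependencyCheckAggregate` that produced no `build/reports/dependency-check-report.sarif` now ends the job green with nothing uploaded, which for a vulnerability scanner is the failure mode that should be loud; the previous `continue-on-error: true` was just as quiet, so the commit does not make this worse, but this is the moment to fix it. Unless an absent report is expected on some triggers (forks, for instance, in which case say so in a comment), add a step after the check with `if: steps.check_files.outputs.files_exists != 'true'` and `run: echo 'dependency-check produced no SARIF report' && exit 1`, or replace the third-party action with `if: hashFiles('build/reports/dependency-check-report.sarif') != ''` on the upload and keep a failing step for the missing-file case. The step that runs the scan starts before the hunk.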
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 6ba9c01a22..6799eac1a2 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -29,9 +29,13 @@ jobs:
 p/github-actions
 p/semgrep-rule-lints
 p/semgrep-misconfigurations
+ - name: Check file existence
+ id: check_files
+ uses: andstor/file-existence-action@v2
+ with:
+ files: semgrep.sarif
 - name: Upload SARIF file for GitHub Advanced Security Dashboard
 uses: github/codeql-action/upload-sarif@v2
- continue-on-error: true
+ if: steps.check_files.outputs.files_exists == 'true'
 with:
 sarif_file: semgrep.sarif
- if: always()
diff --git a/.github/workflows/snyke.yml b/.github/workflows/snyk.yml
similarity index 69%
rename from .github/workflows/snyke.yml
rename to .github/workflows/snyk.yml
index d9e58f1642..fec88acfa5 100644
--- a/.github/workflows/snyke.yml
+++ b/.github/workflows/snyk.yml
@@ -1,4 +1,4 @@
-name: snyke
+name: snyk
 on:
 push:
 branches: [master, v2.dev, v3.dev]
@@ -10,7 +10,7 @@ env:
 JAVA_VERSION: 19
 jobs:
- snyke:
+ snyk:
 runs-on: ubuntu-latest
 permissions:
 actions: read
@@ -25,15 +25,25 @@ jobs:
 disable-sudo: true
 egress-policy: audit
 - uses: actions/checkout@v3
+ - name: Downgrade Gradle (snyk-gradle-plugin/issues/252)
+ uses: ./.github/actions/run-gradle
+ with:
+ java: ${{ env.JAVA_VERSION }}
+ arguments: wrapper --gradle-version 7.6
 - name: Run Snyk test
 uses: ./.github/actions/run-gradle
 continue-on-error: true
 with:
 java: ${{ env.JAVA_VERSION }}
- arguments: snyk-test -PsnykArgs="--sarif-file-output=snyk.sarif"
+ arguments: snyk-test -PsnykArgs="--sarif-file-output=snyk.sarif" --no-configuration-cache
+ - name: Check file existence
+ id: check_files
+ uses: andstor/file-existence-action@v2
+ with:
+ files: snyk.sarif
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v2
- continue-on-error: true
+ if: steps.check_files.outputs.files_exists == 'true'
 with:
 sarif_file: snyk.sarif
 - name: Run Snyk monitor
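Review bot: Dropping `if: always()` from the upload step changes when the SARIF reaches code scanning: the upload now also requires every earlier step to have succeeded, so if the semgrep step exits non-zero on findings the results file exists but is never uploaded, the opposite of what a scanner-to-dashboard pipeline wants. Whether the semgrep step carries `continue-on-error` is outside the hunk; if it does not, keep the always-run semantics on both new steps with `if: always()` on the existence check and `if: always() && steps.check_files.outputs.files_exists == 'true'` on the upload. The same `hashFiles('semgrep.sarif') != ''` expression would make the third-party existence action unnecessary.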
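Review bot: The `Downgrade Gradle` step runs `wrapper --gradle-version 7.6` without `--gradle-distribution-sha256-sum`, so the regenerated `gradle-wrapper.properties` carries no `distributionSha256Sum` and the 7.6 distribution is fetched and executed in CI on TLS alone, in a job whose harden-runner is only in `egress-policy: audit`. Pass the published checksum for the distribution, `arguments: wrapper --gradle-version 7.6 --gradle-distribution-sha256-sum <sha256 of gradle-7.6-bin.zip>`, so the downgrade is verified the same way the checked-in wrapper should be. A comment on the step saying this is a temporary workaround to be removed when the linked snyk-gradle-plugin issue is fixed would keep the downgrade from outliving its reason.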
@@ -41,4 +51,4 @@ jobs:
 continue-on-error: true
 with:
 java: ${{ env.JAVA_VERSION }}
- arguments: snyk-monitor
+ arguments: snyk-monitor --no-configuration-cache
diff --git a/build.gradle b/build.gradle
index 8cf75b0cf3..f4a01efbdc 100644
--- a/build.gradle
+++ b/build.gradle
@@ -144,7 +144,9 @@ tasks.named('dependencyUpdates').configure {
 }
 dependencyCheck {
- formats = ['html', 'sarif']
+ formats = ['html', 'sarif']*.toUpperCase()
+ scanBuildEnv = true
+ failOnError = false
 }
 dependencyCheckAggregate.dependsOn(subprojects*.tasks.jar)
@@ -154,3 +156,11 @@ snyk {
 autoDownload = true
 autoUpdate = true
 }
+tasks.named('snyk-test').configure {
+ notCompatibleWithConfigurationCache(
+ 'The snyk-test task is not compatible with the configuration cache')
+}
+tasks.named('snyk-monitor').configure {
+ notCompatibleWithConfigurationCache(
+ 'The snyk-monitor task is not compatible with the configuration cache')
+}
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 1fef047552..ff5d9f27e0 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -37,7 +37,7 @@ ext {
 config: '1.4.2',
 ehcache3: '3.10.8',
 errorprone: '2.18.0',
- errorproneSupport: '0.7.0',
+ errorproneSupport: '0.8.0',
 expiringMap: '0.5.10',
 fastfilter: '1.0.2',
 fastutil: '8.5.11',
@@ -45,7 +45,7 @@ ext {
 googleJavaFormat: '1.15.0',
 guava: '31.1-jre',
 hazelcast: '5.2.1',
- jackrabbit: '1.46.0',
+ jackrabbit: '1.48.0',
 jamm: '0.3.3',
 javaObjectLayout: '0.16',
 javapoet: '1.13.0',
@@ -57,7 +57,7 @@ ext {
 nullaway: '0.10.8',
 ohc: '0.6.1',
 osgiComponentAnnotations: '1.5.1',
- picocli: '4.7.0',
+ picocli: '4.7.1',
 slf4j: '2.0.6',
 tcache: '2.0.1',
 stream: '2.9.8',
@@ -71,7 +71,7 @@ ext {
 commonsCollectionsTests: '4.4',
 eclipseCollections: '11.1.0',
 felix: '7.0.5',
- felixScr: '2.2.4',
+ felixScr: '2.2.6',
 guice: '5.1.0',
 hamcrest: '2.2',
 jcacheTck: '1.1.1',
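Review bot: `failOnError = false` in the `dependencyCheck { }` block tells the plugin to keep going when an analyzer throws, which as I read the option includes a failed vulnerability-data update; the scan then completes against stale or partial data, the build stays green, and the SARIF is still uploaded, so the setting trades a loud failure for a silent false negative. If the motivation is flakiness of the data download (the commit records no reason), state it above the line, e.g. `// Keep the build green on analyzer/data-update errors; transient feed outages were breaking CI. The report may then rest on stale data.`, so the next maintainer knows the trade-off was deliberate. The `dependencyCheck { }` block is fully inside the hunk.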
@@ -92,7 +92,7 @@ ext {
 bnd: '6.4.0',
 checkstyle: '10.6.0',
 coveralls: '2.12.0',
- dependencyCheck: '7.4.4',
+ dependencyCheck: '8.0.2',
 errorprone: '3.0.1',
 findsecbugs: '1.12.0',
 forbiddenApis: '3.4',
@@ -101,9 +101,9 @@ ext {
 jmhReport: '0.9.0',
 nexusPublish: '1.1.0',
 nullaway: '1.5.0',
- pmd: '6.53.0',
+ pmd: '6.54.0',
 semanticVersioning: '1.1.0',
- snyke: '0.4',
+ snyk: '0.4',
 sonarqube: '3.5.0.2730',
 spotbugs: '4.7.3',
 spotbugsContrib: '7.4.7',
@@ -239,7 +239,7 @@ ext {
 nullaway: "net.ltgt.gradle:gradle-nullaway-plugin:${pluginVersions.nullaway}",
 pmd: "net.sourceforge.pmd:pmd:${pluginVersions.pmd}",
 semanticVersioning: "io.ehdev:gradle-semantic-versioning:${pluginVersions.semanticVersioning}",
- snyke: "gradle.plugin.io.snyk.gradle.plugin:snyk:${pluginVersions.snyke}",
+ snyk: "gradle.plugin.io.snyk.gradle.plugin:snyk:${pluginVersions.snyk}",
 sonarqube: "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:${pluginVersions.sonarqube}",
 spotbugs: "com.github.spotbugs:spotbugs:${pluginVersions.spotbugs}",
 spotbugsContrib: "com.mebigfatguy.sb-contrib:sb-contrib:${pluginVersions.spotbugsContrib}",
@@ -261,6 +261,7 @@ ext {
 'com.fasterxml.jackson:jackson-bom': '2.14.1',
 'com.google.protobuf:protobuf-java': '3.21.8',
 'com.thoughtworks.xstream:xstream': '1.4.20',
+ 'net.sourceforge.nekohtml:nekohtml': '1.9.22',
 'org.apache.bcel:bcel': '6.6.1',
 'org.apache.commons:commons-text': '1.10.0',
 'org.apache.httpcomponents:httpclient': '4.5.13',
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index a56b1052a0..a946bb4c5f 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,4 +1,4 @@
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.0-rc-1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.0-rc-2-bin.zip
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
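Review bot: The new `'net.sourceforge.nekohtml:nekohtml': '1.9.22'` entry sits among forced versions for transitive dependencies and, given the commit subject, presumably exists to satisfy the upgraded scanner, but the hunk gives no reason, and unexplained pins like this are routinely dropped when someone later trims the list and the vulnerable transitive quietly returns. Add a comment naming what it overrides and why, e.g. `// forced transitive version; retire once the direct dependency pulls in a fixed release`, and cite the advisory if one prompted it. The enclosing `ext { }` block starts and ends outside the hunk.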