Merge pull request #720 from catenax-ng/chore/TRACEFOSS-XXX-fix-depen…

…dency-checks-findings chore: TRACEFOSS-XXX add dependency check badge
eclipse-tractusx · Nov 3, 2023 · 1dbdbdc · 1dbdbdc
2 parents d63951d + 900e9e9
commit 1dbdbdc
Show file tree

Hide file tree

Showing 6 changed files with 91 additions and 6 deletions.
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
@@ -67,3 +67,11 @@ jobs:
             ## ‼️ Dependency Check findings ‼️
             One or more high/critical findings have been found during dependency check. Please check the depenency report:
             https://github.com/catenax-ng/tx-traceability-foss/actions/runs/${{ github.run_id }}
+
+      - name: add PR comment
+        uses: mshick/add-pr-comment@v2
+        if: success()
+        with:
+          message: |
+            ## ✅ No Dependency Check findings were found
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,8 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 - handling for invalid LocalDate string provided in filterCriteria for date related filtering
 - support for filtering join tables for Specification searchCriteria
 - added PR comment in case of HIGH/CRITICAL dependency check findings
+- Functionality to indicate that no Dependency Check findings occur in a PR
+- Badge to show successful Dependency Check status
 
 ### Changed
 - Updated user manual to reflect the table column settings feature
@@ -42,6 +44,7 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 - changed assetAsBuilt filtering manufacturerId to businessPartner
 - IRS-Client-Lib from 1.2.1-SNAPSHOT to 1.4.0
 - Decoupled dependency check in a separate GitHub action
+- Mitigated Dependency Check findings
 
 ### Removed
 - Removed &filterOperator=AND from filtering requests

diff --git a/README.md b/README.md
@@ -8,6 +8,7 @@
 [![VeraCode Backend](https://github.com/eclipse-tractusx/traceability-foss/actions/workflows/veracode_backend.yml/badge.svg)](https://github.com/eclipse-tractusx/traceability-foss/actions/workflows/veracode_backend.yml)
 [![VeraCode Frontend](https://github.com/eclipse-tractusx/traceability-foss/actions/workflows/veracode_frontend.yml/badge.svg)](https://github.com/eclipse-tractusx/traceability-foss/actions/workflows/veracode_frontend.yml)
 [![Eclipse DASH IP Check](https://github.com/eclipse-tractusx/traceability-foss/actions/workflows/eclipse-dash.yml/badge.svg)](https://github.com/eclipse-tractusx/traceability-foss/actions/workflows/eclipse-dash.yml)
+[![[BE] Dependency check](https://github.com/catenax-ng/tx-traceability-foss/actions/workflows/dependency-check.yml/badge.svg)](https://github.com/catenax-ng/tx-traceability-foss/actions/workflows/dependency-check.yml)
 
 ## Trace-X is a system for tracking parts along the supply chain.
 #### A high level of transparency across the supplier network enables faster intervention based on a recorded event in the supply chain. This saves costs by seamlessly tracking parts and creates trust through clearly defined and secure data access by the companies and persons involved in the process.

diff --git a/dependency_check/suppressions.xml b/dependency_check/suppressions.xml
@@ -39,4 +39,43 @@ SPDX-License-Identifier: Apache-2.0
         <sha1>91e1628251cf3ca90093ce9d0fe67e5b7dab3850</sha1>
         <cve>CVE-2023-33201</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: jetty*
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty.*@.*$</packageUrl>
+        <cve>CVE-2023-36478</cve>
+        <cve>CVE-2023-44487</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: jetty-core-0.1.3.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.eclipse\.edc/jetty\-core@.*$</packageUrl>
+        <cve>CVE-2017-7657</cve>
+        <cve>CVE-2017-7658</cve>
+        <cve>CVE-2009-5045</cve>
+        <cve>CVE-2009-5045</cve>
+        <cve>CVE-2017-7656</cve>
+        <cve>CVE-2017-9735</cve>
+        <cve>CVE-2022-2048</cve>
+        <cve>CVE-2023-44487</cve>
+    </suppress>
+
+    <suppress>
+        <notes><![CDATA[
+   file name: jetty-jakarta-websocket-api-2.0.0.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-jakarta\-websocket\-api@.*$
+        </packageUrl>
+        <cve>CVE-2017-7657</cve>
+        <cve>CVE-2017-7658</cve>
+        <cve>CVE-2009-5045</cve>
+        <cve>CVE-2017-7656</cve>
+        <cve>CVE-2017-9735</cve>
+        <cve>CVE-2022-2048</cve>
+        <cve>CVE-2020-27216</cve>
+    </suppress>
+
+
 </suppressions>
diff --git a/tx-backend/pom.xml b/tx-backend/pom.xml
@@ -171,6 +171,26 @@ SPDX-License-Identifier: Apache-2.0
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.tomcat.embed</groupId>
+                    <artifactId>tomcat-embed-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat.embed</groupId>
+                    <artifactId>tomcat-embed-websocket</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-core</artifactId>
+            <version>10.1.15</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-websocket</artifactId>
+            <version>10.1.15</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.cloud</groupId>
@@ -402,12 +422,6 @@ SPDX-License-Identifier: Apache-2.0
             <version>1.1.0</version>
             <scope>test</scope>
         </dependency>
-        <!-- Fixes CVE-2023-36478  https://github.com/catenax-ng/tx-traceability-foss/security/code-scanning/6770-->
-        <dependency>
-            <groupId>org.eclipse.jetty</groupId>
-            <artifactId>jetty-http</artifactId>
-            <version>11.0.17</version>
-        </dependency>
     </dependencies>
 
     <pluginRepositories>

diff --git a/tx-models/pom.xml b/tx-models/pom.xml
@@ -52,6 +52,26 @@ SPDX-License-Identifier: Apache-2.0
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.tomcat.embed</groupId>
+                    <artifactId>tomcat-embed-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat.embed</groupId>
+                    <artifactId>tomcat-embed-websocket</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-core</artifactId>
+            <version>10.1.15</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-websocket</artifactId>
+            <version>10.1.15</version>
         </dependency>
 
         <dependency>