Add owasp dependency check action

quarkusio · Mar 8, 2023 · dd11330 · dd11330
1 parent 2f927eb
commit dd11330
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 27 deletions.
diff --git a/.github/workflows/owasp-check.yml b/.github/workflows/owasp-check.yml
@@ -0,0 +1,35 @@
+name: "OWASP Dependency Check"
+
+on:
+
+  schedule:
+    - cron: '0 3 * * 0'
+
+jobs:
+  owasp:
+    name: OWASP Dependency Check Report
+    runs-on: ubuntu-latest
+    if: github.repository == 'quarkusio/quarkus'
+
+    strategy:
+      fail-fast: false
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 1
+        ref: main
+    - name: Setup Java JDK
+      uses: actions/setup-java@v3
+      with:
+        distribution: temurin
+        java-version: 11
+
+
+    - name: Build Java
+      run: ./mvnw -B --settings .github/mvn-settings.xml -Dquickly-ci install
+
+    - name: Perform OWASP Dependency Check Report
+      run: ./mvnw -Dowasp-report
+
diff --git a/build-parent/pom.xml b/build-parent/pom.xml
@@ -175,8 +175,6 @@
 
         <!-- google cloud functions invoker-->
         <gcf-invoker.version>1.1.1</gcf-invoker.version>
-        <owasp-dependency-check-plugin.version>8.1.2</owasp-dependency-check-plugin.version>
-
         <!-- Jakarta JMS API -->
         <jakarta.jms-api.version>3.1.0</jakarta.jms-api.version>
     </properties>
@@ -713,18 +711,6 @@
                         </execution>
                     </executions>
                 </plugin>
-                <plugin>
-                    <groupId>org.owasp</groupId>
-                    <artifactId>dependency-check-maven</artifactId>
-                    <version>${owasp-dependency-check-plugin.version}</version>
-                    <configuration>
-                        <!-- Disable Net Analyzer -->
-                        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
-                        <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
-                        <nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
-                        <retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled>
-                    </configuration>
-                </plugin>
             </plugins>
         </pluginManagement>
     </build>
@@ -1241,17 +1227,6 @@
                 </plugins>
             </build>
         </profile>
-        <profile>
-            <id>owasp-check</id>
-            <activation>
-                <property>
-                    <name>owasp-check</name>
-                </property>
-            </activation>
-            <build>
-                <defaultGoal>dependency-check:check</defaultGoal>
-            </build>
-        </profile>
         <profile>
             <id>Windows</id>
             <activation>

diff --git a/pom.xml b/pom.xml
@@ -55,7 +55,7 @@
         <maven.compiler.source>11</maven.compiler.source>
         <maven.compiler.release>11</maven.compiler.release>
         <maven.compiler.parameters>true</maven.compiler.parameters>
-
+        
         <graalvmHome>${env.GRAALVM_HOME}</graalvmHome>
         <postgres.url>jdbc:postgresql:hibernate_orm_test</postgres.url>
 
@@ -66,6 +66,8 @@
         <skipDocs>false</skipDocs>
         <skip.gradle.tests>false</skip.gradle.tests>
 
+        <owasp-dependency-check-plugin.version>8.1.2</owasp-dependency-check-plugin.version>
+
         <!-- Dependency versions -->
         <jacoco.version>0.8.8</jacoco.version>
         <kubernetes-client.version>6.4.1</kubernetes-client.version> <!-- Please check with Java Operator SDK team before updating -->
@@ -149,6 +151,18 @@
                     <artifactId>quarkus-platform-bom-maven-plugin</artifactId>
                     <version>${quarkus-platform-bom-plugin.version}</version>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>${owasp-dependency-check-plugin.version}</version>
+                    <configuration>
+                        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+                        <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
+                        <nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
+                        <retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled>
+                        <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
+                    </configuration>
+                </plugin>
             </plugins>
         </pluginManagement>
         <extensions>
@@ -354,6 +368,27 @@
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <id>owasp-check</id>
+            <activation>
+                <property>
+                    <name>owasp-check</name>
+                </property>
+            </activation>
+            <build>
+                <defaultGoal>org.owasp:dependency-check-maven:check</defaultGoal>
+            </build>
+        </profile>
+        <profile>
+            <id>owasp-report</id>
+            <activation>
+                <property>
+                    <name>owasp-report</name>
+                </property>
+            </activation>
+            <build>
+                <defaultGoal>org.owasp:dependency-check-maven:aggregate</defaultGoal>
+            </build>
+        </profile>
     </profiles>
-
 </project>