Add owasp dependency check action

[sberyozkin]

I'm not 100% sure it is correct since I've never done github actions before, I just copied the codeql one and modified.

Also, I'm not sure if, instead of doing a check goal it would be better to have

    <reporting>
        ...
        <plugins>
            ...
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>8.1.2</version>
                <reportSets>
                    <reportSet>
                        <reports>
                            <report>aggregate</report>
                        </reports>
                    </reportSet>
                </reportSets>
            </plugin>
            ...
        </plugins>
        ...
    </reporting>

[sberyozkin]

I'll probably need to tune it in a few iterations to get the best format, unfortunately it is not run as part of the PR which brings it

[sberyozkin]

@gsmet @aloubyansky Hi, I've experimented quite a lot with running an aggregate report with and without <reporting> and it looks like to be the best option is simply run mvn -Dowasp-report which will run dependency-check:aggregate, avoiding mvn site required for reporting altogether as mvn site, depending on whether it is run in the root or in the extensions directories, can ignore a selective report configuration and just will do 15 of them.

mvn -Dowasp-report is quite fast, creates a single HTML report in quarkus-root-dir/target. This might work well for RHBQ as well avoiding various Snyk issues. As far as the github action is concerned, I'm not sure yet how this quarkus-root-dir/target will be accessible, I guess one way or another it will be possible to make it easily accessible from the action result page, I'll just need to experiment with it, and in meantime both mvn -Dowasp-report and mvn -Dowasp-check can be run directly anyway.

FYI, the difference between mvn -Dowasp-report and mvn -Dowasp-check is that the former won't be building the reports in every subdirectory.

I'll open for review tomorrow once Guillaume does the alpha 5 release

[gsmet]

@sberyozkin getting there... I had a look at the CI and what bugs me is that we won't have any report if something's failing. Should we include it in the usual reporting?

I'm also not sure if something is failing if there is a security problem or if it's just a report?

[sberyozkin]

Hi @gsmet, apologies, seeing your comment only now.

I had a look at the CI and what bugs me is that we won't have any report if something's failing. Should we include it in the usual reporting?

and

I'm also not sure if something is failing if there is a security problem or if it's just a report?

I'm not sure I understand the questions, I think I might be partially, OK, so right now, the only output of this action is an HTML report in quarkus-root-dir/target - I don't know how to have it reported similarly to how it is done for CodeQL. I've been hoping I can just somehow access that HTML report in quarkus-root-dir/target and that would suffice to start with. Is it what you are concerned about, there is no obvious way to access the results ?

The other thing is that it is not expected to fail, it is possible to configure it to fail when it sees the first CVE of some category, but I believe it is simpler to get the HTML report in quarkus-root-dir/target and then look at it and check what public CVEs are reported against various extensions.

So right now, the main challenge, as I see it, is to get an access to the HTML report in quarkus-root-dir/target once the action is complete, either somehow directly to start with, or have this HTML report page shown in the action page somehow.

What do you think ?

[jmartisk]

Could we simply attach the report using the upload-artifact action?

    - uses: actions/upload-artifact@v3
      with:
        name: owasp-report
        path: target/dependency-check-report.html

Potentially we could also figure out how to send it via email to interested people?

I would also, for better troubleshooting, add the workflow_dispatch trigger to the workflow so we can trigger it manually if needed.

[jmartisk]

Uhm, the HTML report is 20 megabytes big, so it's probably not a good idea to receive it by email every day. We probably should thus also decrease the retention period (default is 90 days):

    - uses: actions/upload-artifact@v3
      with:
        name: owasp-report
        path: target/dependency-check-report.html
        retention-days: 5

[jmartisk]

If we get the report published daily in the workflow's artifacts, then the responsible engineer(s) would just have to open it and skim through it once every few days

[sberyozkin]

Hey @jmartisk Thanks, that was was missing, an upload artifact step, thanks

Uhm, the HTML report is 20 megabytes big, so it's probably not a good idea to receive it by email every day.

I agree, uploading it shoul be enough, though I guess what we can send, is a link, but then the question of managing emails, with all the GDPR angle, would make it tricky.
Also, we can review and decide if we want some extensions (or libraries) skipped, not sure how to configure the plugin, but some related tuning should be possible

If we get the report published daily in the workflow's artifacts,

May be we can try say every 3 days ?

then the responsible engineer(s) would just have to open it and skim through it once every few days

Sure, that would be the plan, myself, two of us, can look at it periodically

[jmartisk]

Yeah let's make it run, say, on Sunday, Tuesday, Thursday, or something like that :)

[sberyozkin]

@jmartisk How about Sunday, Wednesday end of the day (0 0 * * 0,3), twice per week, in order to keep the system stress to the minimum and then, with your update, a Friday run can be triggered manually, when running closer to one of Final releases ?

[jmartisk]

Sure, works for me

[sberyozkin]

It should be ready for review now, I can open tomorrow

[sberyozkin]

Hi @gsmet @aloubyansky, I think/hope, after @jmartisk review that it can prove to be practically useful, now that the HTML reports will be uploaded, we can continue tuning things like the action frequency (twice per week now), retention period of the uploaded reports, etc.
Have a look please if you have something else to add, it would be good to get it into 3.1.0 and work with it in the run to 3.2.0

[aloubyansky]

Is it necessary to have it configured in the root pom and here?

[sberyozkin]

Hi @aloubyansky, sorry, missed your ping, OK, right now on main, one can only run the check from the individual extensions which won't work with the action, but I can see I can run it from the extensions folder, which I believe would require setting a working-directory property to point to extensions - but I'm not sure it will be equivalent to running it from the root folder, let me experiment a bit later on and I'll get back to you with the update, thanks

[sberyozkin]

Hi Alexey @aloubyansky Sorry for a delay, I just run, on this branch, mvn -Dowasp-report in the root (not possible if the root pom does not have it configured) and in extensions (which is possible on main, for -Dowasp-check for now).
The dependency-check.html is 20 MB if created in the root, and 13 MB if created in extensions.
I think it makes sense to run from the root as it can check more dependencies, for dev tools, etc...
Do you agree ?
Thanks

[aloubyansky]

Sure, my question was about the reason why the config is duplicated. If you configure it in the pluginManagement of the root POM then here you could remove the version and the configuration element.

[sberyozkin]

@aloubyansky Oh sorry, see what you mean, totally misunderstood your question :-), I'll have a look to clean it up, thanks

[sberyozkin]

Hi @aloubyansky I removed the owasp plugin section from the build parent pom, hopefully I did it correctly, thanks.

[quarkus-bot]

Failing Jobs - Building 9ae0d45

Status	Name	Step	Failures	Logs	Raw logs
✔️	JVM Tests - JDK 11
✖	JVM Tests - JDK 17	Build	Failures	Logs	Raw logs
✔️	JVM Tests - JDK 19

Failures

⚙️ JVM Tests - JDK 17 #

- Failing: integration-tests/kafka-oauth-keycloak 

📦 integration-tests/kafka-oauth-keycloak

✖ Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0:test (default-test) on project quarkus-integration-test-kafka-oauth-keycloak: There was a timeout in the fork

[jmartisk]

I think this is ready to go, isn't it? @sberyozkin @aloubyansky

[sberyozkin]

Thanks @aloubyansky @jmartisk @gsmet

Hopefully it will prove useful and we can optimize the action to minimize some noise in the report, etc