chore : update dependency-check to use latest (#4731) (CP:23.4) (#4791)

* chore : update dependency-check to use latest (#4731) * chore: update dependency-check to use 9.0.0 * Update sbom.yml * Update generateAndCheckSBOM.js --------- Co-authored-by: Manuel Carrasco Moñino <[email protected]> * resolve conflict --------- Co-authored-by: Manuel Carrasco Moñino <[email protected]>
vaadin · Dec 7, 2023 · 2bcf905 · 2bcf905
1 parent 064a091
commit 2bcf905
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -1,7 +1,7 @@
 name: SBOM
 on:
   push:
-    branches: ["master", "24.0", "23.3"]
+    branches: ["master", "24.0", "23.4"]
   pull_request:
     types: [opened, synchronize, reopened, edited]
     paths: ["versions.json", "**/pom.xml", ".github/workflows/sbom.yml", "scripts/generateAndCheckSBOM.js", "scripts/generator/templates/*.xml"]
@@ -75,12 +75,12 @@ jobs:
           sudo dpkg -i bomber_0.4.7_linux_amd64.deb
         name: Install bomber-0.4.7
       - run: |
-          # Install dependency-check-8.2.2
+          # Install dependency-check-9.0.2
           cd /tmp
-          wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v8.2.1/dependency-check-8.2.1-release.zip
-          unzip dependency-check-8.2.1-release.zip
+          wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v9.0.2/dependency-check-9.0.2-release.zip
+          unzip dependency-check-9.0.2-release.zip
           sudo ln -s /tmp/dependency-check/bin/dependency-check.sh /usr/bin/dependency-check
-        name: Install dependency-check-8.2.1
+        name: Install dependency-check-9.0.2
       - run: |
           mkdir -p ~/.vaadin/
           echo '{"username":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f1`'","proKey":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f2`'"}' > ~/.vaadin/proKey
@@ -100,6 +100,7 @@ jobs:
         env:
          OSSINDEX_USER: ${{secrets.OSSINDEX_USER}}
          OSSINDEX_TOKEN: ${{secrets.OSSINDEX_TOKEN}}
+         NVD_API_KEY: ${{secrets.NVD_API_KEY}}
       - if: ${{always() && env.DEPENDENCIES_REPORT && github.event.pull_request}}
         uses: thollander/actions-comment-pull-request@v2
         with:

diff --git a/scripts/generateAndCheckSBOM.js b/scripts/generateAndCheckSBOM.js
@@ -512,7 +512,7 @@ async function main() {
     // https://github.com/jeremylong/DependencyCheck/issues/4293
     // https://github.com/jeremylong/DependencyCheck/issues/1947
     fs.existsSync('package-lock.json') && fs.unlinkSync('package-lock.json')
-    !cmd.quick && await run('mvn org.owasp:dependency-check-maven:8.4.2:check -Dformat=JSON -q', { throw: false });
+    !cmd.quick && await run(`mvn org.owasp:dependency-check-maven:check -DnvdApiKey=${process.env.NVD_API_KEY} -DnvdApiDelay=6000 -Dformat=JSON -q`, { throw: false });
     sumarizeOWASP('target/dependency-check-report.json', vulnerabilities);
   }