chore : update dependency-check to use latest (#4731) (CP: 24.1) (#4789)

* chore : update dependency-check to use latest (#4731) * chore: update dependency-check to use 9.0.0 * Update sbom.yml * Update generateAndCheckSBOM.js --------- Co-authored-by: Manuel Carrasco Moñino <[email protected]> * update dependency to fix CVE-2023-6378 (#4759) * chore: update logback-classic to 1.4.14 [skip ci] (#4776) * chore: update logback-classic to 1.4.14 * Update pom.xml --------- Co-authored-by: Zhe Sun <[email protected]> Co-authored-by: Manuel Carrasco Moñino <[email protected]>
vaadin · Dec 7, 2023 · 64eec63 · 64eec63
1 parent e2e4cb3
commit 64eec63
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 5 deletions.
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -73,12 +73,12 @@ jobs:
           sudo dpkg -i bomber_0.4.7_linux_amd64.deb
         name: Install bomber-0.4.7
       - run: |
-          # Install dependency-check-8.2.2
+          # Install dependency-check-9.0.2
           cd /tmp
-          wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v8.4.2/dependency-check-8.4.2-release.zip
-          unzip dependency-check-8.4.2-release.zip
+          wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v9.0.2/dependency-check-9.0.2-release.zip
+          unzip dependency-check-9.0.2-release.zip
           sudo ln -s /tmp/dependency-check/bin/dependency-check.sh /usr/bin/dependency-check
-        name: Install dependency-check-8.4.2
+        name: Install dependency-check-9.0.2
       - run: |
           mkdir -p ~/.vaadin/
           echo '{"username":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f1`'","proKey":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f2`'"}' > ~/.vaadin/proKey
@@ -98,6 +98,7 @@ jobs:
         env:
          OSSINDEX_USER: ${{secrets.OSSINDEX_USER}}
          OSSINDEX_TOKEN: ${{secrets.OSSINDEX_TOKEN}}
+         NVD_API_KEY: ${{secrets.NVD_API_KEY}}
       - if: ${{always() && env.DEPENDENCIES_REPORT && github.event.pull_request}}
         uses: thollander/actions-comment-pull-request@v2
         with:

diff --git a/scripts/generateAndCheckSBOM.js b/scripts/generateAndCheckSBOM.js
@@ -516,7 +516,7 @@ async function main() {
     // https://github.com/jeremylong/DependencyCheck/issues/4293
     // https://github.com/jeremylong/DependencyCheck/issues/1947
     fs.existsSync('package-lock.json') && fs.unlinkSync('package-lock.json')
-    !cmd.quick && await run('mvn org.owasp:dependency-check-maven:8.4.2:check -Dformat=JSON -q', { throw: false });
+    !cmd.quick && await run(`mvn org.owasp:dependency-check-maven:check -DnvdApiKey=${process.env.NVD_API_KEY} -DnvdApiDelay=6000 -Dformat=JSON -q`, { throw: false });
     sumarizeOWASP('target/dependency-check-report.json', vulnerabilities);
   }
 

diff --git a/vaadin-spring-boot-starter/pom.xml b/vaadin-spring-boot-starter/pom.xml
@@ -65,8 +65,24 @@
                     <groupId>org.yaml</groupId>
                     <artifactId>snakeyaml</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>ch.qos.logback</groupId>
+                    <artifactId>logback-classic</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
+        <!-- CVE-2023-6378, should be removed after spring-boot fix. 
+        https://github.com/spring-projects/spring-boot/blob/main/spring-boot-project/spring-boot-dependencies/build.gradle#L849  -->
+        <dependency>
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-classic</artifactId>
+            <version>1.4.14</version>
+        </dependency>
+        <dependency>
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-core</artifactId>
+            <version>1.4.14</version>
+        </dependency>
         <!-- End Spring -->
     </dependencies>
 </project>