chore: [DevOps] Update OWASP Workflow (#190)

* Update workflow

* Updated CVE Check Process

* update schedule

* Add missing API key

* Update .github/workflows/fosstars-report.yml

Co-authored-by: Charles Dubois <[email protected]>

* Update .github/workflows/fosstars-report.yml

Co-authored-by: Charles Dubois <[email protected]>

* Exclude provided scope

---------

Co-authored-by: Charles Dubois <[email protected]>

Author: MatKuhr

.github/workflows/fosstars-report.yml

@@ -2,11 +2,14 @@ name: "Fosstars (Security)"
 on:
   workflow_dispatch:
   schedule:
-    - cron: "0 0 * * *" # every day at midnight
+    - cron: '42 03 * * MON-FRI' # 03:42 on weekdays, a somewhat random time to avoid producing load spikes on the GH actions infrastructure
 
 env:
   MVN_MULTI_THREADED_ARGS: --batch-mode --no-transfer-progress --fail-at-end --show-version --threads 1C
   JAVA_VERSION: 17
+  CVE_CACHE_KEY: cve-db
+  CVE_CACHE_DIR: ~/.m2/repository/org/owasp/dependency-check-data
+  CVE_CACHE_REF: refs/heads/main
 
 jobs:
   create_fosstars_report:
@@ -22,29 +25,47 @@ jobs:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
+
       - name: Restore CVE Database
         uses: actions/cache/restore@v4
         with:
           path: ${{ env.CVE_CACHE_DIR }}
           key: ${{ env.CVE_CACHE_KEY }}
-          fail-on-cache-miss: true
+#          fail-on-cache-miss: true
 
       - name: "Build SDK"
         run: |
           MVN_ARGS="${{ env.MVN_MULTI_THREADED_ARGS }} clean install -DskipTests -DskipFormatting"
           mvn $MVN_ARGS
 
-      - name: "OWASP Dependency check"
-        run: mvn org.owasp:dependency-check-maven:10.0.4:check -DnvdApiKey=$NVD_API_KEY -DfailBuildOnCVSS=7 -DskipProvidedScope=true -DsuppressionFile=.pipeline/dependency-check-suppression.xml
-        env:
-          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
-
-      - name: "Fosstars rating"
+      - name: "Fosstars Rating"
         uses: SAP/[email protected]
         with:
           report-branch: fosstars-report
           token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: "CVE Scan"
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+        run: |
+          mvn -T1 --no-transfer-progress dependency-check:check
+
+      - name: Delete Old CVE Cache
+        run: |
+          CACHE_IDS=$(gh cache list --key "${{ env.CVE_CACHE_KEY }}" --ref "${{ env.CVE_CACHE_REF }}" --json id | jq -r '.[] | .id')
+          for CACHE_ID in $CACHE_IDS; do
+              echo "Deleting cache with ID: $CACHE_ID"
+              gh cache delete "${CACHE_ID}"
+          done
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create Updated CVE Cache
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ env.CVE_CACHE_DIR }}
+          key: ${{ env.CVE_CACHE_KEY }}
+
       - name: "Slack Notification"
         if: failure()
         uses: slackapi/[email protected]

.github/workflows/update-vulnerability-database.yaml

@@ -587,6 +587,20 @@ https://gitbox.apache.org/repos/asf?p=maven-pmd-plugin.git;a=blob_plain;f=src/ma
         <artifactId>maven-resources-plugin</artifactId>
         <version>3.3.1</version>
       </plugin>
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <version>11.1.0</version>
+        <configuration>
+          <connectionTimeout>60000</connectionTimeout>
+          <nvdMaxRetryCount>10</nvdMaxRetryCount>
+          <failBuildOnCVSS>7</failBuildOnCVSS>
+          <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
+          <suppressionFile>${project.rootdir}/.pipeline/dependency-check-suppression.xml</suppressionFile>
+          <nvdValidForHours>46</nvdValidForHours>
+          <skipProvidedScope>true</skipProvidedScope>
+        </configuration>
+      </plugin>
       <plugin>
         <groupId>org.codehaus.mojo</groupId>
         <artifactId>license-maven-plugin</artifactId>