Updated CVE Check Process

Author: MatKuhr

.github/workflows/fosstars-report.yml

@@ -7,6 +7,9 @@ on:
 env:
   MVN_MULTI_THREADED_ARGS: --batch-mode --no-transfer-progress --fail-at-end --show-version --threads 1C
   JAVA_VERSION: 17
+  CVE_CACHE_KEY: cve-db
+  CVE_CACHE_DIR: ~/.m2/repository/org/owasp/dependency-check-data
+  CVE_CACHE_REF: refs/heads/main
 
 jobs:
   create_fosstars_report:
@@ -22,29 +25,52 @@ jobs:
           distribution: "temurin"
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
+
       - name: Restore CVE Database
         uses: actions/cache/restore@v4
         with:
           path: ${{ env.CVE_CACHE_DIR }}
           key: ${{ env.CVE_CACHE_KEY }}
-          fail-on-cache-miss: true
+#          fail-on-cache-miss: true
 
       - name: "Build SDK"
         run: |
           MVN_ARGS="${{ env.MVN_MULTI_THREADED_ARGS }} clean install -DskipTests -DskipFormatting"
           mvn $MVN_ARGS
 
-      - name: "OWASP Dependency check"
-        run: mvn org.owasp:dependency-check-maven:11.1.0:check -DnvdApiKey=$NVD_API_KEY -DfailBuildOnCVSS=7 -DskipProvidedScope=true -DsuppressionFile=.pipeline/dependency-check-suppression.xml -DautoUpdate=false
-        env:
-          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
-
-      - name: "Fosstars rating"
+      - name: "Fosstars Rating"
         uses: SAP/[email protected]
         with:
           report-branch: fosstars-report
           token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: "CVE Scan"
+        run: |
+          mvn -T1 --no-transfer-progress dependency-check:check dependency-check:aggregate
+
+#      - name: "Archive CVE Report"
+#        uses: actions/upload-artifact@v4
+#        with:
+#          name: cve-report
+#          path: target/dependency-check-report.html
+#          retention-days: 7
+
+      - name: Delete Old CVE Cache
+        run: |
+          CACHE_IDS=$(gh cache list --key "${{ env.CVE_CACHE_KEY }}" --ref "${{ env.CVE_CACHE_REF }}" --json id | jq -r '.[] | .id')
+          for CACHE_ID in $CACHE_IDS; do
+              echo "Deleting cache with ID: $CACHE_ID"
+              gh cache delete "${CACHE_ID}"
+          done
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create Updated CVE Cache
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ env.CVE_CACHE_DIR }}
+          key: ${{ env.CVE_CACHE_KEY }}
+
       - name: "Slack Notification"
         if: failure()
         uses: slackapi/[email protected]

.github/workflows/update-vulnerability-database.yaml

@@ -584,6 +584,19 @@ https://gitbox.apache.org/repos/asf?p=maven-pmd-plugin.git;a=blob_plain;f=src/ma
         <artifactId>maven-resources-plugin</artifactId>
         <version>3.3.1</version>
       </plugin>
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <version>11.1.0</version>
+        <configuration>
+          <connectionTimeout>60000</connectionTimeout>
+          <nvdMaxRetryCount>10</nvdMaxRetryCount>
+          <failBuildOnCVSS>7</failBuildOnCVSS>
+          <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
+          <suppressionFile>${project.rootdir}/.pipeline/dependency-check-suppression.xml</suppressionFile>
+          <nvdValidForHours>46</nvdValidForHours>
+        </configuration>
+      </plugin>
     </plugins>
   </build>
   <profiles>