Remove OWASP dependency check from CI (#4717)

Author: lhotari

.github/workflows/bk-ci.yml

@@ -61,7 +61,6 @@ jobs:
         id: check_changes
         run: |
           echo "docs_only=${{ fromJSON(steps.changes.outputs.all_count) == fromJSON(steps.changes.outputs.docs_count) && fromJSON(steps.changes.outputs.docs_count) > 0 }}" >> $GITHUB_OUTPUT
-          echo "need_owasp=${{ fromJSON(steps.changes.outputs.need_owasp) }}" >> $GITHUB_OUTPUT
 
       - name: Cache local Maven repository
         if: steps.check_changes.outputs.docs_only != 'true'
@@ -96,7 +95,6 @@ jobs:
         run: mvn -B -nsu -am -pl bookkeeper-common,bookkeeper-server,:bookkeeper-stats-api,:bookkeeper-stats-providers,:codahale-metrics-provider,:prometheus-metrics-provider javadoc:aggregate -DskipTests -Pdelombok -Dchesktyle.skip -Dspotbugs.skip
     outputs:
       docs_only: ${{ steps.check_changes.outputs.docs_only }}
-      need_owasp: ${{ steps.check_changes.outputs.need_owasp }}
 
   unit-tests:
     name: ${{ matrix.step_name }}
@@ -511,49 +509,6 @@ jobs:
       - name: Check typos
         uses: crate-ci/typos@v1.22.4
 
-  owasp-dependency-check:
-    name: OWASP Dependency Check
-    runs-on: ubuntu-latest
-    timeout-minutes: 60
-    needs: [ 'build-and-license-check' ]
-    if: ${{ needs.build-and-license-check.outputs.need_owasp == 'true' }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Tune Runner VM
-        uses: ./.github/actions/tune-runner-vm
-
-      - name: Cache local Maven repository
-        id: cache
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.m2/repository/*/*/*
-            !~/.m2/repository/org/apache/bookkeeper
-            !~/.m2/repository/org/apache/distributedlog
-          key: ${{ runner.os }}-bookkeeper-all-${{ hashFiles('**/pom.xml') }}
-
-      - name: Set up JDK 11
-        uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin'
-          java-version: 21
-
-      - name: run "clean install verify" to trigger dependency check
-        # excluding dlfs because it includes hadoop lib with
-        # CVEs that we cannot patch up anyway
-        run: mvn -q -B -ntp clean install verify -Powasp-dependency-check -DskipTests -pl '!stream/distributedlog/io/dlfs,!tests'
-
-      - name: Upload report
-        uses: actions/upload-artifact@v4
-        if: ${{ cancelled() || failure() }}
-        continue-on-error: true
-        with:
-          name: dependency report
-          path: target/dependency-check-report.html
-          retention-days: 7
-
   bookkeeper-ci-checks-completed:
     name: "BookKeeper CI checks completed"
     if: ${{ always() && ((github.event_name != 'schedule') || (github.repository == 'apache/bookkeeper')) }}
@@ -565,7 +520,6 @@ jobs:
       'integration-tests',
       'jdk-compatibility-checks',
       'macos-build',
-      'owasp-dependency-check',
       'typo-check',
       'unit-tests',
       'windows-build'