RATIS-2372. Add weekly CVE vulnerability check workflow for Apache Ratis (#1328)

Signed-off-by: OneSizeFitsQuorum <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: OneSizeFitsQuorum

.github/workflows/vulnerability-check.yaml

@@ -0,0 +1,64 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: vulnerability-check
+
+on:
+  schedule:
+    # Run at 16:00 UTC every Sunday (Monday 00:00 CST)
+    - cron: "0 16 * * 0"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3
+  MAVEN_ARGS: --batch-mode --no-transfer-progress
+
+jobs:
+  dependency-check:
+    if: ${{ github.event_name == 'workflow_dispatch' || github.repository == 'apache/ratis' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK 11
+        uses: actions/setup-java@v4
+        with:
+          distribution: corretto
+          java-version: 11
+
+      - name: Do Maven install
+        shell: bash
+        run: mvn $MAVEN_ARGS clean install -DskipTests
+
+      - name: Do the dependency-check:aggregate
+        shell: bash
+        run: mvn $MAVEN_ARGS org.owasp:dependency-check-maven:aggregate -DossIndexUsername=${{ secrets.OSS_INDEX_USER }} -DossIndexPassword=${{ secrets.OSS_INDEX_TOKEN }} -DnvdApiKey=${{ secrets.NVD_API_KEY }}
+
+      - name: Generate report date for artifact name
+        run: |
+          utc_time="${{ github.run_started_at }}"
+          target_time=$(TZ=Asia/Shanghai date -d "$utc_time" +"%Y-%m-%d")
+          echo "REPORT_DATE=$target_time" >> $GITHUB_ENV
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: vulnerability-check-result-${{ env.REPORT_DATE }}
+          path: target/dependency-check-report.html
+          retention-days: 15

pom.xml

@@ -726,6 +726,11 @@
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <version>12.1.9</version>
+      </plugin>
     </plugins>
     <resources>
       <resource>