add dependency-check-plügün

infeo · infeo · commit 8d369f0303a5 · 2022-03-15T17:14:05.000+01:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -20,7 +20,7 @@ jobs:
           mvn versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
       - name: Build and Test
         id: buildAndTest
-        run: mvn -B clean install
+        run: mvn -B clean install -Pdependency-check
       - uses: actions/upload-artifact@v2
         with:
           name: artifacts
diff --git a/pom.xml b/pom.xml
@@ -46,6 +46,10 @@
 
 		<!-- test dependencies -->
 		<junit.version>5.8.2</junit.version>
+
+		<!-- build plugin dependencies -->
+		<dependency-check.version>7.0.0</dependency-check.version>
+		<nexus-staging.version>1.6.8</nexus-staging.version>
 	</properties>
 
 	<dependencies>
@@ -191,6 +195,33 @@
 
 
 	<profiles>
+		<profile>
+			<id>dependency-check</id>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.owasp</groupId>
+						<artifactId>dependency-check-maven</artifactId>
+						<version>${dependency-check.version}</version>
+						<configuration>
+							<cveValidForHours>24</cveValidForHours>
+							<failBuildOnCVSS>0</failBuildOnCVSS>
+							<skipTestScope>true</skipTestScope>
+							<detail>true</detail>
+							<suppressionFile>suppression.xml</suppressionFile>
+						</configuration>
+						<executions>
+							<execution>
+								<goals>
+									<goal>check</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+
 		<profile>
 			<id>sign</id>
 			<build>
diff --git a/suppression.xml b/suppression.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+	<suppress>
+		<notes><![CDATA[
+        Incorrectly matched CPE, see https://github.com/jeremylong/DependencyCheck/issues/4177git
+		]]></notes>
+		<gav regex="true">^org\.cryptomator:.*$</gav>
+		<cpe>cpe:/a:cryptomator:cryptomator</cpe>
+		<cve>CVE-2022-25366</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
+			False postive, because secret-service only accesses the external gnome-keyring service
+		]]></notes>
+		<gav regex="true">^de\.swiesend\:secret\-service:.*$</gav>
+		<cve>CVE-2018-19358</cve>
+		<cve>CVE-2018-20781</cve>
+	</suppress>
+</suppressions>
