Feature/add dependency check in pipeline (#129)

DavidDamke · ddamke · Death111 · web-flow · commit f69e3c6f2259 · 2023-02-10T17:53:25.000+01:00
* add dependency check to pipeline
* updated dependency check to 8.0.2. fixed mvn site. added additional vulnerability suppression

---------

Co-authored-by: ddamke &lt;David.damke@doubleslash.de&gt;
Co-authored-by: Nico &lt;5772511+Death111@users.noreply.github.com&gt;
diff --git a/.github/workflows/mavenCi.yml b/.github/workflows/mavenCi.yml
@@ -14,7 +14,7 @@ on:
 
 jobs:
 
-  Analyze_Build_Upload:
+  build-analyze:
 
     runs-on: ubuntu-latest
 
@@ -30,15 +30,14 @@ jobs:
           java-version: '11'
           distribution: 'corretto'
           cache: maven
-          
-      # Initializes the CodeQL tools for scanning.
+
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2
         with:
           languages: 'java'
-        
+
       - name: Build
-        run:  mvn -V -B clean verify org.jacoco:jacoco-maven-plugin:0.8.7:prepare-agent org.jacoco:jacoco-maven-plugin:0.8.7:report -Pcoverage -Dproject.version=${{ env.version }}-SNAPSHOT
+        run:  mvn -V -B clean package org.jacoco:jacoco-maven-plugin:0.8.7:prepare-agent org.jacoco:jacoco-maven-plugin:0.8.7:report -Pcoverage
 
       - name: Upload Build Artifact
         uses: actions/upload-artifact@v3
@@ -59,3 +58,20 @@ jobs:
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v2
+
+  dependency-check:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v3
+        with:
+          java-version: '11'
+          distribution: 'corretto'
+          cache: maven
+
+      - name: dependencyCheck
+        run:  mvn dependency-check:check
diff --git a/dependency-check-report_suppressions.xml b/dependency-check-report_suppressions.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+   <suppress>
+      <notes>
+      <![CDATA[
+      file name: maven-core-3.0.jar
+      suppression-reason: referenced from 'maven-assembly-plugin' which is executed in build step (no runtime vulnerability). no assembly-plugin update available.
+      ]]>
+      </notes>
+      <packageUrl regex="true">^pkg:maven/org\.apache\.maven/maven\-core@.*$</packageUrl>
+      <cve>CVE-2021-26291</cve>
+   </suppress>
+   <suppress>
+      <notes>
+      <![CDATA[
+      file name: maven-settings-3.0.jar
+      suppression-reason: referenced from 'maven-assembly-plugin' which is executed in build step (no runtime vulnerability). no assembly-plugin update available.
+      ]]>
+      </notes>
+      <packageUrl regex="true">^pkg:maven/org\.apache\.maven/maven\-settings@.*$</packageUrl>
+      <vulnerabilityName>CVE-2021-26291</vulnerabilityName>
+   </suppress>
+   <suppress>
+      <notes>
+      <![CDATA[
+      file name: snakeyaml-1.30.jar
+      suppression-reason: we are not using .yaml files
+      ]]>
+      </notes>
+      <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
+      <cve>CVE-2022-1471</cve>
+   </suppress>
+</suppressions>
diff --git a/pom.xml b/pom.xml
@@ -38,7 +38,7 @@
     <maven.compiler.source>11</maven.compiler.source>
     <maven.compiler.target>11</maven.compiler.target>
 
-    <maven-dependency-check.version>6.0.5</maven-dependency-check.version>
+    <maven-dependency-check.version>8.0.2</maven-dependency-check.version>
     <!-- USING HTML,XML (comma-separated list) did not work with plugin version 5.1.0 -->
     <maven-dependency-check.format>ALL</maven-dependency-check.format>
     <maven-dependency-check.failOnError>true</maven-dependency-check.failOnError>
@@ -187,8 +187,14 @@
         </executions>
       </plugin>
 
-      <!-- see https://jeremylong.github.io/DependencyCheck/dependency-check-maven/ -->
-      <!-- https://mvnrepository.com/artifact/org.owasp/dependency-check-maven -->
+      <!-- needed for mvn site - see https://stackoverflow.com/a/51099913 -->
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-site-plugin</artifactId>
+        <version>3.12.1</version>
+      </plugin>
+
+      <!-- https://mvnrepository.com/artifact/org.owasp/dependency-check-maven (run with mvn dependency-check:check ) -->
       <plugin>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-maven</artifactId>
@@ -198,31 +204,24 @@
           <failOnError>${maven-dependency-check.failOnError}</failOnError>
           <failBuildOnCVSS>${maven-dependency-check.failBuildOnCVSS}</failBuildOnCVSS>
           <outputDirectory>target/site</outputDirectory>
-          <!--suppressionFile>${project.basedir}/dependency-check-report_suppressions.xml</suppressionFile -->
+          <suppressionFile>dependency-check-report_suppressions.xml</suppressionFile>
         </configuration>
         <executions>
-          <execution>
-            <goals>
-              <goal>update-only</goal>
-            </goals>
-          </execution>
+            <execution>
+                <goals>
+                    <goal>check</goal>
+                </goals>
+            </execution>
         </executions>
       </plugin>
-
     </plugins>
   </build>
 
+  <!-- generate site with mvn site (including dependency check) -->
   <reporting>
     <plugins>
-      <!-- needed for mvn site - see https://stackoverflow.com/a/51099913 -->
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-site-plugin</artifactId>
-        <version>3.12.1</version>
-      </plugin>
-
       <plugin>
-        <!-- https://mvnrepository.com/artifact/org.owasp/dependency-check-maven -->
+        <!-- https://mvnrepository.com/artifact/org.owasp/dependency-check-maven (redefinition to run also with site) -->
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-maven</artifactId>
         <version>${maven-dependency-check.version}</version>
@@ -238,7 +237,7 @@
           <failOnError>${maven-dependency-check.failOnError}</failOnError>
           <failBuildOnCVSS>${maven-dependency-check.failBuildOnCVSS}</failBuildOnCVSS>
           <outputDirectory>target/site</outputDirectory>
-          <!--suppressionFile>${project.basedir}/dependency-check-report_suppressions.xml</suppressionFile -->
+          <suppressionFile>dependency-check-report_suppressions.xml</suppressionFile>
         </configuration>
       </plugin>
     </plugins>
