Add owasp dependency check workflow (#1701)

Author: trask

.github/workflows/owasp-dependency-check-daily.yml

@@ -0,0 +1,48 @@
+# the benefit of this over renovate is that this also analyzes transitive dependencies
+# while renovate (at least currently) only analyzes top-level dependencies
+name: OWASP dependency check (daily)
+
+on:
+  schedule:
+    # daily at 1:30 UTC
+    - cron: "30 1 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up JDK for running Gradle
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Increase gradle daemon heap size
+        run: |
+          sed -i "s/org.gradle.jvmargs=/org.gradle.jvmargs=-Xmx3g /" gradle.properties
+
+      - uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
+
+      - run: ./gradlew dependencyCheckAnalyze
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+
+      - name: Upload report
+        if: always()
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          path: "**/build/reports"
+
+  workflow-notification:
+    needs:
+      - analyze
+    if: always()
+    uses: ./.github/workflows/reusable-workflow-notification.yml
+    with:
+      success: ${{ needs.analyze.result == 'success' }}

all/build.gradle.kts

@@ -58,3 +58,7 @@ afterEvaluate {
     }
   }
 }
+
+dependencyCheck {
+  skip = true
+}

buildSrc/build.gradle.kts

@@ -15,6 +15,7 @@ dependencies {
   implementation("com.diffplug.spotless:spotless-plugin-gradle:7.0.2")
   implementation("net.ltgt.gradle:gradle-errorprone-plugin:4.1.0")
   implementation("net.ltgt.gradle:gradle-nullaway-plugin:2.2.0")
+  implementation("org.owasp:dependency-check-gradle:12.0.2")
 }
 
 spotless {

buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts

@@ -7,6 +7,7 @@ plugins {
 
   id("otel.errorprone-conventions")
   id("otel.spotless-conventions")
+  id("org.owasp.dependencycheck")
 }
 
 val otelJava = extensions.create<OtelJavaExtension>("otelJava")
@@ -188,3 +189,10 @@ afterEvaluate {
     }
   }
 }
+
+dependencyCheck {
+  scanConfigurations = mutableListOf("runtimeClasspath")
+  failBuildOnCVSS = 7.0f // fail on high or critical CVE
+  nvd.apiKey = System.getenv("NVD_API_KEY")
+  nvd.delay = 3500 // until next dependency check release (https://github.com/jeremylong/DependencyCheck/pull/6333)
+}