Merge pull request #20 from NovatecConsulting/feature-dependency-checks

add security and new version checks for dependencies
NovatecConsulting · Nov 13, 2023 · 6b33379 · 6b33379
2 parents 4bd700c + 1dc24e3
commit 6b33379
Show file tree

Hide file tree

Showing 7 changed files with 98 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -143,3 +143,8 @@ however the `http_status` will not be used for differentiation.
 
 To generate a software bill of materials (SBOM), execute the gradle task `cyclonedxBom`.
 It will save the BOM into the folder build/reports.
+
+##### How to Release
+
+Important tasks to check first are `dependencyUpdates` and `dependencyUpdates[Major|Minor]` for newer (patch, minor, major)
+versions and `dependencyCheckAnalyze` for security issues in the used dependencies. 
diff --git a/build.gradle b/build.gradle
@@ -1,14 +1,20 @@
+import com.github.benmanes.gradle.versions.updates.DependencyUpdatesTask
+
 plugins {
     id 'org.springframework.boot' version "${springBootVersion}"
     id 'java'
     id "org.cyclonedx.bom" version "1.7.4"
     id "org.owasp.dependencycheck" version "8.4.0"
+    id "com.github.ben-manes.versions" version "0.49.0"
 }
 apply plugin: 'io.spring.dependency-management'
 
 group 'de.novatec'
 version '2.2'
-sourceCompatibility = '17'
+
+java {
+    sourceCompatibility = '17'
+}
 
 repositories {
     mavenCentral()
@@ -52,6 +58,66 @@ dependencies {
     )
 }
 
+dependencyCheck {
+    failBuildOnCVSS = 6
+    analyzers {
+        assemblyEnabled = false
+        ossIndex {
+            enabled = true
+        }
+    }
+}
+
+def isNonStable = { String candidate ->
+    def stableKeyword = ['RELEASE', 'FINAL', 'GA', 'JRE'].any { it -> candidate.toUpperCase().contains(it) }
+    def versionRegex = /^[0-9,.v-]+(-r)?$/
+    return !stableKeyword && !(candidate ==~ versionRegex)
+}
+
+def isNotSameMajorMinor = { String current, String candidate, boolean matchMinor ->
+    if(current.equals(candidate)) return false
+
+    def firstDot = current.indexOf('.')
+    def secondDot = current.indexOf('.', firstDot + 1)
+    def major = current.substring(0, firstDot)
+    def minor = current.substring(firstDot + 1, secondDot)
+    def majorRegex = /^$major\..*/
+    def minorRegex = /^$major\.${minor}\..*/
+    return !((candidate ==~ majorRegex) && (!matchMinor || (candidate ==~ minorRegex)))
+}
+
+tasks.named("dependencyUpdates").configure {
+    rejectVersionIf {
+        // only patch updates
+        isNonStable(it.candidate.version) || isNotSameMajorMinor(it.currentVersion, it.candidate.version, true)
+    }
+}
+
+tasks.register('dependencyUpdatesMinor', DependencyUpdatesTask) {
+    rejectVersionIf {
+        // only minor updates
+        isNonStable(it.candidate.version) || isNotSameMajorMinor(it.currentVersion, it.candidate.version, false)
+    }
+}
+
+tasks.register('dependencyUpdatesMajor', DependencyUpdatesTask) {
+    rejectVersionIf {
+        // all updates including major updates
+        isNonStable(it.candidate.version)
+    }
+}
+
+tasks.withType(DependencyUpdatesTask).configureEach {
+    // default settings
+    revision = 'milestone'
+    gradleReleaseChannel = "current"
+    checkConstraints = true
+    checkBuildEnvironmentConstraints = true
+    outputFormatter = 'json,plain'
+    outputDir = 'build/reports'
+    reportfileName = 'dependencyUpdates'
+}
+
 cyclonedxBom {
     includeConfigs = ["runtimeClasspath"]
     schemaVersion = "1.4"

diff --git a/gradle.properties b/gradle.properties
@@ -1,5 +1,5 @@
 # Spring Boot
-springBootVersion=3.1.3
+springBootVersion=3.1.4
 
 # If indluxdb-java is updated, check new version of the transitive dependency okio-jvm
 # If there is a higher new version, remove the dependency override of okio-jvm

diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.0.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
+networkTimeout=10000
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/gradlew b/gradlew
@@ -55,7 +55,7 @@
 #       Darwin, MinGW, and NonStop.
 #
 #   (3) This script is generated from the Groovy template
-#       https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
 #       within the Gradle project.
 #
 #       You can find Gradle at https://github.com/gradle/gradle/.
@@ -80,10 +80,10 @@ do
     esac
 done
 
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
-
-APP_NAME="Gradle"
+# This is normally unused
+# shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
+APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
 
 # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
@@ -143,12 +143,16 @@ fi
 if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
     case $MAX_FD in #(
       max*)
+        # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
+        # shellcheck disable=SC3045
         MAX_FD=$( ulimit -H -n ) ||
             warn "Could not query maximum file descriptor limit"
     esac
     case $MAX_FD in  #(
       '' | soft) :;; #(
       *)
+        # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
+        # shellcheck disable=SC3045
         ulimit -n "$MAX_FD" ||
             warn "Could not set maximum file descriptor limit to $MAX_FD"
     esac
@@ -205,6 +209,12 @@ set -- \
         org.gradle.wrapper.GradleWrapperMain \
         "$@"
 
+# Stop when "xargs" is not available.
+if ! command -v xargs >/dev/null 2>&1
+then
+    die "xargs is not available"
+fi
+
 # Use "xargs" to parse quoted args.
 #
 # With -n1 it outputs one arg per line, with the quotes and backslashes removed.

diff --git a/gradlew.bat b/gradlew.bat
@@ -14,7 +14,7 @@
 @rem limitations under the License.
 @rem
 
-@if "%DEBUG%" == "" @echo off
+@if "%DEBUG%"=="" @echo off
 @rem ##########################################################################
 @rem
 @rem  Gradle startup script for Windows
@@ -25,7 +25,8 @@
 if "%OS%"=="Windows_NT" setlocal
 
 set DIRNAME=%~dp0
-if "%DIRNAME%" == "" set DIRNAME=.
+if "%DIRNAME%"=="" set DIRNAME=.
+@rem This is normally unused
 set APP_BASE_NAME=%~n0
 set APP_HOME=%DIRNAME%
 
@@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome
 
 set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
-if "%ERRORLEVEL%" == "0" goto execute
+if %ERRORLEVEL% equ 0 goto execute
 
 echo.
 echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
@@ -75,13 +76,15 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
 
 :end
 @rem End local scope for the variables with windows NT shell
-if "%ERRORLEVEL%"=="0" goto mainEnd
+if %ERRORLEVEL% equ 0 goto mainEnd
 
 :fail
 rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
 rem the _cmd.exe /c_ return code!
-if  not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
-exit /b 1
+set EXIT_CODE=%ERRORLEVEL%
+if %EXIT_CODE% equ 0 set EXIT_CODE=1
+if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
+exit /b %EXIT_CODE%
 
 :mainEnd
 if "%OS%"=="Windows_NT" endlocal