import com.github.benmanes.gradle.versions.updates.DependencyUpdatesTask
// Build plugins. Besides Spring Boot/Java/IDEA, three supply-chain tooling plugins
// are pinned by version: CycloneDX (SBOM generation, configured in cyclonedxBom
// below), OWASP dependency-check (known-vulnerability scan, see dependencyCheck
// below) and ben-manes versions (dependency-update reports, see the
// DependencyUpdatesTask registrations). springBootVersion is a project property
// defined outside this file (presumably gradle.properties).
plugins {
    id 'org.springframework.boot' version "${springBootVersion}"
    id 'java'
    id 'idea'
    id "org.cyclonedx.bom" version "1.10.0"
    id "org.owasp.dependencycheck" version "11.1.0"
    id "com.github.ben-manes.versions" version "0.51.0"
}
// Spring's dependency-management plugin ships with the Boot plugin, so it is
// applied without a version. It imports the Boot BOM, which is why the starters
// in the dependencies block carry no explicit version and why a BOM version
// property such as snakeyaml.version can be overridden via ext below.
apply plugin: 'io.spring.dependency-management'
// Artifact coordinates of the produced jar.
group = 'de.novatec'
version = '2.4'
java {
    // Java 17 source level; targetCompatibility defaults to the same value.
    sourceCompatibility = '17'
}
// Maven Central is the only artifact source; nothing is pulled from
// third-party or snapshot repositories.
repositories {
    mavenCentral()
}
// Run tests on the JUnit Platform (JUnit 5), which spring-boot-starter-test brings in.
test {
    useJUnitPlatform()
}
// We only use snakeyaml transitively, but we want to force the
// current version due to existing CVEs.
// According to https://github.com/spring-projects/spring-boot/issues/34405
// this is safe. The override works through the Boot BOM's version property
// (see the dependency-management plugin applied above), so it applies to every
// snakeyaml artifact the BOM manages. Bump it, and re-run dependencyCheck,
// whenever a newer snakeyaml release fixes further issues.
ext['snakeyaml.version'] = '2.3'
dependencies {
    // Lombok is a compile-time-only tool (annotation processing). It is
    // deliberately absent from the runtime classpath and therefore also from the
    // runtimeClasspath-based SBOM produced by cyclonedxBom.
    annotationProcessor "org.projectlombok:lombok:${lombokVersion}"
    compileOnly "org.projectlombok:lombok:${lombokVersion}"

    // Spring Boot starters: their versions come from the Boot BOM imported by the
    // dependency-management plugin, so none is pinned here.
    implementation 'org.springframework.boot:spring-boot-starter-web'
    implementation 'org.springframework.boot:spring-boot-starter-actuator'
    implementation 'org.springframework.boot:spring-boot-starter-validation'

    // Third-party libraries pinned through project properties that are defined
    // outside this file (presumably gradle.properties).
    implementation "org.apache.commons:commons-text:${commonsTextVersion}"
    implementation "org.influxdb:influxdb-java:${influxdbJavaVersion}"

    testImplementation "org.springframework.boot:spring-boot-starter-test"
}
// OWASP dependency-check: scans the resolved dependency graph against the NVD
// (plus Sonatype OSS Index) and fails the build for any finding with a CVSS
// score of 6.0 or higher, i.e. the upper part of the Medium band and everything
// above it is blocking.
dependencyCheck {
    failBuildOnCVSS = 6
    analyzers {
        // The .NET assembly analyzer is irrelevant for a JVM project.
        assemblyEnabled = false
        // Sonatype OSS Index as a second vulnerability data source.
        ossIndex {
            enabled = true
        }
    }
    nvd {
        // The NVD API key is read from the environment so it never lands in the
        // repository. When NVD_API_TOKEN is unset this evaluates to null and the
        // plugin presumably falls back to unauthenticated, rate-limited NVD
        // access — confirm before relying on it in CI.
        apiKey = System.getenv("NVD_API_TOKEN")
        // Pause between NVD API requests, in milliseconds.
        delay = 10000
    }
}
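// Returns true when a candidate version string looks like a pre-release
// (alpha, beta, rc, milestone, snapshot, ...). A version counts as stable when it
// carries one of the stable markers RELEASE/FINAL/GA/JRE (case-insensitive) or
// consists only of digits, dots, commas, 'v' and dashes with an optional "-r"
// suffix. Upper-casing uses Locale.ROOT so the keyword check does not depend on
// the build machine's default locale (e.g. Turkish dotless-i rules).
def isNonStable = { String candidate ->
    def upper = candidate.toUpperCase(Locale.ROOT)
    def hasStableKeyword = ['RELEASE', 'FINAL', 'GA', 'JRE'].any { upper.contains(it) }
    def looksNumeric = candidate ==~ /^[0-9,.v-]+(-r)?$/
    return !hasStableKeyword && !looksNumeric
}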
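// Returns true when candidate lies outside the version family of current: a
// different major part always counts, a different minor part only when
// matchMinor is set. Identical strings are never rejected. The dependencyUpdates
// tasks use this to drop candidates that are more than a patch/minor bump.
//
// Parsing is done on dot-separated components rather than on substring offsets:
// the previous indexOf/substring approach threw StringIndexOutOfBoundsException
// for versions with fewer than two dots (e.g. "2.24" or "5"), which aborted the
// report. A current version without a minor component can only be compared by
// major, so matchMinor is ignored for it; an empty current version is rejected
// conservatively because nothing can be compared.
def isNotSameMajorMinor = { String current, String candidate, boolean matchMinor ->
    if (current == candidate) return false
    def parts = current.tokenize('.')
    if (parts.isEmpty()) return true
    def major = parts[0]
    // Same family requires the major (and minor) prefix to be followed by a dot,
    // so "1" does not match "10.x".
    if (!candidate.startsWith(major + '.')) return true
    if (!matchMinor || parts.size() < 2) return false
    def minor = parts[1]
    return !candidate.startsWith(major + '.' + minor + '.')
}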
// The stock dependencyUpdates task (registered by the versions plugin) reports
// patch-level updates only: pre-release candidates and candidates that change
// the major or minor part are rejected. The closure argument exposes the current
// version and the candidate's version of the component being checked.
tasks.named("dependencyUpdates").configure {
    rejectVersionIf {
        // only patch updates
        isNonStable(it.candidate.version) || isNotSameMajorMinor(it.currentVersion, it.candidate.version, true)
    }
}
// Second report task: like dependencyUpdates but also lists minor bumps
// (matchMinor = false); major bumps and pre-releases are still rejected.
tasks.register('dependencyUpdatesMinor', DependencyUpdatesTask) {
    rejectVersionIf {
        // only minor updates
        isNonStable(it.candidate.version) || isNotSameMajorMinor(it.currentVersion, it.candidate.version, false)
    }
}
// Third report task: lists every stable update including major bumps; only
// pre-release candidates are rejected.
tasks.register('dependencyUpdatesMajor', DependencyUpdatesTask) {
    rejectVersionIf {
        // all updates including major updates
        isNonStable(it.candidate.version)
    }
}
// Settings shared by all three DependencyUpdatesTask instances (the stock task
// plus the Minor/Major variants registered above).
tasks.withType(DependencyUpdatesTask).configureEach {
    // default settings
    // Ivy-style status used when looking up candidates ('release', 'milestone'
    // or 'integration'); 'milestone' admits milestone builds, which isNonStable
    // then filters out again.
    revision = 'milestone'
    // Also check for Gradle updates on the 'current' release channel.
    gradleReleaseChannel = "current"
    // Include dependency constraints and buildscript/plugin constraints in the check.
    checkConstraints = true
    checkBuildEnvironmentConstraints = true
    // Emit both a machine-readable and a human-readable report as
    // build/reports/dependencyUpdates.{json,txt}.
    outputFormatter = 'json,plain'
    outputDir = 'build/reports'
    reportfileName = 'dependencyUpdates'
}
// CycloneDX SBOM. Only the runtime dependency graph is listed (compileOnly and
// test dependencies are excluded), in CycloneDX schema 1.4, and outputFormat
// "all" writes both bom.json and bom.xml. These files are what packageBoms and
// release ship next to the boot jar.
cyclonedxBom {
    includeConfigs = ["runtimeClasspath"]
    schemaVersion = "1.4"
    outputName = "bom"
    outputFormat = "all"
}
// Bundles every bom.* file produced by cyclonedxBom into a single zip.
// Using the task outputs as input also wires the task dependency on cyclonedxBom.
tasks.register("packageBoms", Zip) {
    archiveFileName.set("software-bill-of-materials.zip")
    from(cyclonedxBom.outputs){
        include ("bom.*")
    }
}
// Assembles the release artifacts, the boot jar and the SBOM zip, under
// build/release. The explicit dependsOn is redundant: from(packageBoms.outputs)
// already implies that dependency, just as from(bootJar.outputs) implies the
// dependency on bootJar.
tasks.register("release", Copy) {
    dependsOn packageBoms
    from(bootJar.outputs)
    from(packageBoms.outputs)
    into(layout.buildDirectory.dir("release"))
}