From 5bddfaba1c8eaf1dce882bfbbd61f2b09e2aeb4e Mon Sep 17 00:00:00 2001
From: Ryan Eberhard
Date: Wed, 6 Sep 2023 10:53:38 -0400
Subject: [PATCH] Dependency updates and add OWASP check
---
 .github/dependabot.yml | 4 ++++
 .github/workflows/build.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 dependency-check-suppression.xml | 24 ++++++++++++++++++++++
 owaspDependencyCheck.sh | 9 ++++++++
 pom.xml | 35 +++++++++++++++++++++++++++++++-
 6 files changed, 73 insertions(+), 3 deletions(-)
 create mode 100644 dependency-check-suppression.xml
 create mode 100755 owaspDependencyCheck.sh
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5b063201..ea8f494e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,7 @@ updates:
 directory: "/" # Location of package manifests
 schedule:
 interval: "daily"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 91ef3b4f..0445a37e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,7 +10,7 @@ jobs:
 name: Build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 - name: Set up JDK
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7b714cb9..5b09aa87 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ jobs:
 VERSION=${GITHUB_REF_NAME#v}
 echo "VERSION=$VERSION" >> $GITHUB_ENV
 echo "IMAGE_NAME=${{ env.REGISTRY }}/${{ env.BASE_IMAGE_NAME }}:$VERSION" >> $GITHUB_ENV
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 - name: Set up JDK
diff --git a/dependency-check-suppression.xml b/dependency-check-suppression.xml
new file mode 100644
index 00000000..ed614028
--- /dev/null +++ b/dependency-check-suppression.xml @@ -0,0 +1,24 @@ + + + + + ^pkg:maven/org\.apache\.maven/maven-artifact-manager@.*$ + CVE-2021-26291 + + + + ^pkg:maven/org\.codehaus\.plexus/plexus-utils@.*$ + CVE-2017-1000487 + + + + ^pkg:maven/io\.netty/netty-handler@.*$ + CVE-2023-4586 + + \ No newline at end of file diff --git a/owaspDependencyCheck.sh b/owaspDependencyCheck.sh new file mode 100755 index 00000000..44df0ca1 --- /dev/null +++ b/owaspDependencyCheck.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# Copyright (c) 2020, 2021, Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + +# Generate report of known issues in dependencies + +set -e + +mvn ${MAVEN_ARGS} -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN org.owasp:dependency-check-maven:aggregate diff --git a/pom.xml b/pom.xml index 43218178..7328adc4 100644 --- a/pom.xml +++ b/pom.xml @@ -60,9 +60,12 @@ 3.4.0 3.3.1 3.6.0 + 8.4.0 + + false 17 - [3.6.1,) + [3.8.1,) @@ -142,6 +145,11 @@ false + + org.owasp + dependency-check-maven + ${dependency-check-version} + org.jacoco jacoco-maven-plugin @@ -240,6 +248,26 @@ maven-deploy-plugin ${maven-deploy-plugin-version} + + + org.owasp + dependency-check-maven + ${dependency-check-version} + + ${skip.dependency-check} + true + 0 + false + + HTML + CSV + + + dependency-check-suppression.xml + + + + @@ -281,6 +309,11 @@ commons-io 2.13.0 + + io.netty + netty-handler + 4.1.97.Final +
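Review bot: The three suppressions in this new file match the packageUrl with `@.*$`, so they silence CVE-2021-26291, CVE-2017-1000487 and CVE-2023-4586 for every version of maven-artifact-manager, plexus-utils and netty-handler, including any later version where the finding would be real again; scoping each regex to the affected versions, or adding an `until="YYYY-MM-DD"` expiry attribute on the suppress element, keeps them from becoming permanent. The element names are not visible in this rendering, so I cannot tell whether each entry carries a notes element with the reason the finding does not apply to this project; each one should, and the netty-handler entry should reference the pin to 4.1.97.Final made elsewhere in this commit so the two can be revisited together. The file is also written without a trailing newline.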
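Review bot: The copyright header reads `2020, 2021` although this script is created in a commit dated September 2023, which suggests it was copied from another file; the years should reflect when it was actually written. `${MAVEN_ARGS}` is intentionally unquoted so several options can be passed, which deserves a comment such as `# MAVEN_ARGS may contain several Maven options; deliberately unquoted for word splitting`, and anyone later adding `set -u` will need `${MAVEN_ARGS:-}`. A one-line note that the `aggregate` goal reads its thresholds and suppression file from the pom would also help, since nothing in the script shows where those come from.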
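Review bot: The range `[3.6.1,)` is raised to `[3.8.1,)`, which by its form looks like the Maven prerequisite; that is a build-environment requirement change the commit title (dependency updates and OWASP check) does not mention, so it should be called out in the commit message and wherever the project documents build prerequisites. Element names are stripped in this rendering, so I read the two new property values `8.4.0` and `false` as the dependency-check plugin version and the default of `skip.dependency-check`, the property referenced in the later plugin hunk; with the default `false` the scan runs on every build, and a comment next to the property stating how to bypass it locally, `-Dskip.dependency-check=true`, would save the next maintainer a search.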
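Review bot: The plugin configuration contains a value of `0` which, if it is the CVSS fail threshold as its position among the settings suggests, fails the build on any finding regardless of severity; together with the package-wide regex suppressions in dependency-check-suppression.xml this tends to push toward blanket suppression rather than triage, so a documented threshold, with the HTML and CSV reports surfacing the rest, is worth considering. The `true` and `false` entries cannot be reviewed here because the element names are not visible, so a short comment above the plugin block naming what each setting does would help. As far as these hunks show, the build workflow is not changed to invoke the check, so it only runs when owaspDependencyCheck.sh or the goal is run by hand; confirm where it is intended to run.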