open-telemetry
/
opentelemetry-java-contrib
mirror of https://github.com/open-telemetry/opentelemetry-java-contrib.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add owasp dependency check workflow (#1701)

This commit is contained in:
Trask Stalnaker 2025-02-05 23:33:11 -08:00 committed by GitHub
parent 0c1bb9aab7
commit 2c8ea61bc0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 61 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
.github/workflows/owasp-dependency-check-daily.yml vendored Normal file
View File

@ -0,0 +1,48 @@
# the benefit of this over renovate is that this also analyzes transitive dependencies
# while renovate (at least currently) only analyzes top-level dependencies
name: OWASP dependency check (daily)
on:
schedule:
# daily at 1:30 UTC
- cron: "30 1 * * *"
workflow_dispatch:
permissions:
contents: read
jobs:
analyze:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up JDK for running Gradle
uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
with:
distribution: temurin
java-version: 17
- name: Increase gradle daemon heap size
run: |
sed -i "s/org.gradle.jvmargs=/org.gradle.jvmargs=-Xmx3g /" gradle.properties
- uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
- run: ./gradlew dependencyCheckAnalyze
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
- name: Upload report
if: always()
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
path: "**/build/reports"
workflow-notification:
needs:
- analyze
if: always()
uses: ./.github/workflows/reusable-workflow-notification.yml
with:
success: ${{ needs.analyze.result == 'success' }}

4
all/build.gradle.kts
View File

@ -58,3 +58,7 @@ afterEvaluate {
}
}
}
dependencyCheck {
skip = true
}

1
buildSrc/build.gradle.kts
View File

@ -15,6 +15,7 @@ dependencies {
implementation("com.diffplug.spotless:spotless-plugin-gradle:7.0.2")
implementation("net.ltgt.gradle:gradle-errorprone-plugin:4.1.0")
implementation("net.ltgt.gradle:gradle-nullaway-plugin:2.2.0")
implementation("org.owasp:dependency-check-gradle:12.0.2")
}
spotless {

8
buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
View File

@ -7,6 +7,7 @@ plugins {
id("otel.errorprone-conventions")
id("otel.spotless-conventions")
id("org.owasp.dependencycheck")
}
val otelJava = extensions.create<OtelJavaExtension>("otelJava")
@ -188,3 +189,10 @@ afterEvaluate {
}
}
}
dependencyCheck {
scanConfigurations = mutableListOf("runtimeClasspath")
failBuildOnCVSS = 7.0f // fail on high or critical CVE
nvd.apiKey = System.getenv("NVD_API_KEY")
nvd.delay = 3500 // until next dependency check release (https://github.com/jeremylong/DependencyCheck/pull/6333)
}