Add OWASP dependency check (#6978)

See comment in the github action that explains why I think this is helpful: > the benefit of this over dependabot is that this also analyzes transitive dependencies > while dependabot (at least currently) only analyzes top-level dependencies
2022-10-27 19:21:38 -07:00 · 2022-10-27 19:21:38 -07:00 · cd95517ddc
parent 56229fbdf7
commit cd95517ddc
4 changed files with 48 additions and 0 deletions
--- a/.github/workflows/owasp-dependency-check-daily.yml
+++ b/.github/workflows/owasp-dependency-check-daily.yml
@ -0,0 +1,31 @@
+# the benefit of this over dependabot is that this also analyzes transitive dependencies
+# while dependabot (at least currently) only analyzes top-level dependencies
+name: OWASP dependency check (daily)
+
+on:
+  schedule:
+    - cron: '30 1 * * *'
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Java 11
+        uses: actions/setup-java@v3
+        with:
+          distribution: temurin
+          java-version: 11
+
+      - uses: gradle/gradle-build-action@v2
+        with:
+          arguments: ":javaagent:dependencyCheckAnalyze"
+
+      - name: Upload report
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          path: javaagent/build/reports
--- a/buildscripts/dependency-check-suppressions.xml
+++ b/buildscripts/dependency-check-suppressions.xml
@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <!-- this suppresses opentelemetry instrumentation modules and artifacts which get misidentified
+         as real dependencies like dubbo and prometheus -->
+    <packageUrl regex="true">^pkg:maven/io\.opentelemetry[./].*</packageUrl>
+    <vulnerabilityName regex="true">^CVE-.*</vulnerabilityName>
+  </suppress>
+</suppressions>
--- a/conventions/build.gradle.kts
+++ b/conventions/build.gradle.kts
@ -46,6 +46,7 @@ dependencies {
  implementation("org.ow2.asm:asm-tree:9.4")
  implementation("org.apache.httpcomponents:httpclient:4.5.13")
  implementation("org.gradle:test-retry-gradle-plugin:1.4.1")
+  implementation("org.owasp:dependency-check-gradle:7.3.0")
  implementation("ru.vyarus:gradle-animalsniffer-plugin:1.6.0")
  // When updating, also update dependencyManagement/build.gradle.kts
  implementation("net.bytebuddy:byte-buddy-gradle-plugin:1.12.18")
--- a/conventions/src/main/kotlin/otel.java-conventions.gradle.kts
+++ b/conventions/src/main/kotlin/otel.java-conventions.gradle.kts
@ -13,6 +13,7 @@ plugins {

  id("otel.errorprone-conventions")
  id("otel.spotless-conventions")
+  id("org.owasp.dependencycheck")
 }

 val otelJava = extensions.create<OtelJavaExtension>("otelJava")
@ -355,6 +356,12 @@ checkstyle {
  maxWarnings = 0
 }

+dependencyCheck {
+  skipConfigurations = listOf("errorprone", "checkstyle", "annotationProcessor")
+  suppressionFile = "buildscripts/dependency-check-suppressions.xml"
+  failBuildOnCVSS = 7.0f // fail on high or critical CVE
+}
+
 idea {
  module {
    isDownloadJavadoc = false