Skip to content

CI - OWASP Dependency Check #699

CI - OWASP Dependency Check

CI - OWASP Dependency Check #699

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
name: CI - OWASP Dependency Check
on:
schedule:
- cron: '15 0 * * *'
workflow_dispatch:
env:
MAVEN_OPTS: -Xss1500k -Xmx1500m -Daether.connector.http.reuseConnections=false -Daether.connector.requestTimeout=60000 -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.http.retryHandler.requestSentEnabled=true -Dmaven.wagon.http.serviceUnavailableRetryStrategy.class=standard -Dmaven.wagon.rto=60000
JDK_DISTRIBUTION: corretto
NIST_NVD_API_KEY: ${{ secrets.NIST_NVD_API_KEY }}
jobs:
run-owasp-dependency-check:
if: ${{ github.repository == 'apache/pulsar' || github.event_name == 'workflow_dispatch' }}
name: Check ${{ matrix.branch }}
env:
JOB_NAME: Check ${{ matrix.branch }}
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
runs-on: ubuntu-22.04
timeout-minutes: 75
strategy:
fail-fast: false
max-parallel: 1
matrix:
include:
- branch: master
- branch: branch-3.3
- branch: branch-3.2
- branch: branch-3.0
steps:
- name: checkout
uses: actions/checkout@v4
with:
ref: ${{ matrix.branch }}
- name: Tune Runner VM
uses: ./.github/actions/tune-runner-vm
- name: Restore Maven repository cache
uses: actions/cache/restore@v4
timeout-minutes: 5
with:
path: |
~/.m2/repository/*/*/*
!~/.m2/repository/org/apache/pulsar
key: ${{ runner.os }}-m2-dependencies-all-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-m2-dependencies-core-modules-${{ hashFiles('**/pom.xml') }}
${{ runner.os }}-m2-dependencies-core-modules-
- name: Set up JDK ${{ matrix.jdk || '17' }}
uses: actions/setup-java@v4
with:
distribution: ${{ env.JDK_DISTRIBUTION }}
java-version: ${{ matrix.jdk || '17' }}
- name: run install by skip tests
run: mvn -B -ntp clean install -DskipTests -Dspotbugs.skip=true -Dlicense.skip=true -Dcheckstyle.skip=true -Drat.skip=true -DskipDocker=true -DnarPluginPhase=none -pl '!distribution/io,!distribution/offloaders'
- name: OWASP cache key weeknum
id: get-weeknum
run: |
echo "weeknum=$(date -u +"%Y-%U")" >> $GITHUB_OUTPUT
shell: bash
- name: Restore OWASP Dependency Check data
id: restore-owasp-dependency-check-data
uses: actions/cache/restore@v4
timeout-minutes: 5
with:
path: ~/.m2/repository/org/owasp/dependency-check-data
key: owasp-dependency-check-data-${{ steps.get-weeknum.outputs.weeknum }}
enableCrossOsArchive: true
restore-keys: |
owasp-dependency-check-data-
- name: Update OWASP Dependency Check data
id: update-owasp-dependency-check-data
if: ${{ matrix.branch == 'master' && (steps.restore-owasp-dependency-check-data.outputs.cache-hit != 'true' || steps.restore-owasp-dependency-check-data.outputs.cache-matched-key != steps.restore-owasp-dependency-check-data.outputs.cache-primary-key) }}
run: mvn -B -ntp -Powasp-dependency-check initialize -pl . dependency-check:update-only
- name: Save OWASP Dependency Check data
if: ${{ steps.update-owasp-dependency-check-data.outcome == 'success' }}
uses: actions/cache/save@v4
timeout-minutes: 5
with:
path: ~/.m2/repository/org/owasp/dependency-check-data
key: ${{ steps.restore-owasp-dependency-check-data.outputs.cache-primary-key }}
enableCrossOsArchive: true
- name: run OWASP Dependency Check for distribution/server (-DfailBuildOnAnyVulnerability=true)
run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -pl distribution/server -DfailBuildOnAnyVulnerability=true
- name: run OWASP Dependency Check for offloaders/tiered-storage and pulsar-io connectors (-DfailOnError=false)
if: ${{ !cancelled() }}
run: |
mvnprojects=$(mvn -B -ntp -Dscan=false initialize \
| grep -- "-< .* >-" \
| sed -E 's/.*-< (.*) >-.*/\1/' \
| grep -E 'pulsar-io-|tiered-storage-|offloader' \
| tr '\n' ',' | sed 's/,$/\n/' )
set -xe
mvn --fail-at-end -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -DfailOnError=false -pl "${mvnprojects}"
- name: Upload OWASP Dependency Check reports
uses: actions/upload-artifact@v4
if: always()
with:
name: owasp-dependency-check-reports-${{ matrix.branch }}
path: |
**/target/dependency-check-report.html