Add OWASP Dependency Checker to the GH CI workflows (apache#13972)
dlg99 authored Feb 1, 2022
1 parent a65c887 commit 3c29c7e
Showing 12 changed files with 312 additions and 4 deletions.
94 changes: 94 additions & 0 deletions .github/workflows/ci-owasp-dep-check.yaml
@@ -0,0 +1,94 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#

name: CI - Misc - OWASP Dependency Check
on:
pull_request:
branches:
- master
push:
branches:
- branch-*

env:
MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3

jobs:

owasp-dep-check:
name:
runs-on: ubuntu-latest
timeout-minutes: 120

steps:
- name: checkout
uses: actions/checkout@v2

- name: Tune Runner VM
uses: ./.github/actions/tune-runner-vm

- name: Detect changed pom files
id: changes
uses: apache/pulsar-test-infra/paths-filter@master
with:
filters: |
poms:
- 'pom.xml'
- '**/pom.xml'
- name: Cache local Maven repository
if: ${{ steps.changes.outputs.poms == 'true' }}
uses: actions/cache@v2
with:
path: |
~/.m2/repository/*/*/*
!~/.m2/repository/org/apache/pulsar
key: ${{ runner.os }}-m2-dependencies-all-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-m2-dependencies-core-modules-${{ hashFiles('**/pom.xml') }}
${{ runner.os }}-m2-dependencies-core-modules-
- name: Set up JDK 11
uses: actions/setup-java@v2
if: ${{ steps.changes.outputs.poms == 'true' }}
with:
distribution: 'temurin'
java-version: 11

- name: clean disk
if: ${{ steps.changes.outputs.poms == 'true' }}
run: |
sudo swapoff -a
sudo rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc
sudo apt clean
docker rmi $(docker images -q) -f
df -h
# Projects dependent on flume, hdfs, hbase, and presto currently excluded from the scan.
- name: run "clean install verify" to trigger dependency check
if: ${{ steps.changes.outputs.poms == 'true' }}
run: mvn -q -B -ntp clean install verify -PskipDocker,owasp-dependency-check -DskipTests -pl '!pulsar-sql,!distribution/io,!distribution/offloaders,!tiered-storage/file-system,!pulsar-io/flume,!pulsar-io/hbase,!pulsar-io/hdfs2,!pulsar-io/hdfs3,!pulsar-io/docs'

- name: Upload report
uses: actions/upload-artifact@v2
if: ${{ cancelled() || failure() }}
continue-on-error: true
with:
name: dependency report
path: target/dependency-check-report.html
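Review bot: The `on:` triggers (`pull_request` on master, `push` on `branch-*`) combined with the `steps.changes.outputs.poms == 'true'` gate mean the scan only runs when a pom.xml changes, so a CVE published against an unchanged dependency is not detected until someone happens to touch a pom; adding a `schedule:` cron trigger and bypassing the paths-filter gate on those runs (e.g. `if: ${{ github.event_name == 'schedule' || steps.changes.outputs.poms == 'true' }}`) would close that gap. `name:` under `owasp-dep-check` is a bare key and parses as null; give the job a name such as `name: OWASP Dependency Check` or drop the key. `uses: apache/pulsar-test-infra/paths-filter@master` references a mutable branch of another repository, so a change there reaches this workflow unreviewed; pin it (and ideally the `actions/*` steps) to a full commit SHA, `@<commit-sha>`, rather than a branch or tag. `docker rmi $(docker images -q) -f` in the "clean disk" step exits non-zero when the runner has no images, and GitHub runs `run` steps with `bash -e` by default, so appending `|| true` keeps that cleanup best-effort.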
25 changes: 25 additions & 0 deletions distribution/io/pom.xml
@@ -125,6 +125,31 @@
</plugins>
</build>
</profile>
<!--
The only working way for OWASP dependency checker plugin
to exclude module when failBuildOnCVSS is used
in the root pom's plugin.
-->
<profile>
<id>owasp-dependency-check</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
<phase>none</phase>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>

</project>
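Review bot: The added `owasp-dependency-check` profile disables the inherited plugin execution by binding it to `<phase>none</phase>`, but the `<execution>` carries no `<id>`, so it only overrides the parent's execution if that one is also the unnamed `default` execution; if the root pom's execution has an explicit id, this override silently does nothing and the module is scanned anyway. Giving the override the same `<id>` as the parent execution, or using the plugin's `<configuration><skip>true</skip></configuration>`, would make the intent explicit and robust. The same block is repeated verbatim in pulsar-io/docs, pulsar-io/flume, pulsar-io/hbase, pulsar-io/hdfs2, pulsar-io/hdfs3, pulsar-sql and tiered-storage/file-system, and in each the comment should also record why the module is excluded from CVSS-gated scanning (the workflow attributes it to flume, hdfs, hbase and presto dependencies) and that this is a coverage gap to be tracked, since these modules' transitive dependencies presumably ship to users. The enclosing `<profiles>` element starts outside the hunk.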
1 change: 0 additions & 1 deletion distribution/pom.xml
@@ -53,7 +53,6 @@
<module>server</module>
</modules>
</profile>

</profiles>

<build>
1 change: 1 addition & 0 deletions pom.xml
@@ -2326,6 +2326,7 @@ flexible messaging model and an intuitive client API.</description>
<suppressionFile>${pulsar.basedir}/src/owasp-dependency-check-false-positives.xml</suppressionFile>
<suppressionFile>${pulsar.basedir}/src/owasp-dependency-check-suppressions.xml</suppressionFile>
</suppressionFiles>
<failBuildOnCVSS>7</failBuildOnCVSS>
<msbuildAnalyzerEnabled>false</msbuildAnalyzerEnabled>
<nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
<yarnAuditAnalyzerEnabled>false</yarnAuditAnalyzerEnabled>
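Review bot: `<failBuildOnCVSS>7</failBuildOnCVSS>` encodes a policy choice without stating it: the build fails only on High/Critical findings (CVSS >= 7.0), Medium findings appear in the report but pass CI, and the two `<suppressionFile>` entries above can silence even High ones. A comment such as `<!-- fail the build on High/Critical findings (CVSS >= 7.0); lower scores are reported only -->` would make the threshold's intent reviewable, and entries added to owasp-dependency-check-suppressions.xml should carry a justification so the threshold is not quietly eroded over time. The enclosing `<configuration>` element starts outside the hunk.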
27 changes: 27 additions & 0 deletions pulsar-io/docs/pom.xml
@@ -215,5 +215,32 @@
</plugin>
</plugins>
</build>
<profiles>
<!--
The only working way for OWASP dependency checker plugin
to exclude module when failBuildOnCVSS is used
in the root pom's plugin.
-->
<profile>
<id>owasp-dependency-check</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
<phase>none</phase>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>

</project>
27 changes: 27 additions & 0 deletions pulsar-io/flume/pom.xml
@@ -138,5 +138,32 @@
</plugin>
</plugins>
</build>
<profiles>
<!--
The only working way for OWASP dependency checker plugin
to exclude module when failBuildOnCVSS is used
in the root pom's plugin.
-->
<profile>
<id>owasp-dependency-check</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
<phase>none</phase>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>

</project>
27 changes: 27 additions & 0 deletions pulsar-io/hbase/pom.xml
@@ -95,5 +95,32 @@
</plugin>
</plugins>
</build>
<profiles>
<!--
The only working way for OWASP dependency checker plugin
to exclude module when failBuildOnCVSS is used
in the root pom's plugin.
-->
<profile>
<id>owasp-dependency-check</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
<phase>none</phase>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>

</project>
29 changes: 28 additions & 1 deletion pulsar-io/hdfs2/pom.xml
@@ -92,5 +92,32 @@
</plugin>
</plugins>
</build>

<profiles>
<!--
The only working way for OWASP dependency checker plugin
to exclude module when failBuildOnCVSS is used
in the root pom's plugin.
-->
<profile>
<id>owasp-dependency-check</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
<phase>none</phase>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>

</project>
29 changes: 28 additions & 1 deletion pulsar-io/hdfs3/pom.xml
@@ -97,5 +97,32 @@
</plugin>
</plugins>
</build>

<profiles>
<!--
The only working way for OWASP dependency checker plugin
to exclude module when failBuildOnCVSS is used
in the root pom's plugin.
-->
<profile>
<id>owasp-dependency-check</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
<phase>none</phase>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>

</project>
1 change: 0 additions & 1 deletion pulsar-io/pom.xml
@@ -88,7 +88,6 @@
<module>data-generator</module>
</modules>
</profile>

</profiles>

<build>
28 changes: 28 additions & 0 deletions pulsar-sql/pom.xml
@@ -167,4 +167,32 @@
</plugins>
</build>

<profiles>
<!--
The only working way for OWASP dependency checker plugin
to exclude module when failBuildOnCVSS is used
in the root pom's plugin.
-->
<profile>
<id>owasp-dependency-check</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
<phase>none</phase>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>

</project>
27 changes: 27 additions & 0 deletions tiered-storage/file-system/pom.xml
@@ -179,4 +179,31 @@
</plugin>
</plugins>
</build>
<profiles>
<!--
The only working way for OWASP dependency checker plugin
to exclude module when failBuildOnCVSS is used
in the root pom's plugin.
-->
<profile>
<id>owasp-dependency-check</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
<phase>none</phase>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>
