update dependecy-check to 9.0.4 and refactor it to own workflow

cryptomator · Dec 12, 2023 · 7d9827e · 7d9827e
1 parent 30f8a25
commit 7d9827e
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 4 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -15,10 +15,10 @@ jobs:
  cache: 'maven'
  - name: Ensure to use tagged version
  if: startsWith(github.ref, 'refs/tags/')
- run: mvn versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
+ run: mvn -B versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
  - name: Build and Test
  id: buildAndTest
- run: mvn -B clean install jacoco:report -Pcoverage,dependency-check
+ run: mvn -B clean install jacoco:report -Pcoverage
  - uses: actions/upload-artifact@v3
  with:
  name: artifacts

diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
@@ -0,0 +1,54 @@
+name: OWASP Maven Dependency Check
+on:
+ schedule:
+ - cron: '0 7 * * 0'
+ push:
+ branches:
+ - 'release/**'
+ workflow_dispatch:
+
+
+jobs:
+ check-dependencies:
+ name: Check dependencies
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ show-progress: false
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: 11
+ cache: 'maven'
+ - name: Run org.owasp:dependency-check plugin
+ id: dependency-check
+ continue-on-error: true
+ run: mvn -B verify -Pdependency-check -DskipTests
+ env:
+ NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+ - name: Upload report on failure
+ if: steps.dependency-check.outcome == 'failure'
+ uses: actions/upload-artifact@v3
+ with:
+ name: dependency-check-report
+ path: target/dependency-check-report.html
+ if-no-files-found: error
+ - name: Slack Notification on regular check
+ if: github.event_name == 'schedule' && steps.dependency-check.outcome == 'failure'
+ uses: rtCamp/action-slack-notify@v2
+ env:
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+ SLACK_USERNAME: 'Cryptobot'
+ SLACK_ICON: false
+ SLACK_ICON_EMOJI: ':bot:'
+ SLACK_CHANNEL: 'cryptomator-desktop'
+ SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected."
+ SLACK_MESSAGE: "Download the <https://github.com/${{ github.repository }}/actions/run/${{ github.run_id }}|report> for more details."
+ SLACK_FOOTER: false
+ MSG_MINIMAL: true
+ - name: Failing workflow on release branch
+ if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure'
+ shell: bash
+ run: exit 1
diff --git a/pom.xml b/pom.xml
@@ -27,6 +27,9 @@
  <junit.jupiter.version>5.10.1</junit.jupiter.version>
  <mockito.version>5.7.0</mockito.version>
  <hamcrest.version>2.2</hamcrest.version>
+
+ <!-- mvn plugins -->
+ <dependency-check.version>9.0.4</dependency-check.version>
  </properties>
 
  <licenses>
@@ -177,10 +180,10 @@
  <plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
- <version>8.4.3</version>
+ <version>${dependency-check.version}</version>
  <configuration>
- <cveValidForHours>24</cveValidForHours>
  <failBuildOnCVSS>6</failBuildOnCVSS>
+ <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
  </configuration>
  <executions>
  <execution>