Replace NVD with Sonatype OSS Index #2689
Conversation
Looks like a new CVE backing that better understands Maven coordinates, so the suppressions we maintained previously should no longer be needed. Ported from open-telemetry/opentelemetry-java-instrumentation#16445
Pull request overview
Replaces the NVD-backed OWASP dependency-check with Sonatype OSS Index for vulnerability scanning. OSS Index better understands Maven coordinates, eliminating the need for false-positive suppressions.
Changes:
- Swapped the OWASP dependency-check Gradle plugin for the Sonatype scan Gradle plugin across build configuration
- Removed the now-unnecessary `dependency-check-suppressions.xml` file
- Updated the daily CI workflow to use `ossIndexAudit` with new secrets and a simplified report step
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| buildSrc/build.gradle.kts | Replace OWASP plugin dependency with Sonatype scan plugin |
| buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts | Configure ossIndexAudit block replacing dependencyCheck |
| custom-checks/build.gradle.kts | Remove now-unnecessary dependencyCheck { skip = true } |
| buildscripts/dependency-check-suppressions.xml | Delete suppressions file (no longer needed) |
| .github/workflows/owasp-dependency-check-daily.yml | Update workflow to use new plugin, secrets, and reporting |
| .github/repository-settings.md | Update secret documentation |
| if: steps.audit.outcome == 'failure' | ||
| run: | | ||
| echo "=== OSS Index Vulnerability Report ===" | ||
| cat oss-index-cyclonedx-bom.json |
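Review bot: the condition `steps.audit.outcome == 'failure'` on this report step is only reachable if the audit step itself is declared with `continue-on-error: true`; otherwise the job stops at the failed audit and the report step never runs, so check that the audit step carries that flag. Separately, the heading announces a vulnerability report but the file dumped is `oss-index-cyclonedx-bom.json`, a CycloneDX BOM; confirm that the plugin writes its findings into that file (a `vulnerabilities` array) rather than only the component inventory, and consider printing just the finding entries instead of a raw `cat` of the whole BOM, which buries the relevant lines in the component list.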
Weird, I didn't see this suggestion made for the instrumentation repo. Wonder why it's different here...
I think that copilot reviews aren't enabled in the instrumentation repo
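As an added example (not code from this PR, from the OpenTelemetry build, or from the Sonatype plugin), the script below turns a CycloneDX JSON document of the kind the report step dumps into a per-coordinate list of findings, which is what a reader of the CI log actually wants. It assumes the plugin's `oss-index-cyclonedx-bom.json` follows the CycloneDX 1.4 shape with top-level `components` and `vulnerabilities` arrays; that is an assumption taken from the file name, not something the PR confirms. The BOM embedded in it is constructed for illustration, with `com.example` coordinates and placeholder ids that refer to no real artifact or finding.

```python
"""Summarize vulnerabilities in a CycloneDX JSON BOM by Maven coordinate."""
import json
import sys
from collections import defaultdict

# Constructed sample document in CycloneDX 1.4 shape (not real audit output).
# Coordinates use the reserved com.example group and the vulnerability ids are
# placeholders, so nothing here refers to a real artifact or a real finding.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:maven/com.example/lib-a@1.2.3", "group": "com.example",
         "name": "lib-a", "version": "1.2.3", "purl": "pkg:maven/com.example/lib-a@1.2.3"},
        {"bom-ref": "pkg:maven/com.example/lib-b@4.5.6", "group": "com.example",
         "name": "lib-b", "version": "4.5.6", "purl": "pkg:maven/com.example/lib-b@4.5.6"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-1", "source": {"name": "OSS Index"},
         "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv3"}],
         "affects": [{"ref": "pkg:maven/com.example/lib-a@1.2.3"}]},
        {"id": "EXAMPLE-VULN-2", "source": {"name": "OSS Index"},
         "ratings": [{"score": 3.1, "severity": "low", "method": "CVSSv3"}],
         "affects": [{"ref": "pkg:maven/com.example/lib-a@1.2.3"}]},
        # A ref that no component entry resolves: the summary keeps the raw
        # ref rather than silently dropping the finding.
        {"id": "EXAMPLE-VULN-3", "source": {"name": "OSS Index"},
         "ratings": [{"score": 9.8, "severity": "critical", "method": "CVSSv3"}],
         "affects": [{"ref": "pkg:maven/com.example/lib-c@0.1.0"}]},
    ],
})


def coordinate(component):
    """Render a component as a Maven group:artifact:version coordinate."""
    return "{}:{}:{}".format(component.get("group", ""), component.get("name", ""),
                             component.get("version", ""))


def max_score(vuln):
    """Highest numeric rating score on a vulnerability entry, 0.0 if none."""
    scores = [r["score"] for r in vuln.get("ratings", [])
              if isinstance(r.get("score"), (int, float))]
    return float(max(scores)) if scores else 0.0


def summarize(bom_text, min_score=0.0):
    """Map each affected coordinate to its (id, score) findings, highest first.

    Findings whose best score is below min_score are dropped; refs that do not
    match any component's bom-ref are reported under the raw ref string.
    """
    bom = json.loads(bom_text)
    refs = {c["bom-ref"]: coordinate(c)
            for c in bom.get("components", []) if "bom-ref" in c}
    findings = defaultdict(list)
    for vuln in bom.get("vulnerabilities", []):
        score = max_score(vuln)
        if score < min_score:
            continue
        for affected in vuln.get("affects", []):
            ref = affected.get("ref")
            findings[refs.get(ref, ref)].append((vuln.get("id", "?"), score))
    return {coord: sorted(items, key=lambda item: -item[1])
            for coord, items in findings.items()}


def render(summary):
    """Plain-text table: score, coordinate, vulnerability id per line."""
    lines = []
    for coord in sorted(summary):
        for vuln_id, score in summary[coord]:
            lines.append("{:>4.1f}  {}  {}".format(score, coord, vuln_id))
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a BOM path (e.g. oss-index-cyclonedx-bom.json) to summarize a real
    # file; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM
    print(render(summarize(text)))
```

Run with the audit output path as the only argument to get one line per finding, highest score first within each coordinate; components with no findings (`lib-b` above) do not appear, and a `min_score` threshold can hide low ratings when the report is used only to gate the build.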
| - `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password | ||
| - Generated at <https://nvd.nist.gov/developers/request-an-api-key> | ||
| - Key is associated with [@trask](https://github.com/trask)'s gmail address |
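Review bot: deleting the `NVD_API_KEY` entry from the settings doc does not retire the credential itself; since the key is tied to a personal gmail address and was issued at nvd.nist.gov, pair the doc change with removing the repository secret and revoking the key at NVD so a stale credential is not left behind in 1Password or GitHub. The replacement OSS Index secrets should get the same kind of note (where they are stored and which account owns them) so the ownership trail is not lost in the swap.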
I'll remove this secret after the PR is merged.
breedx-splk left a comment
LGTM with a couple small questions.
| # the benefit of this over renovate is that this also analyzes transitive dependencies | ||
| # while renovate (at least currently) only analyzes top-level dependencies | ||
| name: OWASP dependency check (daily) | ||
| name: OSS Index dependency audit (daily) |
Do we want to change the name of this workflow file too then?