Dependency updates and add OWASP check

rjeberhard · rjeberhard · commit 5bddfaba1c8e · 2023-09-06T10:53:38.000-04:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,3 +9,7 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "daily"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -10,7 +10,7 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
       - name: Set up JDK
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ jobs:
           VERSION=${GITHUB_REF_NAME#v}
           echo "VERSION=$VERSION" >> $GITHUB_ENV
           echo "IMAGE_NAME=${{ env.REGISTRY }}/${{ env.BASE_IMAGE_NAME }}:$VERSION" >> $GITHUB_ENV
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
       - name: Set up JDK
diff --git a/dependency-check-suppression.xml b/dependency-check-suppression.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[
+        This CVE does not apply because the POM verifies a Maven version that is not affected.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.maven/maven-artifact-manager@.*$</packageUrl>
+        <vulnerabilityName>CVE-2021-26291</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        This CVE does not apply because the utility is only used to read project files at build time.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-utils@.*$</packageUrl>
+        <vulnerabilityName>CVE-2017-1000487</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        This CVE does not apply because this CVE refers to an unrelated project.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty-handler@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
+    </suppress>
+</suppressions>
diff --git a/owaspDependencyCheck.sh b/owaspDependencyCheck.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Copyright (c) 2020, 2021, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+# Generate report of known issues in dependencies
+
+set -e
+
+mvn ${MAVEN_ARGS} -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN org.owasp:dependency-check-maven:aggregate
diff --git a/pom.xml b/pom.xml
@@ -60,9 +60,12 @@
         <maven-war-plugin-version>3.4.0</maven-war-plugin-version>
         <maven-resources-plugin-version>3.3.1</maven-resources-plugin-version>
         <maven-dependency-plugin-version>3.6.0</maven-dependency-plugin-version>
+        <dependency-check-version>8.4.0</dependency-check-version>
+
+        <skip.dependency-check>false</skip.dependency-check>
 
         <java.version.range>17</java.version.range>
-        <maven.version.range>[3.6.1,)</maven.version.range>
+        <maven.version.range>[3.8.1,)</maven.version.range>
     </properties>
 
     <build>
@@ -142,6 +145,11 @@
                         <useModulePath>false</useModulePath>
                     </configuration>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>${dependency-check-version}</version>
+                </plugin>
                 <plugin>
                     <groupId>org.jacoco</groupId>
                     <artifactId>jacoco-maven-plugin</artifactId>
@@ -240,6 +248,26 @@
                 <artifactId>maven-deploy-plugin</artifactId>
                 <version>${maven-deploy-plugin-version}</version>
             </plugin>
+
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>${dependency-check-version}</version>
+                <configuration>
+                    <skip>${skip.dependency-check}</skip>
+                    <skipTestScope>true</skipTestScope>
+                    <failBuildOnCVSS>0</failBuildOnCVSS>
+                    <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+                    <formats>
+                        <format>HTML</format>
+                        <format>CSV</format>
+                    </formats>
+                    <suppressionFiles>
+                        <suppressionFile>dependency-check-suppression.xml</suppressionFile>
+                    </suppressionFiles>
+                </configuration>
+            </plugin>
+
         </plugins>
     </build>
 
@@ -281,6 +309,11 @@
                 <artifactId>commons-io</artifactId>
                 <version>2.13.0</version>
             </dependency>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-handler</artifactId>
+                <version>4.1.97.Final</version>
+            </dependency>
 
             <!-- unit test dependencies -->
 
