Conversation

@CharlesDuboisSAP CharlesDuboisSAP commented Oct 2, 2024

Context

AI/ai-sdk-java-backlog#65.

This is the equivalent of blackduck. It scans our dependencies and compares them to the National Vulnerability Database.
This is done on every commit.

Feature scope:

<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[This is a JS dependency.]]></notes>
<cve>CVE-2021-41251</cve>
Contributor

(Major/Question)

How exactly is the JS dependency recognized?
If we are affected by this false-positive(?) then all other users of "owasp" will have a similar experience, right?

Contributor Author

It linked me to a dependency called cloud-sdk-js@core 1.0. I guessed it saw our openAI module use com.sap.ai.sdk:core:0.1.0-SNAPSHOT and thought it was good enough of a match...
I don't think this plugin is great, just better than blackduck hopefully.
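The suppression quoted above names only a CVE, so it silences CVE-2021-41251 for every artifact in the build rather than just the mis-identified core module. The following lint is an added example, not code from the PR or the project: it parses a dependency-check suppression file and flags entries that carry no package scope; the packageUrl pattern for com.sap.ai.sdk:core in the constructed sample is an assumption built from the coordinates quoted in the thread.

```python
"""Lint an OWASP dependency-check suppression file for unscoped entries."""
import xml.etree.ElementTree as ET

NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
# Elements that tie a suppression to a specific artifact.
SCOPE_TAGS = ("packageUrl", "gav", "cpe", "sha1", "filePath")
# Elements that name what is being suppressed.
FINDING_TAGS = ("cve", "vulnerabilityName", "cvssBelow")

# Constructed sample: entry 1 mirrors the unscoped suppression from the PR,
# entry 2 scopes the same CVE to the package the scanner mis-identified
# (the purl pattern is an assumption, not taken from the project).
SAMPLE = f"""<suppressions xmlns="{NS}">
  <suppress>
    <notes><![CDATA[This is a JS dependency.]]></notes>
    <cve>CVE-2021-41251</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[False positive: core module matched to cloud-sdk-js.]]></notes>
    <packageUrl regex="true">^pkg:maven/com\\.sap\\.ai\\.sdk/core@.*$</packageUrl>
    <cve>CVE-2021-41251</cve>
  </suppress>
</suppressions>
"""


def lint_suppressions(xml_text: str) -> list[dict]:
    """Return one record per <suppress> with the problems found in it."""
    root = ET.fromstring(xml_text)
    results = []
    for index, sup in enumerate(root.findall(f"{{{NS}}}suppress"), start=1):
        tags = {child.tag.replace(f"{{{NS}}}", "") for child in sup}
        cves = [c.text for c in sup.findall(f"{{{NS}}}cve")]
        notes = sup.find(f"{{{NS}}}notes")
        problems = []
        if notes is None or not (notes.text or "").strip():
            problems.append("missing notes")
        if not tags & set(FINDING_TAGS):
            problems.append("no finding named")
        if not tags & set(SCOPE_TAGS):
            problems.append("unscoped: suppresses for every dependency")
        results.append({"index": index, "cves": cves, "problems": problems})
    return results


if __name__ == "__main__":
    for record in lint_suppressions(SAMPLE):
        status = "; ".join(record["problems"]) or "OK"
        print(f"suppress #{record['index']} {record['cves']}: {status}")
```

Running it reports the first entry as unscoped and the second as OK; the same check can run in CI before the dependency-check step so that a global CVE suppression cannot be merged unnoticed.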

@jjtang1985
Contributor

This is the equivalent of blackduck

@CharlesDuboisSAP , is this specifically for the vulnerability?
I guess blackduck does more than vulnerability, e.g., license check.

- name: "Build SDK"
run: |
MVN_ARGS="${{ env.MVN_MULTI_THREADED_ARGS }} clean install -DskipTests -DskipFormatting"
mvn $MVN_ARGS
Contributor

@newtork newtork Oct 7, 2024

(Explanation)

mvn install is necessary, otherwise the dependency-check will fail on missing core:0.1.0-SNAPSHOT.

env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
#TODO: Blackduck and security rating steps
Contributor

@newtork newtork Oct 7, 2024

(Explanation)

With this change, we're not running dependency checks on PR commits.
Instead it's happening on main commits (merges).

mvn $MVN_ARGS
- name: "OWASP Dependency check"
run: mvn org.owasp:dependency-check-maven:10.0.4:check -DnvdApiKey=$NVD_API_KEY -DfailBuildOnCVSS=7 -DskipProvidedScope=true -DsuppressionFile=.pipeline/dependency-check-suppression.xml
Contributor

(Comment)

Be aware that having a static plugin version in the YAML (instead of the pom) increases maintenance.

@CharlesDuboisSAP CharlesDuboisSAP merged commit 11ecf97 into main Oct 7, 2024
@CharlesDuboisSAP CharlesDuboisSAP deleted the owasp branch October 7, 2024 13:02