Add sbt-dependency-check

apache · May 5, 2023 · 261efb4 · 261efb4
1 parent 878ee61
commit 261efb4
Show file tree

Hide file tree

Showing 6 changed files with 70 additions and 0 deletions.
diff --git a/build.sbt b/build.sbt
@@ -7,6 +7,9 @@ scalaVersion := Dependencies.allScalaVersions.head
 ThisBuild / apacheSonatypeProjectProfile := "pekko"
 sourceDistName := "incubating-pekko"
 
+dependencyCheckOutputDirectory := Some(baseDirectory.value / "dependency-check")
+dependencyCheckSuppressionFile := Some(baseDirectory.value / "dependency-check" / "suppression.xml")
+
 enablePlugins(
   UnidocRoot,
   UnidocWithPrValidation,

diff --git a/dependency-check/suppression.xml b/dependency-check/suppression.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+</suppressions>
diff --git a/docs/src/main/paradox/security/index.md b/docs/src/main/paradox/security/index.md
@@ -1,5 +1,13 @@
 # Security Announcements
 
+@@toc { depth=2 }
+
+@@@ index
+
+* [dependency-check-report](dependency-check-report.md)
+
+@@@
+
 ## Receiving Security Advisories
 
 The best way to receive any and all security announcements is to subscribe to the [Apache Announce Mailing List](https://lists.apache.org/list.html?announce@apache.org).
@@ -17,6 +25,15 @@ Please follow the [guidelines](https://www.apache.org/security/) laid down by th
 Ideally, any issues affecting Apache Pekko and Akka should be reported to Apache team first. We will share the
 report with the Lightbend Akka team.
 
+## Dependency check scanner
+
+This project uses [sbt-dependency-check](https://github.com/albuch/sbt-dependency-check) in order to scan the
+projects dependencies against [OWASP](https://owasp.org/) to create a @ref:[dependency-check-report](dependency-check-report.md)
+of any potential security issues.
+
+If you want to suppress the checking of some dependencies then there is a [supression](github:dependency-check/suppression.xml)
+file. The format of this file is documented [here](https://jeremylong.github.io/DependencyCheck/general/suppression.html).
+
 ## Security Related Documentation
 
  * [Akka security fixes]($pekko.doc.dns$/docs/pekko/current/security/index.html)

diff --git a/project/DependencyCheck.scala b/project/DependencyCheck.scala
@@ -0,0 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * license agreements; and to You under the Apache License, version 2.0:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * This file is part of the Apache Pekko project, derived from Akka.
+ */
+
+import net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin
+import sbt.AutoPlugin
+import sbt.Keys.baseDirectory
+import sbt.Keys._
+import sbt._
+import net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin.autoImport._
+
+object DependencyCheck extends AutoPlugin {
+  override lazy val buildSettings = Seq(
+    LocalRootProject / dependencyCheckSuppressionFile := Some(
+      baseDirectory.value / "dependency-check" / "suppression.xml"))
+
+  override def requires = plugins.JvmPlugin && DependencyCheckPlugin
+
+  override def trigger = allRequirements
+
+}
diff --git a/project/Paradox.scala b/project/Paradox.scala
@@ -17,6 +17,7 @@ import com.lightbend.paradox.sbt.ParadoxPlugin
 import com.lightbend.paradox.sbt.ParadoxPlugin.autoImport._
 import com.lightbend.paradox.apidoc.ApidocPlugin
 import com.lightbend.sbt.publishrsync.PublishRsyncPlugin.autoImport._
+import net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin.autoImport._
 import org.apache.pekko.PekkoParadoxPlugin.autoImport._
 import sbt.Keys._
 import sbt._
@@ -90,13 +91,32 @@ object Paradox {
 
   val parsingSettings = Seq(Compile / paradoxParsingTimeout := 5.seconds)
 
+  val sourceGeneratorSettings = Seq(
+    Compile / paradoxMarkdownToHtml / sourceGenerators += Def.taskDyn {
+      val targetFile = (Compile / paradox / sourceManaged).value / "security" / "dependency-check-report.md"
+      val sourceFile = (LocalRootProject / dependencyCheckOutputDirectory).value.get / "dependency-check-report.html"
+
+      (LocalRootProject / dependencyCheckAggregate).map { _ =>
+        val data = IO.readLines(sourceFile)
+        IO.delete(targetFile) // Since we are appending lets clear any existing files if they exist
+        IO.writeLines(targetFile,
+          List(
+            "# Dependency Check Report",
+            "```raw"), append = true)
+        IO.writeLines(targetFile, data, append = true)
+        IO.writeLines(targetFile, List("```"), append = true)
+        List(targetFile)
+      }
+    }.taskValue)
+
   val settings =
     propertiesSettings ++
     rootsSettings ++
     includesSettings ++
     groupsSettings ++
     parsingSettings ++
     themeSettings ++
+    sourceGeneratorSettings ++
     Seq(
       Compile / paradox / name := "Pekko",
       resolvers += Resolver.jcenterRepo,

diff --git a/project/plugins.sbt b/project/plugins.sbt
@@ -22,6 +22,7 @@ addSbtPlugin("com.lightbend.sbt" % "sbt-publish-rsync" % "0.2")
 addSbtPlugin("com.github.pjfanning" % "sbt-source-dist" % "0.1.5")
 addSbtPlugin("org.mdedetrich" % "sbt-apache-sonatype" % "0.1.6")
 addSbtPlugin("com.github.reibitto" % "sbt-welcome" % "0.2.2")
+addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "5.1.0")
 
 // allow access to snapshots for pekko-sbt-paradox
 resolvers += Resolver.ApacheMavenSnapshotsRepo