Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add sbt-dependency-check #289

Closed
wants to merge 1 commit into from
Closed

Add sbt-dependency-check #289

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions dependency-check/suppression.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
</suppressions>
17 changes: 17 additions & 0 deletions docs/src/main/paradox/security/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
# Security Announcements

@@toc { depth=2 }

@@@ index

* [dependency-check-report](dependency-check-report.md)

@@@

## Receiving Security Advisories

The best way to receive any and all security announcements is to subscribe to the [Apache Announce Mailing List](https://lists.apache.org/list.html?announce@apache.org).
Expand All @@ -17,6 +25,15 @@ Please follow the [guidelines](https://www.apache.org/security/) laid down by th
Ideally, any issues affecting Apache Pekko and Akka should be reported to Apache team first. We will share the
report with the Lightbend Akka team.

## Dependency check scanner

This project uses [sbt-dependency-check](https://github.com/albuch/sbt-dependency-check) in order to scan the
projects dependencies against [OWASP](https://owasp.org/) to create a @ref:[dependency-check-report](dependency-check-report.md)
of any potential security issues.

If you want to suppress the checking of some dependencies then there is a [supression](github:dependency-check/suppression.xml)
file. The format of this file is documented [here](https://jeremylong.github.io/DependencyCheck/general/suppression.html).

## Security Related Documentation

* [Akka security fixes]($pekko.doc.dns$/docs/pekko/current/security/index.html)
Expand Down
26 changes: 26 additions & 0 deletions project/DependencyCheck.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* license agreements; and to You under the Apache License, version 2.0:
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* This file is part of the Apache Pekko project, derived from Akka.
*/

import net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin
import sbt.AutoPlugin
import sbt.Keys.baseDirectory
import sbt.Keys._
import sbt._
import net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin.autoImport._

object DependencyCheck extends AutoPlugin {
override lazy val buildSettings = Seq(
LocalRootProject / dependencyCheckSuppressionFile := Some(
baseDirectory.value / "dependency-check" / "suppression.xml"))

override def requires = plugins.JvmPlugin && DependencyCheckPlugin

override def trigger = allRequirements

}
20 changes: 20 additions & 0 deletions project/Paradox.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ import com.lightbend.paradox.sbt.ParadoxPlugin
import com.lightbend.paradox.sbt.ParadoxPlugin.autoImport._
import com.lightbend.paradox.apidoc.ApidocPlugin
import com.lightbend.sbt.publishrsync.PublishRsyncPlugin.autoImport._
import net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin.autoImport._
import org.apache.pekko.PekkoParadoxPlugin.autoImport._
import sbt.Keys._
import sbt._
Expand Down Expand Up @@ -90,13 +91,32 @@ object Paradox {

val parsingSettings = Seq(Compile / paradoxParsingTimeout := 5.seconds)

val sourceGeneratorSettings = Seq(
Compile / paradoxMarkdownToHtml / sourceGenerators += Def.taskDyn {
val targetFile = (Compile / paradox / sourceManaged).value / "security" / "dependency-check-report.md"
val sourceFile = (LocalRootProject / dependencyCheckOutputDirectory).value.get / "dependency-check-report.html"

(LocalRootProject / dependencyCheckAggregate).map { _ =>
val data = IO.readLines(sourceFile)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are probably better/more performant ways to do this but we can also look into this later

IO.delete(targetFile) // Since we are appending lets clear any existing files if they exist
IO.writeLines(targetFile,
List(
"## Dependency Check Report",
"```raw"), append = true)
IO.writeLines(targetFile, data, append = true)
IO.writeLines(targetFile, List("```"), append = true)
List(targetFile)
}
}.taskValue)

val settings =
propertiesSettings ++
rootsSettings ++
includesSettings ++
groupsSettings ++
parsingSettings ++
themeSettings ++
sourceGeneratorSettings ++
Seq(
Compile / paradox / name := "Pekko",
resolvers += Resolver.jcenterRepo,
Expand Down
1 change: 1 addition & 0 deletions project/plugins.sbt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ addSbtPlugin("com.lightbend.sbt" % "sbt-publish-rsync" % "0.2")
addSbtPlugin("com.github.pjfanning" % "sbt-source-dist" % "0.1.5")
addSbtPlugin("org.mdedetrich" % "sbt-apache-sonatype" % "0.1.6")
addSbtPlugin("com.github.reibitto" % "sbt-welcome" % "0.2.2")
addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "5.1.0")

// allow access to snapshots for pekko-sbt-paradox
resolvers += Resolver.ApacheMavenSnapshotsRepo
Expand Down