adds Snyk CVE check (#98)

.github/workflows/snyk.yml

@@ -0,0 +1,25 @@
+name: Snyk
+on:
+  push:
+    branches: [ 'main' ]
+  pull_request:
+    branches: [ 'main' ]
+  schedule:
+    - cron: '0 0 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  cve-check:
+    name: CVE Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@master
+      - name: Snyk Analyze
+        uses: snyk/actions/maven@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high --all-projects

README.adoc

@@ -2,6 +2,7 @@
 
 image:https://github.com/codyfrehr/xpdf-api/actions/workflows/ci.yml/badge.svg?event=push&branch=main[]
 image:https://github.com/codyfrehr/xpdf-api/actions/workflows/codeql.yml/badge.svg?event=schedule&branch=main[]
+image:https://snyk.io/test/github/codyfrehr/xpdf-api/main/badge.svg[]
 
 {empty}
 

SCRIBBLES

@@ -16,6 +16,11 @@
 - new binaries should be extracted from source archives. project resource structure matches that of source archives, but unrelated files removed (specifically, non-pdftotext bins and docs)
 - new classes should have correct license header, java docs, comments, etc (what else? make specific checklist when you formalize these notes)
 - new modules/poms should have correct license header, pom metadata, etc
+- any newly added dependencies must be put in 1 of the 3 correct sections (normal deps, test deps, or cve deps), and must adhere to parent pom versioning strategy
+- any newly added dependencies must be compatible with GPL3 license.
+  if dependency license is GPL3 compatible and name of dependency license (found in dep pom) is not in exception list, then exception can be added to license check plugin on pom
+- any newly added dependencies must be free of high severity CVEs
+  override transitive dependency versions in the correct CVE dependency section in pom
 
 ## licensing, helpful links
 - another really helpful post https://opensource.stackexchange.com/q/9141

TODO

@@ -24,3 +24,6 @@
 - setup namecheap xpdf.io domain to automatically redirect to github repo, until website built https://www.namecheap.com/support/knowledgebase/article.aspx/385/2237/how-to-set-up-a-url-redirect-for-a-domain/
 - request derek to add link to your library on their webpage
 - build really basic homepage for website, resembling layout of https://kotest.io/docs or even just the simpler https://mockk.io/, or like that license plugin page
+- add dependabot to repo for automatic security updates? not sure how i feel about auto updates...
+  at very least, make sure notifications set up for failing pipeline security tests.
+  and make sure repo security well configured, and snyk configured as well as possible (login to snyk website for additional configs)

common-api/pom.xml

@@ -50,6 +50,7 @@
             <artifactId>commons-lang3</artifactId>
         </dependency>
         <!--test-->
+        <!--CVE overrides-->
     </dependencies>
 
 </project>

pdf-text-api-spring-boot-starter/pom.xml

@@ -58,6 +58,22 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
         </dependency>
+        <!--CVE overrides-->
+        <dependency>
+            <!--spring boot starter-->
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-core</artifactId>
+        </dependency>
+        <dependency>
+            <!--spring boot starter-->
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-classic</artifactId>
+        </dependency>
+        <dependency>
+            <!--spring boot starter-->
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+        </dependency>
     </dependencies>
 
 </project>

pdf-text-api/pom.xml

@@ -70,6 +70,7 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
         </dependency>
+        <!--CVE overrides-->
     </dependencies>
 
 </project>

pom.xml

@@ -183,6 +183,25 @@
                 <version>${spring-boot.version}</version>
                 <scope>test</scope>
             </dependency>
+            <!--CVE overrides-->
+            <dependency>
+                <!--spring boot starter-->
+                <groupId>ch.qos.logback</groupId>
+                <artifactId>logback-core</artifactId>
+                <version>1.2.13</version>
+            </dependency>
+            <dependency>
+                <!--spring boot starter-->
+                <groupId>ch.qos.logback</groupId>
+                <artifactId>logback-classic</artifactId>
+                <version>1.2.13</version>
+            </dependency>
+            <dependency>
+                <!--spring boot starter-->
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>2.0</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
@@ -221,6 +240,7 @@
             <groupId>org.mockito</groupId>
             <artifactId>mockito-inline</artifactId>
         </dependency>
+        <!--CVE overrides-->
     </dependencies>
 
     <build>
@@ -356,6 +376,11 @@
                                 <rule>APPROVE</rule>
                                 <value>Apache-2.0</value>
                             </dependencyPolicy>
+                            <dependencyPolicy>
+                                <type>LICENSE_NAME</type>
+                                <rule>APPROVE</rule>
+                                <value>GNU Lesser General Public License</value>
+                            </dependencyPolicy>
                             <dependencyPolicy>
                                 <type>LICENSE_NAME</type>
                                 <rule>APPROVE</rule>