Add dependency check to Circle CI (#75)

elasticio · Apr 7, 2022 · 730380d · 730380d
1 parent ac50de6
commit 730380d
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 3 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -11,7 +11,9 @@ jobs:
     steps:
 
       - checkout
-
+      - run:
+          name: Audit Dependencies
+          command: ./gradlew dependencyCheckAnalyze
       - run: export TERM=${TERM:-dumb} && ./gradlew build --refresh-dependencies uploadArchives -PsonatypeUsername=$SONATYPE_USERNAME -PsonatypePassword=$SONATYPE_PASSWORD
 
       - store_test_results:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## 3.3.9 (April 8, 2022)
+
+* Get rid of high vulnerabilities in dependencies
+* Add dependency check job to Circle CI
+
 ## 3.3.8 (February 11, 2022)
 
 * Get rid of high and critical vulnerabilities in dependencies

diff --git a/build.gradle b/build.gradle
@@ -5,8 +5,10 @@ apply plugin: 'groovy'
 apply plugin: 'maven'
 apply plugin: 'signing'
 
+apply plugin: org.owasp.dependencycheck.gradle.DependencyCheckPlugin
+
 group = 'io.elastic'
-version = '3.3.8-SNAPSHOT'
+version = '3.3.9-SNAPSHOT'
 ext.isReleaseVersion = !version.endsWith("SNAPSHOT")
 
 sourceCompatibility = 1.8
@@ -35,7 +37,7 @@ dependencies {
     compile "ch.qos.logback:logback-classic:1.2.10"
     compile "ch.qos.logback.contrib:logback-json-classic:0.1.5"
     compile "ch.qos.logback.contrib:logback-jackson:0.1.5"
-    compile "com.fasterxml.jackson.core:jackson-databind:2.13.0"
+    compile "com.fasterxml.jackson.core:jackson-databind:2.13.2.2"
 
     testRuntime 'org.codehaus.groovy:groovy-all:2.0.5'
     testCompile "org.spockframework:spock-core:1.3-groovy-2.4"
@@ -134,3 +136,23 @@ jar {
                 "Implementation-Version": version)
     }
 }
+
+check.dependsOn dependencyCheckAnalyze
+
+dependencyCheck {
+    format = 'ALL'
+    // Dependency Check script will fail in case there are critical (9.0-10.0) vulnerabilities.
+    // It should be configured to 7 (high and critical), but so far is not possible as 'axis' library
+    // and log4j issues which does not have any updates that solve the problem
+    failBuildOnCVSS = 7
+    suppressionFile='./dependencycheck-base-suppression.xml'
+}
+
+buildscript {
+    repositories {
+        mavenCentral()
+    }
+    dependencies {
+        classpath 'org.owasp:dependency-check-gradle:6.0.3'
+    }
+}
diff --git a/dependencycheck-base-suppression.xml b/dependencycheck-base-suppression.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <notes><![CDATA[
+      file name: logback-jackson-0.1.5.jar
+      ]]>
+    </notes>
+    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-jackson@.*$</packageUrl>
+    <cve>CVE-2017-5929</cve>
+    <cve>CVE-2021-42550</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+      file name: logback-json-classic-0.1.5.jar
+      ]]>
+    </notes>
+    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-json\-classic@.*$</packageUrl>
+    <cpe>cpe:/a:qos:logback</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+      file name: logback-json-core-0.1.5.jar
+      ]]>
+    </notes>
+    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-json\-core@.*$</packageUrl>
+    <cpe>cpe:/a:qos:logback</cpe>
+  </suppress>
+</suppressions>