diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index da3e929..97162ab 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,7 +1,7 @@
 # Each line is a file pattern followed by one or more owners.
 # global
-* @buchi-busireddy @tim-mwangi @surajpuvvada @avinashkolluru
+* @hypertrace/platform-util-owners
 # GH action
-.github/ @aaron-steinfeld @jbahire @kotharironak @buchi-busireddy
\ No newline at end of file
+.github/ @hypertrace/ci-owners
\ No newline at end of file
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index c93b5a2..b1268a4 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,21 +28,6 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v3
- - name: create checksum file
- uses: hypertrace/github-actions/checksum@main
-
- - name: create checksum file
- uses: hypertrace/github-actions/checksum@main
-
- - name: Cache packages
- uses: actions/cache@v2
- with:
- path: ~/.gradle
- key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
- restore-keys: |
- gradle-packages-${{ runner.os }}-${{ github.job }}
- gradle-packages-${{ runner.os }}
-
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v2
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index 0cea90e..55513e4 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
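Review bot: Both new entries point at GitHub teams (`@hypertrace/platform-util-owners`, `@hypertrace/ci-owners`), and GitHub only honours a team in CODEOWNERS when that team has explicit write access to the repository; otherwise the line is silently ignored and nobody is requested for review, so please confirm that for both teams (their access is not visible here). Code-owner review is also only enforced when branch protection enables "Require review from Code Owners", which this file cannot express on its own. Minor: both sides still end without a trailing newline; adding one avoids the `\ No newline at end of file` churn on every future edit.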
@@ -9,47 +9,17 @@ on:
 jobs:
 build:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 steps:
 # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
 - name: Check out code
- uses: actions/checkout@v2.3.4
+ uses: actions/checkout@v3
 with:
 ref: ${{github.event.pull_request.head.ref}}
 repository: ${{github.event.pull_request.head.repo.full_name}}
 fetch-depth: 0
-
- - name: create checksum file
- uses: hypertrace/github-actions/checksum@main
-
- - name: Cache packages
- id: cache-packages
- uses: actions/cache@v2
- with:
- path: ~/.gradle
- key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
- restore-keys: |
- gradle-packages-${{ runner.os }}-${{ github.job }}
- gradle-packages-${{ runner.os }}
 - name: Build with Gradle
 uses: hypertrace/github-actions/gradle@main
 with:
 args: build
-
- snyk-scan:
- runs-on: ubuntu-20.04
- steps:
- # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
- - name: Check out code
- uses: actions/checkout@v2.3.4
- with:
- ref: ${{github.event.pull_request.head.ref}}
- repository: ${{github.event.pull_request.head.repo.full_name}}
- fetch-depth: 0
- - name: Setup snyk
- uses: snyk/actions/setup@0.3.0
- - name: Snyk test
- run: snyk test --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --configuration-matching='^runtimeClasspath$' --remote-repo-url='https://github.com/hypertrace/java-grpc-utils.git'
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml
index 749362b..f0e5619 100644
--- a/.github/workflows/pr-test.yml
+++ b/.github/workflows/pr-test.yml
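Review bot: Deleting the `snyk-scan` job removes the only dependency scan that ran under this workflow's triggers, and its replacement, the `dependency-check` job added to pr-test.yml, only covers the same pull requests if that file's `on:` block matches this one, which is not visible in the hunk; please confirm that or move the new job here. Separately, `actions/checkout@v2.3.4` becomes `actions/checkout@v3`, going from an exact tag to a floating major tag in a job that checks out `${{github.event.pull_request.head.repo.full_name}}`, i.e. fork code; pinning to a commit SHA, `uses: actions/checkout@<sha> # v3`, keeps the action immutable. The `hypertrace/github-actions/gradle@main` step in the same list is unpinned as well, so the build already runs whatever `main` happens to be.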
@@ -7,26 +7,13 @@ on:
 jobs:
 test:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 steps:
 # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
 - name: Check out code
- uses: actions/checkout@v2.3.4
+ uses: actions/checkout@v3
 with:
 fetch-depth: 0
-
- - name: create checksum file
- uses: hypertrace/github-actions/checksum@main
-
- - name: Cache packages
- id: cache-packages
- uses: actions/cache@v2
- with:
- path: ~/.gradle
- key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
- restore-keys: |
- gradle-packages-${{ runner.os }}-${{ github.job }}
- gradle-packages-${{ runner.os }}
 - name: Unit test
 uses: hypertrace/github-actions/gradle@main
@@ -34,7 +21,7 @@ jobs:
 args: build jacocoTestReport
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v2
+ uses: codecov/codecov-action@v3
 with:
 name: unit test reports
 fail_ci_if_error: true
@@ -46,15 +33,22 @@ jobs:
 args: copyAllReports --output-dir=/tmp/test-reports
 - name: Archive test reports
- uses: actions/upload-artifact@v1
+ uses: actions/upload-artifact@v3
 with:
 name: test-reports
 path: /tmp/test-reports
 if: always()
 - name: Publish Unit Test Results
- uses: docker://ghcr.io/enricomi/publish-unit-test-result-action:v1.6
+ uses: EnricoMi/publish-unit-test-result-action@v2
 if: always()
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 files: ./**/build/test-results/**/*.xml
+
+ dependency-check:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Dependency Check
+ uses: hypertrace/github-actions/dependency-check@main
+
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 26eda18..1f76634 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
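Review bot: The new `dependency-check` job has no checkout step before `uses: hypertrace/github-actions/dependency-check@main`, so unless that composite action checks out the repository itself (not visible here) it runs in an empty workspace and has nothing to scan; every other job in this file starts with `- name: Check out code` / `uses: actions/checkout@v3`, and the same two lines belong at the top of this job's `steps:`. The action is also referenced by the mutable `@main` ref, which for a job whose purpose is to gate vulnerable dependencies is worth pinning to a tag or commit SHA. The job declares no `needs:`, so it runs in parallel with `test`; that is fine if intended, but a one-line comment saying so would stop someone from "fixing" it later.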
@@ -8,26 +8,14 @@ on:
 jobs:
 publish-artifacts:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 steps:
 # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
 - name: Check out code
- uses: actions/checkout@v2.3.4
+ uses: actions/checkout@v3
 with:
 fetch-depth: 0
- - name: create checksum file
- uses: hypertrace/github-actions/checksum@main
-
- - name: Cache packages
- uses: actions/cache@v2
- with:
- path: ~/.gradle
- key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
- restore-keys: |
- gradle-packages-${{ runner.os }}-${{ github.job }}
- gradle-packages-${{ runner.os }}
-
 - name: publish java artifacts
 uses: hypertrace/github-actions/gradle@main
 with:
diff --git a/.snyk b/.snyk
deleted file mode 100644
index ce0dc35..0000000
--- a/.snyk
+++ /dev/null
@@ -1,3 +0,0 @@
-# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.14.1
-patch: {}
diff --git a/build.gradle.kts b/build.gradle.kts
index 43f48db..404cec1 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -7,6 +7,7 @@ plugins {
 id("org.hypertrace.publish-plugin") version "1.0.2" apply false
 id("org.hypertrace.jacoco-report-plugin") version "0.2.0" apply false
 id("org.hypertrace.code-style-plugin") version "1.1.2" apply false
+ id("org.owasp.dependencycheck") version "8.2.1"
 }
 subprojects {
@@ -26,3 +27,10 @@ subprojects {
 apply(plugin = "org.hypertrace.code-style-plugin")
 }
+
+ dependencyCheck {
+ format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL.toString()
+ suppressionFile = "owasp-suppressions.xml"
+ scanConfigurations.add("runtimeClasspath")
+ failBuildOnCVSS = 3.0F
+}
\ No newline at end of file
diff --git a/grpc-client-rx-utils/build.gradle.kts b/grpc-client-rx-utils/build.gradle.kts
index c9b3771..32af354 100644
--- a/grpc-client-rx-utils/build.gradle.kts
+++ b/grpc-client-rx-utils/build.gradle.kts
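Review bot: This is the release job, and after the hunk both actions it runs are on mutable refs: `actions/checkout@v3` (previously the exact tag `v2.3.4`) and `hypertrace/github-actions/gradle@main`, the latter being the step that receives whatever publishing inputs the cut-off `with:` block passes. For the one workflow that signs and uploads artifacts, pin both by commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<sha> # v3`, so a compromised or force-pushed tag cannot change what runs with those credentials. The `publish-artifacts` job's `with:` block continues past the end of the hunk.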
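Review bot: `dependencyCheck { ... }` is configured on the root project only (the plugin is applied without `apply false` in `plugins {}`, and the `subprojects {}` block does not apply it), while `scanConfigurations.add("runtimeClasspath")` names a configuration that only the subprojects declare; if the CI action runs plain `dependencyCheckAnalyze` rather than `dependencyCheckAggregate`, it will scan the root's empty classpath and `failBuildOnCVSS = 3.0F` can never trip. Please confirm which task `hypertrace/github-actions/dependency-check@main` invokes, or apply the plugin inside `subprojects {}` so each module is analysed. A short comment above the block stating the intent, `// root-only config; CI must run dependencyCheckAggregate to cover subprojects`, would make the coupling explicit, and the file should regain its trailing newline.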
@@ -6,7 +6,7 @@ plugins {
 }
 dependencies {
- api(platform("io.grpc:grpc-bom:1.50.0"))
+ api(platform("io.grpc:grpc-bom:1.56.0"))
 api("io.reactivex.rxjava3:rxjava:3.1.4")
 api("io.grpc:grpc-stub")
 api(project(":grpc-context-utils"))
diff --git a/grpc-client-utils/build.gradle.kts b/grpc-client-utils/build.gradle.kts
index e16769f..0497653 100644
--- a/grpc-client-utils/build.gradle.kts
+++ b/grpc-client-utils/build.gradle.kts
@@ -7,7 +7,7 @@ plugins {
 dependencies {
- api(platform("io.grpc:grpc-bom:1.50.0"))
+ api(platform("io.grpc:grpc-bom:1.56.0"))
 api("io.grpc:grpc-context")
 api("io.grpc:grpc-api")
 api(platform("io.netty:netty-bom:4.1.86.Final")) {
diff --git a/grpc-context-utils/build.gradle.kts b/grpc-context-utils/build.gradle.kts
index c3e1dcb..db75b9f 100644
--- a/grpc-context-utils/build.gradle.kts
+++ b/grpc-context-utils/build.gradle.kts
@@ -10,21 +10,18 @@ tasks.test {
 }
 dependencies {
- api(platform("io.grpc:grpc-bom:1.50.0"))
+ api(platform("io.grpc:grpc-bom:1.56.0"))
 implementation("io.grpc:grpc-core")
 implementation("com.auth0:java-jwt:4.4.0")
 implementation("com.auth0:jwks-rsa:0.22.0")
- implementation("com.google.guava:guava:31.1-jre")
+ implementation("com.google.guava:guava:32.0.1-jre")
 implementation("org.slf4j:slf4j-api:1.7.36")
 annotationProcessor("org.projectlombok:lombok:1.18.24")
 compileOnly("org.projectlombok:lombok:1.18.24")
 constraints {
- implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2") {
- because("https://nvd.nist.gov/vuln/detail/CVE-2022-42003")
- }
 implementation("com.google.protobuf:protobuf-java:3.21.7") {
 // Not used directly, but typically used together for since we always use proto and grpc together
 because("CVE-2022-3171")
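Review bot: The `constraints {}` block drops the `jackson-databind:2.13.4.2` pin that was there `because("https://nvd.nist.gov/vuln/detail/CVE-2022-42003")`, and nothing in the hunk replaces it; jackson-databind is not a direct dependency of this module, so its runtime version now becomes whatever a transitive (presumably `jwks-rsa:0.22.0`) resolves, which may well be at or above the fixed version but is not demonstrated by this diff. The test-only bump to `jackson-annotations:2.15.2` in the next hunk does not constrain `runtimeClasspath`. Either keep a floor with the same justification, `implementation("com.fasterxml.jackson.core:jackson-databind:2.15.2") { because("CVE-2022-42003") }`, or state in the commit message which resolved version the new dependency-check run verified. The `dependencies {` block continues past the end of the hunk.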
@@ -33,7 +30,7 @@ dependencies {
 testImplementation("org.junit.jupiter:junit-jupiter:5.8.2")
 testImplementation("org.mockito:mockito-core:4.4.0")
- testImplementation("com.fasterxml.jackson.core:jackson-annotations:2.13.4")
+ testImplementation("com.fasterxml.jackson.core:jackson-annotations:2.15.2")
 testAnnotationProcessor("org.projectlombok:lombok:1.18.24")
 testCompileOnly("org.projectlombok:lombok:1.18.24")
 }
diff --git a/grpc-server-rx-utils/build.gradle.kts b/grpc-server-rx-utils/build.gradle.kts
index c1bbe13..5003cc3 100644
--- a/grpc-server-rx-utils/build.gradle.kts
+++ b/grpc-server-rx-utils/build.gradle.kts
@@ -6,7 +6,7 @@ plugins {
 }
 dependencies {
- api(platform("io.grpc:grpc-bom:1.50.0"))
+ api(platform("io.grpc:grpc-bom:1.56.0"))
 api("io.reactivex.rxjava3:rxjava:3.1.4")
 api("io.grpc:grpc-stub")
@@ -14,6 +14,9 @@ dependencies {
 compileOnly("org.projectlombok:lombok:1.18.24")
 implementation("org.slf4j:slf4j-api:1.7.36")
+ constraints {
+ implementation("com.google.guava:guava:32.0.1-jre")
+ }
 testImplementation("org.junit.jupiter:junit-jupiter:5.8.2")
 testImplementation("org.mockito:mockito-core:4.4.0")
diff --git a/grpc-server-utils/build.gradle.kts b/grpc-server-utils/build.gradle.kts
index 5fa6432..2422f3a 100644
--- a/grpc-server-utils/build.gradle.kts
+++ b/grpc-server-utils/build.gradle.kts
@@ -10,7 +10,7 @@ tasks.test {
 }
 dependencies {
- api(platform("io.grpc:grpc-bom:1.50.0"))
+ api(platform("io.grpc:grpc-bom:1.56.0"))
 api("io.grpc:grpc-context")
 api("io.grpc:grpc-api")
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
new file mode 100644
index 0000000..1491b06
--- /dev/null
+++ b/owasp-suppressions.xml
@@ -0,0 +1,3 @@
+
+
+
\ No newline at end of file
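Review bot: The new `constraints { implementation("com.google.guava:guava:32.0.1-jre") }` in grpc-server-rx-utils carries no `because(...)`, unlike the protobuf constraint this repository already keeps in grpc-context-utils, so a later maintainer cannot tell whether it is a vulnerability floor or a convenience alignment, nor when it may be dropped; add the reason inline, `implementation("com.google.guava:guava:32.0.1-jre") { because("<advisory that motivated the bump>") }`. The same `32.0.1-jre` is hard-coded as a direct dependency in grpc-context-utils in this commit; if both are meant to track one floor, declaring the version once (e.g. in the root build) keeps them from drifting apart. The `dependencies {` block continues past the end of the hunk.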
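Review bot: The three added lines of `owasp-suppressions.xml` show no content in this diff, which may be the rendering stripping XML tags; if the file really is blank, dependency-check will fail to parse the `suppressionFile` configured in build.gradle.kts rather than treat it as an empty list, so please confirm it holds a `<suppressions>` root element with the plugin's schema namespace. Since `failBuildOnCVSS = 3.0F` fails the build on low-severity findings, this file will attract entries quickly; an XML comment at the top requiring a justification on every `<suppress>` (and an expiry where the tool supports one) keeps it from becoming a blanket allow-list. The file also lacks a trailing newline.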