DAT-16650 Automate OWASP scanner #6008
…cy-Check scanner to check for vulnerabilities in project dependencies
…ipt to use the correct path for executing the tool
…Check for Liquibase project
…rect path for the executable script to run OWASP Dependency-Check scanner.
…ng OWASP Dependency-Check for better visibility and debugging purposes
…the entire project directory instead of a specific subdirectory
…component for artifact scanning 🔧 (owasp-scanner.yml): Modify download step to use inputs for version and component to fetch the artifact zip file 🔧 (owasp-scanner.yml): Adjust OWASP Dependency-Check command to use the component name as the project identifier
…e NVD API key for scanning dependencies securely 🔧 (owasp-scanner.yml): add step to upload OWASP Dependency-Check results as an artifact for further analysis
…roved functionality and compatibility
…d adjust formatting 🔧 (.github/workflows): update owasp-scanner.yml to make 'component' parameter optional
.github/workflows/owasp-scanner.yml
Outdated
- name: Download OWASP Dependency-Check | ||
run: | | ||
wget https://github.com/jeremylong/DependencyCheck/releases/download/v9.2.0/dependency-check-9.2.0-release.zip |
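Review bot: the wget step fetches dependency-check-9.2.0-release.zip with no integrity check, yet the workflow later unpacks this archive and runs the executable script from it, so a tampered or substituted download would run with the job's secrets (including the NVD API key and Maven repository credentials). Verify the archive against a checksum or signature published for the v9.2.0 release before executing it, or pin the expected digest in the workflow and fail the job on mismatch. The Maven plugin alternative raised in this thread would also let Dependabot track the scanner version instead of a hard-coded URL.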
I see DependencyCheck has a Maven plugin. Is there a reason we're downloading the release zip instead of using that?
I think it's because @jandroav automated the manual process that we did before, and it was done using this external tool. But @abrackx has a really good point! Should we add a new profile and just run it?
I think it would be easier to track OWASP versions this way, as Dependabot would maintain it for us.
Yeah, good point. But where to execute it?
Also keep in mind that this workflow can work with every other future component, like extensions, without adding Maven plugins anywhere.
Makes sense to me.
…PR label or event type, set environment variables for PR branch and SHA, update workflow inputs with new environment variables
🔧 (pom.xml): Update hsqldb, sqlite versions
📝 (initstartH2.test.groovy): Add documentation for new 'detached' parameter in Liquibase command
📝 (Liquibase.java): Update Liquibase class with new annotations and refactor method documentation for better clarity and consistency. Add support for Lombok annotations @Getter and @Setter to improve code readability and maintainability. Update import statements for StringUtils and remove unnecessary imports. Improve method descriptions and deprecate outdated methods.
♻️ (update method): remove @deprecated annotation from update method to comply with modern coding standards and practices
📝 (Liquibase.java): Update method calls to use LoggingExecutorTextUtil for output headers to improve code readability and maintainability
♻️ (Liquibase.java): Refactor setOutput method calls to use WriterOutputStream builder for better configurability and consistency
♻️ (Liquibase.java): Remove deprecated methods and refactor code for better maintainability and readability.
♻️ (Liquibase.java): Refactor method signature to use generic type for ScopedRunner to improve type safety and readability
📝 (Liquibase.java): Remove deprecated generateChangeLog method and associated Javadoc comment to clean up the codebase and encourage usage of the new method with CommandScope
📝 (ChangeLogParameters.java): Add support for java property arguments and default-file properties to changelog parameters
📝 (StartH2CommandStep.java): Introduce DETACHED parameter to allow running H2 database in a new thread without blocking
📝 (StopH2CommandStep.java): Add command step to stop H2 database threads created by StartH2CommandStep
📝 (DatabaseChangelogCommandStep.java): Update method to add java property arguments to use the new method in ChangeLogParameters class
⬆️ (pom.xml): Upgrade hsqldb version from 2.7.2 to 2.7.3 and sqlite-jdbc version from 3.45.3.0 to 3.46.0.0 for testing purposes.
…ASP vulnerabilities 🔧 (owasp-scanner.yml): Update OWASP Scanner workflow to scan branches for OWASP vulnerabilities using Dependency-Check and upload results
…Hub Repository publishing 🔧 (owasp-scanner.yml): configure Maven settings for Liquibase repositories with authentication using secrets
…rameter names for output directory, NVD API key, and fail on error flag
…in 'actions/checkout' step configuration
…to target directory for consistency and clarity
…and skip tests to improve build process efficiency
…sts' command to improve workflow efficiency
…arameter for flexibility in specifying the repository to scan. Update the 'component' parameter to 'repository' for consistency and clarity.
…se/build-logic to align with new repository structure 🔧 (owasp-scanner.yml): remove owasp-scanner workflow as it is no longer needed and has been replaced by a different workflow for scanning dependencies
Impact
Description
Things to be aware of
Things to worry about
Additional Context