
DAT-16650 Automate OWASP scanner #6008

Merged
merged 22 commits into from
Jun 21, 2024

Conversation

jandroav
Contributor

Impact

  • Bug fix (non-breaking change which fixes expected existing functionality)
  • Enhancement/New feature (adds functionality without impacting existing logic)
  • Breaking change (fix or feature that would cause existing functionality to change)

Description

Things to be aware of

Things to worry about

Additional Context

…cy-Check scanner to check for vulnerabilities in project dependencies
…ipt to use the correct path for executing the tool
…rect path for the executable script to run OWASP Dependency-Check scanner.
…ng OWASP Dependency-Check for better visibility and debugging purposes
…the entire project directory instead of a specific subdirectory
…component for artifact scanning

🔧 (owasp-scanner.yml): Modify download step to use inputs for version and component to fetch the artifact zip file
🔧 (owasp-scanner.yml): Adjust OWASP Dependency-Check command to use the component name as the project identifier
…e NVD API key for scanning dependencies securely

🔧 (owasp-scanner.yml): add step to upload OWASP Dependency-Check results as an artifact for further analysis
…d adjust formatting

🔧 (.github/workflows): update owasp-scanner.yml to make 'component' parameter optional

- name: Download OWASP Dependency-Check
run: |
wget https://github.com/jeremylong/DependencyCheck/releases/download/v9.2.0/dependency-check-9.2.0-release.zip
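Review bot: the Download step fetches the release zip with wget and nothing in this step checks what was downloaded before it is unpacked and run. Since the version is already pinned to 9.2.0, pin the archive's SHA-256 as well (value is a placeholder to be taken from the release page) and verify it, e.g. `echo "<SHA256_PLACEHOLDER>  dependency-check-9.2.0-release.zip" | sha256sum -c -` before the unzip, so a tampered or truncated download fails the job instead of running as the scanner.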
Contributor

I see dependencycheck has a Maven plugin; is there a reason we're downloading the release zip instead of using that?

Collaborator

I think it's because @jandroav automated the manual process that we did before, and it was done using this external tool. But @abrackx has a really good point! Should we add a new profile and just run it?
I think it would be easier to track OWASP versions this way, as Dependabot would maintain it for us.

Contributor Author

Yeah, good point. But where to execute it?

Contributor Author

Also keep in mind that this workflow can work with every other future component, like extensions, without adding Maven plugins anywhere.

Collaborator

Makes sense for me.
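As an added illustration of the "new profile" alternative discussed in the comments above (this is not code from this PR or from the Liquibase project), the following is a Maven profile that runs the OWASP Dependency-Check Maven plugin in place of a downloaded release zip. It assumes the plugin's `check` goal and its `nvdApiKey`, `failBuildOnCVSS`, `formats` and `outputDirectory` parameters; the plugin version is a placeholder, the NVD API key is read from an environment variable (as the workflow in this PR does with a secret), and the CVSS threshold of 7 is an assumed policy value.

```xml
<!-- Added example, not part of this PR or the project: a Maven profile that runs
     OWASP Dependency-Check through its Maven plugin. The version is a placeholder
     so that Dependabot, rather than a hard-coded wget URL, keeps it current. -->
<profile>
  <id>owasp-scan</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>PLUGIN_VERSION_PLACEHOLDER</version>
        <configuration>
          <!-- NVD API key comes from the environment (a CI secret); it is never committed -->
          <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
          <!-- assumed policy: any finding with CVSS >= 7 fails the build, so it blocks a merge -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- HTML for humans, JSON for the upload-artifact step / later tooling -->
          <formats>
            <format>HTML</format>
            <format>JSON</format>
          </formats>
          <!-- keep the report under target/ like the workflow's output directory -->
          <outputDirectory>${project.build.directory}/dependency-check</outputDirectory>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>
```

With the profile in `pom.xml`, a CI job would run `NVD_API_KEY=... mvn -Powasp-scan -DskipTests verify` and then upload `target/dependency-check/` as the artifact. This answers the "where to execute it" question only for Maven-built components; a component without a `pom.xml` still needs the standalone scanner that the workflow in this PR downloads.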

…PR label or event type, set environment variables for PR branch and SHA, update workflow inputs with new environment variables

🔧 (pom.xml): Update hsqldb, sqlite versions
📝 (initstartH2.test.groovy): Add documentation for new 'detached' parameter in Liquibase command

📝 (Liquibase.java): Update Liquibase class with new annotations and refactor method documentation for better clarity and consistency. Add support for Lombok annotations @Getter and @Setter to improve code readability and maintainability. Update import statements for StringUtils and remove unnecessary imports. Improve method descriptions and deprecate outdated methods.

♻️ (update method): remove @deprecated annotation from update method to comply with modern coding standards and practices

📝 (Liquibase.java): Update method calls to use LoggingExecutorTextUtil for output headers to improve code readability and maintainability
♻️ (Liquibase.java): Refactor setOutput method calls to use WriterOutputStream builder for better configurability and consistency

♻️ (Liquibase.java): Remove deprecated methods and refactor code for better maintainability and readability.

♻️ (Liquibase.java): Refactor method signature to use generic type for ScopedRunner to improve type safety and readability
📝 (Liquibase.java): Remove deprecated generateChangeLog method and associated Javadoc comment to clean up the codebase and encourage usage of the new method with CommandScope

📝 (ChangeLogParameters.java): Add support for java property arguments and default-file properties to changelog parameters
📝 (StartH2CommandStep.java): Introduce DETACHED parameter to allow running H2 database in a new thread without blocking
📝 (StopH2CommandStep.java): Add command step to stop H2 database threads created by StartH2CommandStep
📝 (DatabaseChangelogCommandStep.java): Update method to add java property arguments to use the new method in ChangeLogParameters class

⬆️ (pom.xml): Upgrade hsqldb version from 2.7.2 to 2.7.3 and sqlite-jdbc version from 3.45.3.0 to 3.46.0.0 for testing purposes.


…ASP vulnerabilities

🔧 (owasp-scanner.yml): Update OWASP Scanner workflow to scan branches for OWASP vulnerabilities using Dependency-Check and upload results
…Hub Repository publishing

🔧 (owasp-scanner.yml): configure Maven settings for Liquibase repositories with authentication using secrets
…rameter names for output directory, NVD API key, and fail on error flag
…to target directory for consistency and clarity
…and skip tests to improve build process efficiency
…arameter for flexibility in specifying the repository to scan. Update the 'component' parameter to 'repository' for consistency and clarity.
…se/build-logic to align with new repository structure

🔧 (owasp-scanner.yml): remove owasp-scanner workflow as it is no longer needed and has been replaced by a different workflow for scanning dependencies
@jandroav jandroav merged commit 38f68ad into master Jun 21, 2024
5 of 7 checks passed
@jandroav jandroav deleted the DAT-16650 branch June 21, 2024 07:33