Posted to commits@dolphinscheduler.apache.org by zh...@apache.org on 2022/06/13 06:27:04 UTC
[dolphinscheduler] branch dev updated: [CI] Add OWASP Dependency Check (#10058)
This is an automated email from the ASF dual-hosted git repository.
zhongjiajie pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git
The following commit(s) were added to refs/heads/dev by this push:
new 190f253083 [CI] Add OWASP Dependency Check (#10058)
190f253083 is described below
commit 190f253083e2b1d50f235b07c53fbbe6b66c1aa2
Author: Kirs <ki...@apache.org>
AuthorDate: Mon Jun 13 14:26:59 2022 +0800
[CI] Add OWASP Dependency Check (#10058)
---
.github/workflows/owasp-dependency-check.yaml | 48 +++++++++++++++++++++++++++
pom.xml | 25 ++++++++++++++
2 files changed, 73 insertions(+)
diff --git a/.github/workflows/owasp-dependency-check.yaml b/.github/workflows/owasp-dependency-check.yaml
new file mode 100644
index 0000000000..729036da91
--- /dev/null
+++ b/.github/workflows/owasp-dependency-check.yaml
@@ -0,0 +1,48 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: OWASP Dependency Check
+
+on:
+ push:
+ pull_request:
+ paths:
+ - '**/pom.xml'
+env:
+ MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=25 -Dmaven.wagon.http.retryHandler.count=3
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: true
+ - name: Set up JDK 8
+ uses: actions/setup-java@v2
+ with:
+ java-version: 8
+ distribution: 'adopt'
+ - name: Run OWASP Dependency Check
+ run: ./mvnw -B clean install verify dependency-check:check -DskipDepCheck=false -Dmaven.test.skip=true -Dcheckstyle.skip=true
+ - name: Upload report
+ uses: actions/upload-artifact@v3
+ if: ${{ cancelled() || failure() }}
+ continue-on-error: true
+ with:
+ name: dependency report
+ path: target/dependency-check-report.html
\ No newline at end of file
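Review bot: The upload step's condition `if: ${{ cancelled() || failure() }}` means a run whose findings all fall below the `failBuildOnCVSS` threshold leaves no artifact, so nobody can see the lower-severity findings the scan did report; `if: ${{ always() }}` keeps the report on every run. The `push:` trigger has no filter while the `paths` filter appears to belong only to `pull_request` (the indentation is flattened in this view, so worth confirming), so every push performs a full NVD database download with no cache step; caching the plugin's data directory between runs (documented as `dataDirectory`, by default under the local Maven repository) would shorten the job and reduce spurious failures when the NVD feed is slow. Because this job gates the build on vulnerability data, the three third-party actions are better pinned to full commit SHAs than to floating major tags such as `actions/checkout@v2`. The file also ends without a trailing newline.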
diff --git a/pom.xml b/pom.xml
index 5d493de04c..2efa54d5df 100644
--- a/pom.xml
+++ b/pom.xml
@@ -131,6 +131,7 @@
<hibernate.validator.version>6.2.2.Final</hibernate.validator.version>
<aws.sdk.version>1.12.160</aws.sdk.version>
<joda-time.version>2.10.13</joda-time.version>
+ <owasp-dependency-check-maven.version>7.0.4</owasp-dependency-check-maven.version>
<lombok.version>1.18.20</lombok.version>
<docker.hub>apache</docker.hub>
<docker.repo>${project.name}</docker.repo>
@@ -139,6 +140,7 @@
<docker.push.skip>true</docker.push.skip>
<python.sign.skip>true</python.sign.skip>
+ <skipDepCheck>true</skipDepCheck>
</properties>
<dependencyManagement>
@@ -984,10 +986,33 @@
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${owasp-dependency-check-maven.version}</version>
+ <configuration>
+ <skip>${skipDepCheck}</skip>
+ <skipProvidedScope>true</skipProvidedScope>
+ <skipRuntimeScope>true</skipRuntimeScope>
+ <skipSystemScope>true</skipSystemScope>
+ <failBuildOnCVSS>7</failBuildOnCVSS>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>aggregate</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</pluginManagement>
<plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>