Add OWASP dependency check (#5177)

open-telemetry · Feb 7, 2023 · 07e5654 · 07e5654
1 parent 47ab46e
commit 07e5654
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 1 deletion.
diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml
@@ -0,0 +1,30 @@
+# the benefit of this over dependabot is that this also analyzes transitive dependencies
+# while dependabot (at least currently) only analyzes top-level dependencies
+name: OWASP dependency check (daily)
+
+on:
+  schedule:
+    - cron: '30 1 * * *'
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-java@v3
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - uses: gradle/gradle-build-action@v2
+        with:
+          arguments: "dependencyCheckAnalyze"
+
+      - name: Upload report
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          path: javaagent/build/reports
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
@@ -20,7 +20,7 @@ spotless {
       // also very hard to find out where this happens
       "ktlint_standard_wrapping" to "disabled"
     ))
-    target("**/*.gradle.kts",)
+    target("**/*.gradle.kts")
   }
 }
 
@@ -46,6 +46,7 @@ dependencies {
   implementation("net.ltgt.gradle:gradle-errorprone-plugin:3.0.1")
   implementation("net.ltgt.gradle:gradle-nullaway-plugin:1.5.0")
   implementation("ru.vyarus:gradle-animalsniffer-plugin:1.6.0")
+  implementation("org.owasp:dependency-check-gradle:8.0.2")
 }
 
 // We can't apply conventions to this build so include important ones such as the Java compilation

diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -11,6 +11,7 @@ plugins {
   id("otel.errorprone-conventions")
   id("otel.jacoco-conventions")
   id("otel.spotless-conventions")
+  id("org.owasp.dependencycheck")
 }
 
 val otelJava = extensions.create<OtelJavaExtension>("otelJava")
@@ -39,6 +40,12 @@ checkstyle {
   configProperties["rootDir"] = rootDir
 }
 
+dependencyCheck {
+  skipConfigurations = listOf("errorprone", "checkstyle", "annotationProcessor", "animalsniffer")
+  failBuildOnCVSS = 7.0f // fail on high or critical CVE
+  analyzers.assemblyEnabled = false // not sure why its trying to analyze .NET assemblies
+}
+
 val testJavaVersion = gradle.startParameter.projectProperties.get("testJavaVersion")?.let(JavaVersion::toVersion)
 
 tasks {

diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
@@ -17,6 +17,7 @@ val DEPENDENCY_BOMS = listOf(
   "com.google.protobuf:protobuf-bom:3.21.12",
   "com.linecorp.armeria:armeria-bom:1.21.0",
   "com.squareup.okhttp3:okhttp-bom:4.10.0",
+  "com.squareup.okio:okio-bom:3.3.0", // applies to transitive dependencies of okhttp
   "io.grpc:grpc-bom:1.52.1",
   "io.zipkin.brave:brave-bom:5.15.0",
   "io.zipkin.reporter2:zipkin-reporter-bom:2.16.3",