Skip to content

CI - OWASP Dependency Check #418

CI - OWASP Dependency Check

CI - OWASP Dependency Check #418

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
name: CI - OWASP Dependency Check
on:
schedule:
- cron: '15 0 * * *'
workflow_dispatch:
env:
MAVEN_OPTS: -Xss1500k -Xmx1024m -Daether.connector.http.reuseConnections=false -Daether.connector.requestTimeout=60000 -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.http.retryHandler.requestSentEnabled=true -Dmaven.wagon.http.serviceUnavailableRetryStrategy.class=standard -Dmaven.wagon.rto=60000
jobs:
run-owasp-dependency-check:
if: ${{ github.repository == 'apache/pulsar' || github.event_name == 'workflow_dispatch' }}
name: Check ${{ matrix.branch }}
env:
JOB_NAME: Check ${{ matrix.branch }}
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
runs-on: ubuntu-22.04
timeout-minutes: 45
strategy:
fail-fast: false
matrix:
include:
- branch: master
- branch: branch-3.0
- branch: branch-2.11
- branch: branch-2.10
jdk: 11
- branch: branch-2.9
jdk: 11
- branch: branch-2.8
jdk: 11
steps:
- name: checkout
uses: actions/checkout@v3
with:
ref: ${{ matrix.branch }}
- name: Tune Runner VM
uses: ./.github/actions/tune-runner-vm
- name: Cache local Maven repository
uses: actions/cache@v3
timeout-minutes: 5
with:
path: |
~/.m2/repository/*/*/*
!~/.m2/repository/org/apache/pulsar
key: ${{ runner.os }}-m2-dependencies-owasp-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-m2-dependencies-all-${{ hashFiles('**/pom.xml') }}
${{ runner.os }}-m2-dependencies-core-modules-${{ hashFiles('**/pom.xml') }}
${{ runner.os }}-m2-dependencies-core-modules-
- name: Set up JDK ${{ matrix.jdk || '17' }}
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: ${{ matrix.jdk || '17' }}
- name: run install by skip tests
run: mvn -B -ntp clean install -DskipTests -Dspotbugs.skip=true -Dlicense.skip=true -Dcheckstyle.skip=true -Drat.skip=true -DskipDocker=true
- name: run OWASP Dependency Check for distribution/server (-DfailBuildOnAnyVulnerability=true)
run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -pl distribution/server -DfailBuildOnAnyVulnerability=true
- name: run OWASP Dependency Check for distribution/offloaders, distribution/io and pulsar-sql/presto-distribution
run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -pl distribution/offloaders,distribution/io,pulsar-sql/presto-distribution
- name: Upload OWASP Dependency Check reports
uses: actions/upload-artifact@v3
if: always()
with:
name: owasp-dependency-check-reports-${{ matrix.branch }}
path: |
distribution/server/target/dependency-check-report.html
distribution/offloaders/target/dependency-check-report.html
distribution/io/target/dependency-check-report.html
pulsar-sql/presto-distribution/target/dependency-check-report.html