src/@orb.yml

version: 2.1

description: |
  An orb for running OWASP vulnerability checks through command-line or tasks configured in Gradle and Maven builds.
  Reports are persisted as artifacts under the directory 'Report/OWASP'.
  Source: https://github.com/entur/owasp-orb

examples:
  gradle:
    description: |
      If you have a standard Gradle project, you can use this orb to run through
      a common Gradle worklow.
    usage:
      version: 2.1

      orbs:
        owasp: entur/owasp@0.0.x

      workflows:
        owasp:
          jobs:
            - owasp/gradle_owasp_dependency_check:
                executor: java_11
                context: global

  maven:
    description: |
      If you have a standard Maven project, you can use this orb to run through
      a common Maven worklow.
    usage:
      version: 2.1

      orbs:
        owasp: entur/owasp@0.0.x

      workflows:
        owasp:
          jobs:
            - owasp/maven_owasp_dependency_check:
                executor: java_11
                context: global

  commandline:
    description: |
      If you need to scan using the command line tool, you can use this orb to invoke it with custom arguments.
    usage:
      version: 2.1

      orbs:
        owasp: entur/owasp@0.0.x

      workflows:
        owasp:
          jobs:
            - owasp/commandline_owasp_dependency_check:
                executor: java_11
                arguments: "--scan ./ --failOnCVSS 7 --suppression ./dependency-check-suppressions.xml"
                context: global

orbs:
  gradle: circleci/gradle@3.0.0
  maven: circleci/maven@1.2.0

executors:
  default:
    description: |
       This default Docker image is highly cached on CircleCI and contains most necessary tools needed for Gradle related projects.
    docker:
      - image: cimg/openjdk:<<parameters.tag>>
        # NB! Add $DOCKERHUB_LOGIN and $DOCKERHUB_PASSWORD credentials in your context to log in to Docker hub
        auth:
          username: $DOCKERHUB_LOGIN
          password: $DOCKERHUB_PASSWORD
        environment:
          TERM: dumb
    parameters:
      tag:
        default: "11.0.13"
        description: |
          Pick a specific cimg/openjdk image tag: https://hub.docker.com/r/cimg/openjdk/tags
        type: string

aliases:
  - &gradle_owasp_dependency_check
    description: |
      Run OWASP dependency check for a Gradle project
    parameters:
      executor:
        description: The name of custom executor to use.
        type: executor
        default: default
      cve_data_directory:
        description: The plugin database directory.
        type: string
        default: "~/.gradle/dependency-check-data"
      task:
        description: Task name.
        type: string
        default: "dependencyCheckAnalyze"
      cache_key:
        description: Specify a custom cache key.
        type: string
        default: "v1"
      no_output_timeout:
        description: Specify period of time has passed with no output.
        type: string
        default: "15m"
      persist_to_workspace:
        description: Persist reports to workspace for further processing.
        type: boolean
        default: false
      wrapped_pre_steps:
        description: |
          Pre-processing steps to run in order to prepare the dependency check.
          Not to be confused with the regular 'pre-steps' parameter, this runs after the Gradle cache has been restored and the OWASP database is updated.
        type: steps
        default: []
    executor: <<parameters.executor>>
    steps:
      - checkout
      - wrapped_gradle_steps:
          cve_data_directory: <<parameters.cve_data_directory>>
          cache_key: <<parameters.cache_key>>
          persist_to_workspace: <<parameters.persist_to_workspace>>
          wrapped_pre_steps: <<parameters.wrapped_pre_steps>>
          wrapped_steps:
            - run:
                name: Run OWASP Dependency-Check Analyzer
                no_output_timeout: << parameters.no_output_timeout >>
                command: ./gradlew <<parameters.task>> --info

commands:
  restore_owasp_cache:
    parameters:
      cache_key:
        type: string
        default: "v1"
    steps:
      - restore_cache:
          name: Restore OWASP Dependency-Check Database from CircleCI cache
          keys:
            - cve-cache-<< parameters.cache_key >>-{{ checksum "/tmp/key" }}-{{ checksum "/tmp/year" }}-{{ checksum "/tmp/twelveWeeks" }}-{{ checksum "/tmp/fourWeeks" }}-{{ checksum "/tmp/week" }}-{{ checksum "/tmp/day" }}-{{ checksum "/tmp/twelveHoursOfDay" }}-{{ checksum "/tmp/fourHoursOfDay" }}
            - cve-cache-<< parameters.cache_key >>-{{ checksum "/tmp/key" }}-{{ checksum "/tmp/year" }}-{{ checksum "/tmp/twelveWeeks" }}-{{ checksum "/tmp/fourWeeks" }}-{{ checksum "/tmp/week" }}-{{ checksum "/tmp/day" }}-{{ checksum "/tmp/twelveHoursOfDay" }}
            - cve-cache-<< parameters.cache_key >>-{{ checksum "/tmp/key" }}-{{ checksum "/tmp/year" }}-{{ checksum "/tmp/twelveWeeks" }}-{{ checksum "/tmp/fourWeeks" }}-{{ checksum "/tmp/week" }}-{{ checksum "/tmp/day" }}
            - cve-cache-<< parameters.cache_key >>-{{ checksum "/tmp/key" }}-{{ checksum "/tmp/year" }}-{{ checksum "/tmp/twelveWeeks" }}-{{ checksum "/tmp/fourWeeks" }}-{{ checksum "/tmp/week" }}
            - cve-cache-<< parameters.cache_key >>-{{ checksum "/tmp/key" }}-{{ checksum "/tmp/year" }}-{{ checksum "/tmp/twelveWeeks" }}-{{ checksum "/tmp/fourWeeks" }}
            - cve-cache-<< parameters.cache_key >>-{{ checksum "/tmp/key" }}-{{ checksum "/tmp/year" }}-{{ checksum "/tmp/twelveWeeks" }}
            - cve-cache-<< parameters.cache_key >>-{{ checksum "/tmp/key" }}-{{ checksum "/tmp/year" }}
            - cve-cache-<< parameters.cache_key >>-{{ checksum "/tmp/key" }}
  store_owasp_cache:
    parameters:
      cve_data_directory:
        type: string
      cache_key:
        type: string
        default: "v1"
    steps:
      - save_cache:
          name: Save OWASP Dependency-Check Database to CircleCI cache
          key: cve-cache-<< parameters.cache_key >>-{{ checksum "/tmp/key" }}-{{ checksum "/tmp/year" }}-{{ checksum "/tmp/twelveWeeks" }}-{{ checksum "/tmp/fourWeeks" }}-{{ checksum "/tmp/week" }}-{{ checksum "/tmp/day" }}-{{ checksum "/tmp/twelveHoursOfDay" }}-{{ checksum "/tmp/fourHoursOfDay" }}
          paths:
            - <<parameters.cve_data_directory>>

  generate_cache_keys:
    parameters:
      cache_key:
        description: Unique cache key.
        type: string
        default: "v1"
    steps:
      - run:
          name: Generate OWASP Dependency-Check Database CircleCI cache keys
          command: |
            echo <<parameters.cache_key>> >> /tmp/key
            echo $(date +"%Y") >> /tmp/year
            echo $(( $(date +"%_j") / 84)) >> /tmp/twelveWeeks
            echo $(( $(date +"%_j") / 28)) >> /tmp/fourWeeks
            echo $(( $(date +"%_j") / 7)) >> /tmp/week
            echo $(( $(date +"%_j"))) >> /tmp/day
            echo $(( $(date +"%_H") / 12)) >> /tmp/twelveHoursOfDay
            echo $(( $(date +"%_H") / 4)) >> /tmp/fourHoursOfDay

  collect_reports:
    description: Store reports to build artifacts and persist to workspace.
    parameters:
      persist_to_workspace:
        description: Persist reports to workspace.
        type: boolean
      store_empty_reports_as_artifacts:
        description: Keep empty reports. The CSV report type must be generated in order to make this function work as expected.
        type: boolean
        default: false
      store_reports_formats_as_artifacts:
        description: Comma-separated list of report formats (extensions) to save as artifacts, or "all" for all formats. These will normally be for human consumption.
        type: string
        default: html
    steps:
      - run:
          name: Extract OWASP Dependency-Check reports
          # Run even if a previous step returned non-zero exit code.
          # The command-line tool returns non-zero exit codes if it finds
          # vulernabilities above a certian CVSS score is detected.
          when: always
          command: |
            mkdir -p Reports/OWASP
            # copy all reports files to the target directory
            find . -path ./Reports -prune -o  -name "dependency-check*.*" -exec cp --parents \{\} Reports/OWASP/ \;
            # copy report files to parent directories for less folders (when using standard report locations)
            # gradle - two steps up
            find ./Reports -type f -path "*build/reports/dependency-check*.*" -print0 |
            while IFS= read -r -d '' file; do
                parent=$(dirname "$file")
                grandParent=$(dirname "$parent")
                grandGrandParent=$(dirname "$grandParent")
                mv "$file" "$grandGrandParent"
            done
            # maven - one step up
            find ./Reports -type f -path "*target/dependency-check*.*" -print0 |
            while IFS= read -r -d '' file; do
                parent=$(dirname "$file")
                grandParent=$(dirname "$parent")
                mv "$file" "$grandParent"
            done
      - when:
          condition: <<parameters.persist_to_workspace>>
          steps:
            - persist_to_workspace:
                name: Persist OWASP Dependency-Check reports to workspace (in 'Reports/OWASP' directory)
                root: .
                paths:
                  - Reports/OWASP
      - run:
          name: Prepare OWASP Dependency-Check reports artifacts
          when: always
          command: |
            # remove empty reports
            if [ "true" == "<< parameters.store_empty_reports_as_artifacts >>" ]; then
                echo "Keeping empty reports"
            else
                echo "Filtering out empty reports. Please note that this function requires that csv reports were generated by the dependency-check plugin."
                # search for CSV reports and check number of lines
                find ./Reports/OWASP/ -path . -prune -o  -name "dependency-check*.csv" -print0 |
                while IFS= read -r -d '' file; do
                    count=$(wc -l < "$file")
                    if [[ "$count" -eq 1 ]]; then
                        # CSV file only contains header, delete the corresponding parent directory
                        parent=$(dirname "$file")
                        rm -f "${parent}"/dependency-check-*.*
                        echo "$parent reports were empty."
                    else
                       echo "Found $count report lines in $file"
                    fi
                done
            fi
            # filter on report types
            formatsWithoutWhitespace="$(echo -e "<< parameters.store_reports_formats_as_artifacts >>" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')"
            IFS=',' read -r -a formats \<<< "$formatsWithoutWhitespace"
            if [[ " ${formats[*]} " =~ " all " ]]; then
                ## keep all
                exit 0
            fi
            find ./Reports/OWASP/ -path . -prune -o  -name "dependency-check*.*" -print0 |
            while IFS= read -r -d '' file; do
                filename=$(basename -- "$file")
                extension="${filename##*.}"
                extensionLowercase=$(echo "$extension" | tr '[:upper:]' '[:lower:]')
                if [[ ! " ${formats[*]} " =~ " ${extensionLowercase} " ]]; then
                   rm "$file"
                fi
            done
      - store_artifacts:
          name: Store OWASP Dependency-Check reports as artifacts
          path: Reports/OWASP
          destination: .

  wrapped_maven_steps:
    description: |
      Run a set of steps with the OWASP database updated and cached using Maven
    parameters:
      cve_data_directory:
        description: The plugin database directory.
        type: string
        default: "~/.m2/repository/org/owasp/dependency-check-data"
      settings_file:
        description: Specify a custom settings file to use (optional).
        type: string
        default: ""
      cache_key:
        description: Specify a custom cache key.
        type: string
        default: "v1"
      persist_to_workspace:
        description: Persist reports to workspace for further processing.
        type: boolean
        default: false
      wrapped_pre_steps:
        description: Pre-processing steps to run in order to prepare the dependency check. Intended for multi-module builds (which require build before dependency check)
        type: steps
        default: []
      wrapped_steps:
        type: steps
        description: Steps to run in order to perform the dependency check
    steps:
      - checkout
      - maven/with_cache:
          settings_file: << parameters.settings_file >>
          verify_dependencies: false
          steps:
            - generate_cache_keys:  # for both restore and store
                cache_key: maven-<< parameters.cache_key >>-cache-key  # flow-specific key
            - restore_owasp_cache:
                cache_key: << parameters.cache_key >>
            - run:
                name: Update OWASP Dependency-Check Database
                command: mvn org.owasp:dependency-check-maven:update-only
            - store_owasp_cache:
                cve_data_directory: <<parameters.cve_data_directory>>
                cache_key: << parameters.cache_key >>
            - steps: << parameters.wrapped_pre_steps >>
            - steps: << parameters.wrapped_steps >>
            - run:
                # note: Also run purge so so that vulernability data is not cached twice.
                # Run in seperate step so not run for each submodule.
                name: OWASP Dependency-Check cache cleanup
                command: mvn org.owasp:dependency-check-maven:purge
            - collect_reports:
                persist_to_workspace: <<parameters.persist_to_workspace>>

  wrapped_gradle_steps:
    description: |
      Run a set of steps with the OWASP database updated and cached using Gradle
    parameters:
      cve_data_directory:
        description: The plugin database directory.
        type: string
        default: "~/.gradle/dependency-check-data"
      cache_key:
        description: Specify a custom cache key.
        type: string
        default: "v1"
      persist_to_workspace:
        description: Persist reports to workspace for further processing.
        type: boolean
        default: false
      wrapped_pre_steps:
        description: Pre-processing steps to run in order to prepare the dependency check
        type: steps
        default: []
      wrapped_steps:
        description: Steps to run in order to perform the dependency check
        type: steps
    steps:
      - checkout
      - gradle/with_cache:
          cache_key: << parameters.cache_key >>
          steps:
            - generate_cache_keys:  # for both restore and store
                cache_key: gradle-<< parameters.cache_key >>-cache-key  # flow-specific key
            - restore_owasp_cache:
                cache_key: << parameters.cache_key >>
            - run:
                name: Update OWASP Dependency-Check Database
                command: ./gradlew :dependencyCheckUpdate --info
            - store_owasp_cache:
                cve_data_directory: <<parameters.cve_data_directory>>
                cache_key: << parameters.cache_key >>
            - steps: << parameters.wrapped_pre_steps >>
            - steps: << parameters.wrapped_steps >>
            - run:
                # note: Also run purge so so that vulernability data is not cached twice.
                # Run in seperate step so not run for each submodule.
                name: OWASP Dependency-Check cache cleanup
                command: ./gradlew :dependencyCheckPurge --info
            - collect_reports:
                persist_to_workspace: <<parameters.persist_to_workspace>>

  with_commandline:
    description: |
      Run a set of steps with the OWASP Dependency-Check command-line tool. Run from ~/.owasp/dependency-check/bin/dependency-check.sh.
    parameters:
      steps:
        type: steps
      version:
        description: Dependency-check version (if not specified, the latest version will be detected automatically).
        type: string
        default: ""
      cache_key:
        description: Specify a custom cache key.
        type: string
        default: "v1"
    steps:
      - unless:
          condition: <<parameters.version>>
          steps:
            - run:
                name: Check for latest Dependency-Check command-line tool version
                command: |
                  curl --silent "$version_url" > /tmp/owasp_commandline_version
      - when:
          condition: <<parameters.version>>
          steps:
            - run:
                name: Use fixed Dependency-Check command-line tool version
                command: |
                  echo << parameters.version >> > /tmp/owasp_commandline_version
      - run:
          name: Create Dependency-Check command-line tool cache key
          command: |
            echo "$version_url" > /tmp/owasp_commandline_version_url
            echo "$executable_url" > /tmp/owasp_commandline_executable_url
      - restore_cache:
          name: Restore Dependency-Check command-line tool from cache
          key: commandline-<< parameters.cache_key >>-{{ checksum "/tmp/owasp_commandline_version" }}-{{ checksum "/tmp/owasp_commandline_version_url" }}-{{ checksum "/tmp/owasp_commandline_executable_url" }}
      - run:
          name: Download Dependency-Check command-line tool if not already cached
          command: |
            version=$(cat /tmp/owasp_commandline_version)
            executable_url_with_version=${executable_url//VERSION/$version}
            if [ -d ~/.owasp/dependency-check ]
            then
                echo "Dependency-Check command-line tool version $version from $executable_url_with_version already cached."
            else
                echo "Downloading Dependency-Check executable version $version from $executable_url_with_version .."
                wget -q -O owasp.zip "$executable_url_with_version"
                unzip -o -q owasp.zip -d ~/.owasp
            fi
      - save_cache:
          name: Save Dependency-Check command-line tool to cache
          paths:
            - ~/.owasp
          key: commandline-<< parameters.cache_key >>-{{ checksum "/tmp/owasp_commandline_version" }}-{{ checksum "/tmp/owasp_commandline_version_url" }}-{{ checksum "/tmp/owasp_commandline_executable_url" }}
      - steps: << parameters.steps >>

jobs:
  owasp_dependency_check: *gradle_owasp_dependency_check  # default to gradle
  gradle_owasp_dependency_check: *gradle_owasp_dependency_check
  maven_owasp_dependency_check:
    description: |
      Run OWASP dependency check for a Maven project
    parameters:
      executor:
        description: The name of custom executor to use.
        type: executor
        default: default
      cve_data_directory:
        description: The plugin database directory.
        type: string
        default: "~/.m2/repository/org/owasp/dependency-check-data"
      no_output_timeout:
        description: Specify period of time has passed with no output.
        type: string
        default: "15m"
      task:
        description: Task name.
        type: string
        default: "check"
      settings_file:
        description: Specify a custom settings file to use (optional).
        type: string
        default: ""
      cache_key:
        description: Specify a custom cache key.
        type: string
        default: "v1"
      persist_to_workspace:
        description: Persist reports to workspace for further processing.
        type: boolean
        default: false
      wrapped_pre_steps:
        description: |
          Pre-processing steps to run in order to prepare the dependency check.
          Not to be confused with the regular 'pre-steps' parameter, this runs after the Maven cache has been restored and the OWASP database is updated.
          Multi-module projects might consider running the command "mvn clean install -Dmaven.test.skip=true" so that the dependency-check plugin can resolve all artifacts.
        type: steps
        default: []
    executor: <<parameters.executor>>
    steps:
      - checkout
      - wrapped_maven_steps:
          cve_data_directory: <<parameters.cve_data_directory>>
          settings_file: <<parameters.settings_file>>
          cache_key: <<parameters.cache_key>>
          persist_to_workspace: <<parameters.persist_to_workspace>>
          wrapped_pre_steps: <<parameters.wrapped_pre_steps>>
          wrapped_steps:
            - run:
                name: Run OWASP Dependency-Check Analyzer
                no_output_timeout: << parameters.no_output_timeout >>
                command: mvn org.owasp:dependency-check-maven:<<parameters.task>>

  commandline_owasp_dependency_check:
    parameters:
      executor:
        description: The name of custom executor to use.
        type: executor
        default: default
      cve_data_directory:
        description: The data directory for vulernabilities.
        type: string
        default: "~/.owasp/dependency-check-data"
      no_output_timeout:
        description: Specify period of time has passed with no output.
        type: string
        default: "15m"
      arguments:
        description: Command line arguments. Note that '--format', '--data' and '--noupdate' arguments are already appended by this orb (updating the database is performed in a previous step).
        type: string
        default: "--scan ./"
      cache_key:
        description: Specify a custom cache key (optional).
        type: string
        default: "default"
      persist_to_workspace:
        description: Persist reports to workspace for further processing.
        type: boolean
        default: false
      version:
        description: Dependency-check version (if not specified, the latest version will be detected automatically).
        type: string
        default: ""
    executor: << parameters.executor >>
    environment:
      version_url: "https://jeremylong.github.io/DependencyCheck/current.txt"
      executable_url: "https://github.com/jeremylong/DependencyCheck/releases/download/vVERSION/dependency-check-VERSION-release.zip"
    steps:
      - checkout
      - with_commandline:
          version: << parameters.version >>
          cache_key: << parameters.cache_key >>
          steps:
            - generate_cache_keys:  # time-based keys for both restore and store
                cache_key: commmandline-<< parameters.cache_key >>-cache-key  # flow-specific key
            - restore_owasp_cache:
                cache_key: << parameters.cache_key >>
            - run:
                name: Update OWASP Dependency-Check Database
                command: ~/.owasp/dependency-check/bin/dependency-check.sh --data << parameters.cve_data_directory >> --updateonly
            - store_owasp_cache:
                cve_data_directory: <<parameters.cve_data_directory>>
                cache_key: << parameters.cache_key >>
            - run:
                name: Run OWASP Dependency-Check Analyzer
                no_output_timeout: << parameters.no_output_timeout >>
                command: ~/.owasp/dependency-check/bin/dependency-check.sh --data << parameters.cve_data_directory >> --format ALL --noupdate << parameters.arguments >>
            - collect_reports:
                persist_to_workspace: << parameters.persist_to_workspace >>