Skip to content

CI - OWASP Dependency Check #807

CI - OWASP Dependency Check

CI - OWASP Dependency Check #807

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
name: CI - OWASP Dependency Check
on:
schedule:
- cron: '15 0 * * *'
env:
MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3
jobs:
run-owasp-dependency-check:
if: ${{ github.repository == 'apache/pulsar' }}
name: Run OWASP Dependency Check
runs-on: ubuntu-latest
timeout-minutes: 45
strategy:
fail-fast: false
matrix:
include:
- name: master
checkout_branch: 'master'
- name: branch-2.9
checkout_branch: 'branch-2.9'
- name: branch-2.8
checkout_branch: 'branch-2.8'
steps:
- name: checkout
uses: actions/checkout@v2
with:
ref: ${{ matrix.checkout_branch }}
- name: Tune Runner VM
uses: ./.github/actions/tune-runner-vm
- name: Cache local Maven repository
uses: actions/cache@v2
with:
path: |
~/.m2/repository/*/*/*
!~/.m2/repository/org/apache/pulsar
key: ${{ runner.os }}-m2-dependencies-owasp-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-m2-dependencies-all-${{ hashFiles('**/pom.xml') }}
${{ runner.os }}-m2-dependencies-core-modules-${{ hashFiles('**/pom.xml') }}
${{ runner.os }}-m2-dependencies-core-modules-
- name: Set up JDK 11
uses: actions/setup-java@v2
with:
distribution: 'temurin'
java-version: 11
- name: run install by skip tests
run: mvn -q -B -ntp clean install -DskipTests
- name: run OWASP Dependency Check for distribution/server (-DfailBuildOnAnyVulnerability=true)
run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -pl distribution/server -DfailBuildOnAnyVulnerability=true
- name: run OWASP Dependency Check for distribution/offloaders, distribution/io and pulsar-sql/presto-distribution
run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -pl distribution/offloaders,distribution/io,pulsar-sql/presto-distribution
- name: Upload OWASP Dependency Check reports
uses: actions/upload-artifact@v4
if: always()
with:
name: owasp-dependency-check-reports-${{ matrix.checkout_branch }}
path: |
distribution/server/target/dependency-check-report.html
distribution/offloaders/target/dependency-check-report.html
distribution/io/target/dependency-check-report.html
pulsar-sql/presto-distribution/target/dependency-check-report.html