Add OWASP dependency check (#1347)

* Add owasp dependency scan

* Add github action to upload results

* Remove unused javalin dependency, also generate html reports

* formats instead of format

* Restore javalin dependency (make revert easier later if necessary)

* Set OWASP to run on PR plus better names for sarif upload
dotasek 2023-07-14 10:56:40 -04:00 committed by GitHub
parent a91749760e
commit c2cb2aaa21
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 82 additions and 8 deletions


@ -1,9 +1,10 @@
name: "OWASP"
name: "OWASP Security Scans"
on:
schedule:
- cron: '0 0 * * *'
push:
branches: [ "master" ]
pull_request:
branches: [ "master" ]
workflow_dispatch:
@ -29,4 +30,6 @@ jobs:
sarif_file: target/dependency-check-report.sarif
# Optional category for the results
# Used to differentiate multiple results for one commit
category: OWASP-analysis
category: OWASP-dependency-check
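Review bot: With the new `pull_request:` trigger, the `upload-sarif` step that consumes `target/dependency-check-report.sarif` will also run for pull requests opened from forks, where `GITHUB_TOKEN` is read-only and lacks `security-events: write`, so that step fails even when the scan itself succeeded; the job's `permissions:` block and any step conditions are outside this hunk, so confirm how they are set. Guard the upload with `if: github.event.pull_request.head.repo.full_name == github.repository`, or set `continue-on-error: true` on that step only, and make sure the job declares `permissions: security-events: write` for same-repo runs. A scheduled run on `master` plus every PR also means the scan's NVD data download happens on each PR; check that the action caches `~/.m2/repository/org/owasp/dependency-check-data` or the runs will be slow and rate-limited.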


@ -1,4 +1,4 @@
name: Trivy Security Scans
name: "Trivy Security Scans"
on:
push:
@ -32,4 +32,4 @@ jobs:
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
category: 'code'
category: 'Trivy-security-scan'

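--- /dev/null
+++ b/cve-suppression.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+</suppressions>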
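Review bot: The suppression file is empty, which is a fine starting point, but nothing tells the next contributor what a suppression must look like, and an open-ended `<suppress>` silences a finding forever. A header comment inside the root element stating the convention would prevent that, e.g. `<!-- Every <suppress> must carry a <notes> element with the justification and an until="YYYY-MM-DD" attribute so the accepted risk is re-reviewed; prefer a <cve> or <vulnerabilityName> match over a bare <packageUrl> regex so unrelated findings are not hidden. -->`. The 1.3 schema referenced here supports both `until` and `<notes>`, so the rule is enforceable in review.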


@ -415,6 +415,24 @@
<skip>true</skip>
</configuration>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<suppressionFiles>
<suppressionFile>cve-suppression.xml</suppressionFile>
</suppressionFiles>
<excludes>
<!-- These are our own modules, and contain test archives for zip-slip, which break owasp
archive extraction -->
<exclude>ca.uhn.hapi.fhir:org.hl7.fhir.convertors</exclude>
<exclude>ca.uhn.hapi.fhir:org.hl7.fhir.r4b</exclude>
<exclude>ca.uhn.hapi.fhir:org.hl7.fhir.r5</exclude>
<exclude>ca.uhn.hapi.fhir:org.hl7.fhir.utilities</exclude>
<exclude>ca.uhn.hapi.fhir:org.hl7.fhir.validation</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</pluginManagement>
</build>
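Review bot: `<suppressionFile>cve-suppression.xml</suppressionFile>` is a bare relative path in what looks like a module POM (the plugin declaration has no `<version>`, so it presumably inherits from the root `pom.xml`); if dependency-check resolves it against the module's base directory rather than the directory `mvn` was invoked from, the root-level file is not found and the build warns or fails on a missing suppression file — confirm against how CI runs the build. `${maven.multiModuleProjectDirectory}/cve-suppression.xml` removes the ambiguity, or the duplicate `<suppressionFiles>` can be dropped in favour of the root pluginManagement entry. The `<excludes>` comment explains why five in-house modules are skipped but not what coverage is lost; if `excludes` also drops the excluded artifacts' transitive dependencies, those modules' third-party dependencies leave the scan entirely, so state the verified behaviour on the comment, e.g. `<!-- Excluded artifacts are our own jars; verified that their third-party dependencies are still resolved and scanned. -->`, or find out whether `skipArtifactType`/a narrower exclusion of the test archives would keep them in scope.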


@ -199,8 +199,9 @@
<groupId>io.javalin</groupId>
<artifactId>javalin</artifactId>
<version>3.8.0</version>
<optional>true</optional>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>

pom.xml

@ -286,6 +286,18 @@
<redirectTestOutputToFile>false</redirectTestOutputToFile>
</configuration>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.2.1</version>
<configuration>
<suppressionFiles>
<suppressionFile>cve-suppression.xml</suppressionFile>
</suppressionFiles>
<formats>sarif,html</formats>
</configuration>
</plugin>
</plugins>
</pluginManagement>
<plugins>
@ -680,5 +692,42 @@
</plugins>
</build>
</profile>
<profile>
<id>OWASP_CHECK</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
<configuration>
<failBuildOnCVSS>10</failBuildOnCVSS>
<skipTestScope>true</skipTestScope>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
<reporting>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<reportSets>
<reportSet>
<reports>
<report>aggregate</report>
</reports>
</reportSet>
</reportSets>
</plugin>
</plugins>
</reporting>
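Review bot: `<failBuildOnCVSS>10</failBuildOnCVSS>` in the `OWASP_CHECK` profile only fails the build for findings scored exactly 10.0, so the far more common 9.8 critical RCE findings pass silently; the SARIF upload still lists them, but nothing blocks a merge. `<failBuildOnCVSS>7</failBuildOnCVSS>`, with accepted findings recorded in `cve-suppression.xml`, is the usual starting point; if report-only is the intent for now, say so in a comment on that line so the threshold is not mistaken for a gate. Separately, in a multi-module build the `check` goal writes each module's report under that module's own `target/`, so a root-level `target/dependency-check-report.sarif` (the path the OWASP workflow uploads) covers only the root POM's dependencies; the `<reporting>` block's `aggregate` only applies to `mvn site`. Using `<goal>aggregate</goal>` in the profile execution produces the single root report the workflow expects and still honours `failBuildOnCVSS` — the Maven command the workflow runs is not visible here, so confirm which goal it invokes.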
</project>