Add OWASP dependency check (#1347)

* Add owasp dependency scan * Add github action to upload results * Remove unused javalin dependency, also generate html reports * formats instead of format * Restore javalin dependency (make revert easier later if necessary) * Set OWASP to run on PR plus better names for sarif upload
2023-07-14 10:56:40 -04:00 · 2023-07-14 10:56:40 -04:00 · c2cb2aaa21
parent a91749760e
commit c2cb2aaa21
6 changed files with 82 additions and 8 deletions
--- a/.github/workflows/owasp.yml
+++ b/.github/workflows/owasp.yml
@ -1,9 +1,10 @@
-
+name: "OWASP Security Scans"
 name: "OWASP"
 on:
-  schedule:
+  push:
-    - cron: '0 0 * * *'
+    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  workflow_dispatch:
@ -29,4 +30,6 @@ jobs:
        sarif_file: target/dependency-check-report.sarif
        # Optional category for the results
        # Used to differentiate multiple results for one commit
-        category: OWASP-analysis
+
        category: OWASP-dependency-check
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@ -1,4 +1,4 @@
-name: Trivy Security Scans
+name: "Trivy Security Scans"
 on:
  push:
@ -32,4 +32,4 @@ jobs:
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
-          category: 'code'
+          category: 'Trivy-security-scan'
--- a/cve-suppression.xml
+++ b/cve-suppression.xml
@ -0,0 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 </suppressions>
--- a/org.hl7.fhir.validation.cli/pom.xml
+++ b/org.hl7.fhir.validation.cli/pom.xml
@ -415,6 +415,24 @@
                        <skip>true</skip>
                    </configuration>
                </plugin>
                <plugin>
                    <groupId>org.owasp</groupId>
                    <artifactId>dependency-check-maven</artifactId>
                    <configuration>
                        <suppressionFiles>
                            <suppressionFile>cve-suppression.xml</suppressionFile>
                        </suppressionFiles>
                        <excludes>
                            <!-- These are our own modules, and contain test archives for zip-slip, which break owasp
                            archive extraction -->
                            <exclude>ca.uhn.hapi.fhir:org.hl7.fhir.convertors</exclude>
                            <exclude>ca.uhn.hapi.fhir:org.hl7.fhir.r4b</exclude>
                            <exclude>ca.uhn.hapi.fhir:org.hl7.fhir.r5</exclude>
                            <exclude>ca.uhn.hapi.fhir:org.hl7.fhir.utilities</exclude>
                            <exclude>ca.uhn.hapi.fhir:org.hl7.fhir.validation</exclude>
                        </excludes>
                    </configuration>
                </plugin>
        	</plugins>
        </pluginManagement>
    </build>
--- a/org.hl7.fhir.validation/pom.xml
+++ b/org.hl7.fhir.validation/pom.xml
@ -199,8 +199,9 @@
            <groupId>io.javalin</groupId>
            <artifactId>javalin</artifactId>
            <version>3.8.0</version>
-				<optional>true</optional>
+            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-simple</artifactId>
--- a/pom.xml
+++ b/pom.xml
@ -286,6 +286,18 @@
                        <redirectTestOutputToFile>false</redirectTestOutputToFile>
                    </configuration>
                </plugin>
                <plugin>
                    <groupId>org.owasp</groupId>
                    <artifactId>dependency-check-maven</artifactId>
                    <version>8.2.1</version>
                    <configuration>
                        <suppressionFiles>
                            <suppressionFile>cve-suppression.xml</suppressionFile>
                        </suppressionFiles>
                        <formats>sarif,html</formats>
                    </configuration>
                </plugin>
            </plugins>
        </pluginManagement>
        <plugins>
@ -680,5 +692,42 @@
                </plugins>
            </build>
        </profile>
        <profile>
            <id>OWASP_CHECK</id>
            <build>
                <plugins>
                    <plugin>
                        <groupId>org.owasp</groupId>
                        <artifactId>dependency-check-maven</artifactId>
                        <executions>
                            <execution>
                                <goals>
                                    <goal>check</goal>
                                </goals>
                                <configuration>
                                    <failBuildOnCVSS>10</failBuildOnCVSS>
                                    <skipTestScope>true</skipTestScope>
                                </configuration>
                            </execution>
                        </executions>
                    </plugin>
                </plugins>
            </build>
        </profile>
    </profiles>
    <reporting>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <reportSets>
                    <reportSet>
                        <reports>
                            <report>aggregate</report>
                        </reports>
                    </reportSet>
                </reportSets>
            </plugin>
        </plugins>
    </reporting>
 </project>