This is an automated email from the ASF dual-hosted git repository.
tanxinyu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ratis.git
The following commit(s) were added to refs/heads/master by this push:
new 6e1e15f0f RATIS-2372. Add weekly CVE vulnerability check workflow for
Apache Ratis (#1328)
6e1e15f0f is described below
commit 6e1e15f0f54aba0795a1d704a967e70275033e87
Author: Potato <[email protected]>
AuthorDate: Mon Dec 29 10:08:10 2025 +0800
RATIS-2372. Add weekly CVE vulnerability check workflow for Apache Ratis
(#1328)
Signed-off-by: OneSizeFitsQuorum <[email protected]>
Co-authored-by: Copilot <[email protected]>
---
.github/workflows/vulnerability-check.yaml | 64 ++++++++++++++++++++++++++++++
pom.xml | 5 +++
2 files changed, 69 insertions(+)
diff --git a/.github/workflows/vulnerability-check.yaml
b/.github/workflows/vulnerability-check.yaml
new file mode 100644
index 000000000..49d4fa80a
--- /dev/null
+++ b/.github/workflows/vulnerability-check.yaml
@@ -0,0 +1,64 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: vulnerability-check
+
+on:
+ schedule:
+ # Run at 16:00 UTC every Sunday (Monday 00:00 CST)
+ - cron: "0 16 * * 0"
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+env:
+ MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
-Dmaven.wagon.http.retryHandler.class=standard
-Dmaven.wagon.http.retryHandler.count=3
+ MAVEN_ARGS: --batch-mode --no-transfer-progress
+
+jobs:
+ dependency-check:
+ if: ${{ github.event_name == 'workflow_dispatch' || github.repository ==
'apache/ratis' }}
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK 11
+ uses: actions/setup-java@v4
+ with:
+ distribution: corretto
+ java-version: 11
+
+ - name: Do Maven install
+ shell: bash
+ run: mvn $MAVEN_ARGS clean install -DskipTests
+
+ - name: Do the dependency-check:aggregate
+ shell: bash
+ run: mvn $MAVEN_ARGS org.owasp:dependency-check-maven:aggregate
-DossIndexUsername=${{ secrets.OSS_INDEX_USER }} -DossIndexPassword=${{
secrets.OSS_INDEX_TOKEN }} -DnvdApiKey=${{ secrets.NVD_API_KEY }}
+
+ - name: Generate report date for artifact name
+ run: |
+ utc_time="${{ github.run_started_at }}"
+ target_time=$(TZ=Asia/Shanghai date -d "$utc_time" +"%Y-%m-%d")
+ echo "REPORT_DATE=$target_time" >> $GITHUB_ENV
+
+ - name: Upload Artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: vulnerability-check-result-${{ env.REPORT_DATE }}
+ path: target/dependency-check-report.html
+ retention-days: 15
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 27bdd2352..41c32c7c2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -726,6 +726,11 @@
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>12.1.9</version>
+ </plugin>
</plugins>
<resources>
<resource>
