This is an automated email from the ASF dual-hosted git repository.

benjobs pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/incubator-streampark.git


The following commit(s) were added to refs/heads/dev by this push:
     new d84864106 [Feature-3783] Add OWASP Dependency Check in CI (#3784)
d84864106 is described below

commit d848641064b2d2575fa2d95f3ebddf182fed3e6d
Author: xiangzihao <[email protected]>
AuthorDate: Thu Jun 20 18:40:03 2024 +0800

    [Feature-3783] Add OWASP Dependency Check in CI (#3784)
    
    * add feature 3783
---
 .github/workflows/owasp-dependency-check.yaml | 53 +++++++++++++++++++++++++++
 pom.xml                                       |  5 ++-
 2 files changed, 56 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/owasp-dependency-check.yaml 
b/.github/workflows/owasp-dependency-check.yaml
new file mode 100644
index 000000000..3cb4ad76b
--- /dev/null
+++ b/.github/workflows/owasp-dependency-check.yaml
@@ -0,0 +1,53 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: OWASP Dependency Check
+
+on:
+  push:
+    branches:
+      - dev
+  pull_request:
+    paths:
+      - '**/pom.xml'
+
+env:
+  MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=25 
-Dmaven.wagon.http.retryHandler.count=3
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Set up JDK 8
+        uses: actions/setup-java@v4
+        with:
+          java-version: 8
+          distribution: 'adopt'
+      - name: Run OWASP Dependency Check
+        run: ./mvnw -B clean install dependency-check:check 
-DskipDependencyCheck==false -Dspotless.skip=true
+      - name: Upload report
+        uses: actions/upload-artifact@v4
+        if: ${{ cancelled() || failure() }}
+        continue-on-error: true
+        with:
+          name: dependency report
+          path: target/dependency-check-report.html
+          retention-days: 3
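Review bot: The Maven property on the run line is misspelled, `-DskipDependencyCheck==false`, which sets `skipDependencyCheck` to the string `=false` and presumably only works because Maven's boolean conversion treats anything other than `true` as false; write `-DskipDependencyCheck=false`. The report upload is gated by `if: ${{ cancelled() || failure() }}`, so a passing run leaves no artifact to inspect; if the report is wanted on green runs as well, use `if: ${{ always() }}`, and if the build is multi-module the path should be `**/target/dependency-check-report.html` rather than the root `target/` only. The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN gets the repository default; a top-level `permissions: contents: read` is sufficient for checkout and artifact upload and is the least-privilege choice for a scanning job. The actions are pinned to mutable `@v4` tags; for a security workflow, pinning to a full commit SHA with the tag in a trailing comment is the stricter option. Since the pom now uses dependency-check 9.x, NVD data is fetched through the NVD API, which is throttled without a key and often makes the download slow or fail in CI; passing `-DnvdApiKey=${{ secrets.NVD_API_KEY }}` (secret name illustrative) on the run line avoids that.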
diff --git a/pom.xml b/pom.xml
index 185c4b74b..cec35312c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -138,7 +138,7 @@
         <maven-apache-rat-plugin.version>0.13</maven-apache-rat-plugin.version>
         <spotless.scalafmt.version>3.4.3</spotless.scalafmt.version>
         
<maven-checkstyle-plugin.version>3.2.0</maven-checkstyle-plugin.version>
-        
<owasp-dependency-check-maven.version>8.2.1</owasp-dependency-check-maven.version>
+        
<owasp-dependency-check-maven.version>9.2.0</owasp-dependency-check-maven.version>
         
<build-helper-maven-plugin.version>3.3.0</build-helper-maven-plugin.version>
         
<streampark.shaded.package>org.apache.streampark.shaded</streampark.shaded.package>
         
<flink.table.uber.artifact.id>flink-table-uber_${scala.binary.version}</flink.table.uber.artifact.id>
@@ -783,9 +783,10 @@
                     <version>${owasp-dependency-check-maven.version}</version>
                     <configuration>
                         <skip>${skipDependencyCheck}</skip>
-                        <format>ALL</format>
                         <skipProvidedScope>true</skipProvidedScope>
+                        <skipRuntimeScope>true</skipRuntimeScope>
                         <skipSystemScope>true</skipSystemScope>
+                        <failBuildOnCVSS>7</failBuildOnCVSS>
                     </configuration>
                     <executions>
                         <execution>
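Review bot: `<skipRuntimeScope>true</skipRuntimeScope>` excludes runtime-scope dependencies from the scan, yet those are the libraries shipped with and loaded by the application, so the check now misses exactly the artifacts most likely to matter at deploy time; unless the intent is purely to cut scan time, drop it, or state the reason in a comment such as `<!-- runtime scope skipped: <reason> -->`. Removing `<format>ALL</format>` leaves only the default HTML report; keeping a machine-readable output next to it, e.g. `<formats><format>HTML</format><format>SARIF</format></formats>`, lets the result be consumed by tooling rather than read by hand. `<failBuildOnCVSS>7</failBuildOnCVSS>` is a policy choice worth a one-line comment, e.g. `<!-- fail the build on High/Critical (CVSS >= 7) findings -->`. The enclosing `<plugin>` element starts and ends outside the hunk.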
