This is an automated email from the ASF dual-hosted git repository.
benjobs pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/incubator-streampark.git
The following commit(s) were added to refs/heads/dev by this push:
new d84864106 [Feature-3783] Add OWASP Dependency Check in CI (#3784)
d84864106 is described below
commit d848641064b2d2575fa2d95f3ebddf182fed3e6d
Author: xiangzihao <[email protected]>
AuthorDate: Thu Jun 20 18:40:03 2024 +0800
[Feature-3783] Add OWASP Dependency Check in CI (#3784)
* add feature 3783
---
.github/workflows/owasp-dependency-check.yaml | 53 +++++++++++++++++++++++++++
pom.xml | 5 ++-
2 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/owasp-dependency-check.yaml
b/.github/workflows/owasp-dependency-check.yaml
new file mode 100644
index 000000000..3cb4ad76b
--- /dev/null
+++ b/.github/workflows/owasp-dependency-check.yaml
@@ -0,0 +1,53 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: OWASP Dependency Check
+
+on:
+ push:
+ branches:
+ - dev
+ pull_request:
+ paths:
+ - '**/pom.xml'
+
+env:
+ MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=25
-Dmaven.wagon.http.retryHandler.count=3
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ timeout-minutes: 120
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: true
+ - name: Set up JDK 8
+ uses: actions/setup-java@v4
+ with:
+ java-version: 8
+ distribution: 'adopt'
+ - name: Run OWASP Dependency Check
+ run: ./mvnw -B clean install dependency-check:check
-DskipDependencyCheck==false -Dspotless.skip=true
+ - name: Upload report
+ uses: actions/upload-artifact@v4
+ if: ${{ cancelled() || failure() }}
+ continue-on-error: true
+ with:
+ name: dependency report
+ path: target/dependency-check-report.html
+ retention-days: 3
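Review bot: `-DskipDependencyCheck==false` on the run line has a doubled `=`, so Maven sets the property to the string `=false`; it probably still un-skips the check only because the plugin's boolean conversion treats anything other than `true` as false, and it should read `-DskipDependencyCheck=false`. The workflow also declares no `permissions:` block, so the job token keeps the repository's default grants although the job only needs `permissions: {contents: read}`; for the same least-privilege and supply-chain reason the three `actions/*@v4` references would be better pinned to full commit SHAs. The upload path `target/dependency-check-report.html` only covers the root module, while `dependency-check:check` (as opposed to `aggregate`) writes one report per module, so `path: '**/target/dependency-check-report.html'` is likely what is intended. Dependency-Check 9.x fetches from the NVD 2.0 API, which throttles unauthenticated clients heavily; unless an API key is supplied (e.g. `-DnvdApiKey=${{ secrets.NVD_API_KEY }}`, keeping in mind secrets are not exposed to pull requests from forks) the 120-minute timeout may be exhausted during the database update rather than the scan.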
diff --git a/pom.xml b/pom.xml
index 185c4b74b..cec35312c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -138,7 +138,7 @@
<maven-apache-rat-plugin.version>0.13</maven-apache-rat-plugin.version>
<spotless.scalafmt.version>3.4.3</spotless.scalafmt.version>
<maven-checkstyle-plugin.version>3.2.0</maven-checkstyle-plugin.version>
-
<owasp-dependency-check-maven.version>8.2.1</owasp-dependency-check-maven.version>
+
<owasp-dependency-check-maven.version>9.2.0</owasp-dependency-check-maven.version>
<build-helper-maven-plugin.version>3.3.0</build-helper-maven-plugin.version>
<streampark.shaded.package>org.apache.streampark.shaded</streampark.shaded.package>
<flink.table.uber.artifact.id>flink-table-uber_${scala.binary.version}</flink.table.uber.artifact.id>
@@ -783,9 +783,10 @@
<version>${owasp-dependency-check-maven.version}</version>
<configuration>
<skip>${skipDependencyCheck}</skip>
- <format>ALL</format>
<skipProvidedScope>true</skipProvidedScope>
+ <skipRuntimeScope>true</skipRuntimeScope>
<skipSystemScope>true</skipSystemScope>
+ <failBuildOnCVSS>7</failBuildOnCVSS>
</configuration>
<executions>
<execution>
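Review bot: `<skipRuntimeScope>true</skipRuntimeScope>` on the new side excludes runtime-scoped dependencies from the scan, yet those are precisely the jars bundled into the shipped distribution, so a CVE in a runtime-only dependency (a JDBC driver, a logging backend) would never fail this build; unlike `provided`/`system` scope, which the container supplies, there is no obvious reason to skip it, and the line should be dropped. Removing `<format>ALL</format>` leaves only the default HTML report, which the workflow uploads on failure but which nothing can parse; keeping a machine-readable format alongside it, e.g. `<formats><format>HTML</format><format>JSON</format></formats>` (or SARIF if the project uses code scanning), would be cheap. `<failBuildOnCVSS>7</failBuildOnCVSS>` is a reasonable gate but deserves a comment stating that lower-severity findings are reported only, e.g. `<!-- fail the build on HIGH/CRITICAL findings (CVSS >= 7); lower-severity findings are reported but do not fail -->`. The enclosing `<plugin>` element starts before this hunk.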