From 98b7cec500dcc4e0b3c75bdbf49bd82fc00c05f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Mathieu?=
Date: Thu, 18 Jul 2024 15:10:13 +0200
Subject: [PATCH] feat: OWASP dependency check

Check for known vulnerabilities each day thanks to the OWASP Dependency Check Gradle plugin.
---
.github/workflows/dependency-check.yml | 39 ++++++++++++++++++++++++++
build.gradle | 21 ++++++++++++++
owasp-dependency-suppressions.xml | 27 ++++++++++++++++++
3 files changed, 87 insertions(+)
create mode 100644 .github/workflows/dependency-check.yml
create mode 100644 owasp-dependency-suppressions.xml

diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
new file mode 100644
index 0000000000..649d456f77
--- /dev/null
+++ b/.github/workflows/dependency-check.yml
@@ -0,0 +1,39 @@
+name: Dependency Checks
+
+on:
+ schedule:
+ - cron: "0 0 * * *" # Every day
+ workflow_dispatch: {}
+
+env:
+ JAVA_VERSION: '21'
+
+jobs:
+ dependency-check:
+ name: Dependency Check
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ # Checkout GitHub Actions
+ - uses: actions/checkout@v4
+ with:
+ repository: kestra-io/actions
+ path: actions
+ ref: main
+
+ # Setup build
+ - uses: ./actions/.github/actions/setup-build
+ id: build
+ with:
+ java-enabled: true
+ node-enabled: true
+ caches-enabled: true
+
+ # Run OWASP dependency check plugin
+ - name: Run Dependency Check
+ run: |
+ ./gradlew dependencyCheckAggregate
\ No newline at end of file
diff --git a/build.gradle b/build.gradle
index 1d7d8d673d..a2a0b55996 100644
--- a/build.gradle
+++ b/build.gradle
@@ -36,6 +36,9 @@ plugins {
 id 'signing'
 id 'ru.vyarus.pom' version '3.0.0' apply false
 id 'ru.vyarus.github-info' version '2.0.0' apply false
+
+ // OWASP dependency check
+ id "org.owasp.dependencycheck" version "10.0.3" apply false
 }
 
 idea {
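Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default permissions although `./gradlew dependencyCheckAggregate` only needs to read the checkout; add `permissions:` / `  contents: read` at the workflow level. The second checkout fetches `kestra-io/actions` at `ref: main` and the job then executes `./actions/.github/actions/setup-build` from it, so anything pushed to that branch runs here without review in this repository; pinning `ref` to a commit SHA (and `actions/checkout@v4` to a SHA as well) removes the mutable dependency. The report the plugin writes is not kept anywhere, so when the build fails on a finding the only visible output is the failed run; an `actions/upload-artifact` step with `if: always()` after the Gradle step would preserve the report for triage. The `fetch-depth: 0` full clone is not needed by the dependency scan and only lengthens the nightly job.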
@@ -308,6 +311,24 @@ sonar { } } +/**********************************************************************************************************************\ + * OWASP Dependency check + **********************************************************************************************************************/ +apply plugin: 'org.owasp.dependencycheck' + +dependencyCheck { + // fail only on HIGH and CRITICAL vulnerabilities, we may want to lower to 5 (mid-medium) later + failBuildOnCVSS = 7 + + // disable the .NET assembly analyzer as otherwise it wants to analyze EXE file + analyzers { + assemblyEnabled = false + } + + // configure a suppression file + suppressionFile = "$projectDir/owasp-dependency-suppressions.xml" +} + /**********************************************************************************************************************\ * Micronaut **********************************************************************************************************************/ diff --git a/owasp-dependency-suppressions.xml b/owasp-dependency-suppressions.xml new file mode 100644 index 0000000000..c240ba000c --- /dev/null +++ b/owasp-dependency-suppressions.xml @@ -0,0 +1,27 @@ + + + + + + + + io\.kestra:jdbc-mysql.* + cpe:/a:mysql:mysql + + + + + + org\.codehaus\.plexus:plexus.* + cpe:/a:codehaus-plexus_project:codehaus-plexus + + \ No newline at end of file
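Review bot: The `dependencyCheck` block configures no NVD API key, and the NVD API that dependency-check 10.x downloads its data from throttles unauthenticated clients heavily, so the nightly job is likely to fail on the data download rather than on a finding; reading the key from the environment, `nvd { apiKey = System.getenv('NVD_API_KEY') }`, keeps the secret out of the repository and lets the workflow pass it in via `env`. `failBuildOnCVSS = 7` does match the comment (7.0 is the CVSS HIGH boundary), but the "we may want to lower to 5" remark would be better tracked as a dated follow-up than left as an open-ended comment in the build file. Since `suppressionFile` points at a file in the repository root, suppressions are reviewable in PRs; a short comment here stating that each suppression must carry a justification and an expiry would make that expectation explicit for future contributors.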
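Review bot: Each `suppress` entry should carry a `notes` element explaining why the CPE match is a false positive and an `until` date so the suppression is re-examined instead of silently outliving its reason; the XML markup did not survive this rendering (only the regex and CPE values are readable, fewer than the 27 declared lines), so I cannot see whether either is present. The two visible entries, `io\.kestra:jdbc-mysql.*` matched to `cpe:/a:mysql:mysql` and `org\.codehaus\.plexus:plexus.*` matched to `cpe:/a:codehaus-plexus_project:codehaus-plexus`, look like CPE matches on artifact names rather than on the products themselves, which is the intended use of a CPE suppression. Suppressing by CPE also hides any future CVE for those products on the matched artifacts, so the justification should state that the artifact does not embed the matched product.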