Skip to content

Commit

Permalink
[fix][ci] Fix OWASP Dependency Check download by using NVD API key (#…
Browse files Browse the repository at this point in the history
…22999)

(cherry picked from commit 8b7754f)
  • Loading branch information
lhotari committed Jul 5, 2024
1 parent e01e90f commit 29d7150
Show file tree
Hide file tree
Showing 10 changed files with 79 additions and 46 deletions.
83 changes: 58 additions & 25 deletions .github/workflows/ci-owasp-dependency-check.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,9 @@ on:
workflow_dispatch:

env:
MAVEN_OPTS: -Xss1500k -Xmx1024m -Daether.connector.http.reuseConnections=false -Daether.connector.requestTimeout=60000 -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.http.retryHandler.requestSentEnabled=true -Dmaven.wagon.http.serviceUnavailableRetryStrategy.class=standard -Dmaven.wagon.rto=60000
MAVEN_OPTS: -Xss1500k -Xmx1500m -Daether.connector.http.reuseConnections=false -Daether.connector.requestTimeout=60000 -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.http.retryHandler.requestSentEnabled=true -Dmaven.wagon.http.serviceUnavailableRetryStrategy.class=standard -Dmaven.wagon.rto=60000
JDK_DISTRIBUTION: corretto
NIST_NVD_API_KEY: ${{ secrets.NIST_NVD_API_KEY }}

jobs:
run-owasp-dependency-check:
Expand All @@ -33,66 +35,97 @@ jobs:
env:
JOB_NAME: Check ${{ matrix.branch }}
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
runs-on: ubuntu-20.04
timeout-minutes: 45
runs-on: ubuntu-22.04
timeout-minutes: 75
strategy:
fail-fast: false
max-parallel: 1
matrix:
include:
- branch: master
- branch: branch-3.3
- branch: branch-3.2
- branch: branch-3.0
- branch: branch-2.11
- branch: branch-2.10
jdk: 11
- branch: branch-2.9
jdk: 11
- branch: branch-2.8
jdk: 11

steps:
- name: checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
ref: ${{ matrix.branch }}

- name: Tune Runner VM
uses: ./.github/actions/tune-runner-vm

- name: Cache local Maven repository
uses: actions/cache@v3
- name: Restore Maven repository cache
uses: actions/cache/restore@v4
timeout-minutes: 5
with:
path: |
~/.m2/repository/*/*/*
!~/.m2/repository/org/apache/pulsar
key: ${{ runner.os }}-m2-dependencies-owasp-${{ hashFiles('**/pom.xml') }}
key: ${{ runner.os }}-m2-dependencies-all-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-m2-dependencies-all-${{ hashFiles('**/pom.xml') }}
${{ runner.os }}-m2-dependencies-core-modules-${{ hashFiles('**/pom.xml') }}
${{ runner.os }}-m2-dependencies-core-modules-
- name: Set up JDK ${{ matrix.jdk || '17' }}
uses: actions/setup-java@v3
uses: actions/setup-java@v4
with:
distribution: 'temurin'
distribution: ${{ env.JDK_DISTRIBUTION }}
java-version: ${{ matrix.jdk || '17' }}

- name: run install by skip tests
run: mvn -B -ntp clean install -DskipTests -Dspotbugs.skip=true -Dlicense.skip=true -Dcheckstyle.skip=true -Drat.skip=true -DskipDocker=true
run: mvn -B -ntp clean install -DskipTests -Dspotbugs.skip=true -Dlicense.skip=true -Dcheckstyle.skip=true -Drat.skip=true -DskipDocker=true -DnarPluginPhase=none -pl '!distribution/io,!distribution/offloaders'

- name: OWASP cache key weeknum
id: get-weeknum
run: |
echo "weeknum=$(date -u +"%Y-%U")" >> $GITHUB_OUTPUT
shell: bash

- name: Restore OWASP Dependency Check data
id: restore-owasp-dependency-check-data
uses: actions/cache/restore@v4
timeout-minutes: 5
with:
path: ~/.m2/repository/org/owasp/dependency-check-data
key: owasp-dependency-check-data-${{ steps.get-weeknum.outputs.weeknum }}
enableCrossOsArchive: true
restore-keys: |
owasp-dependency-check-data-
- name: Update OWASP Dependency Check data
id: update-owasp-dependency-check-data
if: ${{ matrix.branch == 'master' && (steps.restore-owasp-dependency-check-data.outputs.cache-hit != 'true' || steps.restore-owasp-dependency-check-data.outputs.cache-matched-key != steps.restore-owasp-dependency-check-data.outputs.cache-primary-key) }}
run: mvn -B -ntp -Powasp-dependency-check initialize -pl . dependency-check:update-only

- name: Save OWASP Dependency Check data
if: ${{ steps.update-owasp-dependency-check-data.outcome == 'success' }}
uses: actions/cache/save@v4
timeout-minutes: 5
with:
path: ~/.m2/repository/org/owasp/dependency-check-data
key: ${{ steps.restore-owasp-dependency-check-data.outputs.cache-primary-key }}
enableCrossOsArchive: true

- name: run OWASP Dependency Check for distribution/server (-DfailBuildOnAnyVulnerability=true)
run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -pl distribution/server -DfailBuildOnAnyVulnerability=true

- name: run OWASP Dependency Check for distribution/offloaders, distribution/io and pulsar-sql/presto-distribution
run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -pl distribution/offloaders,distribution/io,pulsar-sql/presto-distribution
- name: run OWASP Dependency Check for offloaders/tiered-storage and pulsar-io connectors (-DfailOnError=false)
if: ${{ !cancelled() }}
run: |
mvnprojects=$(mvn -B -ntp -Dscan=false initialize \
| grep -- "-< .* >-" \
| sed -E 's/.*-< (.*) >-.*/\1/' \
| grep -E 'pulsar-io-|tiered-storage-|offloader' \
| tr '\n' ',' | sed 's/,$/\n/' )
set -xe
mvn --fail-at-end -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -DfailOnError=false -pl "${mvnprojects}"
- name: Upload OWASP Dependency Check reports
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
if: always()
with:
name: owasp-dependency-check-reports-${{ matrix.branch }}
path: |
distribution/server/target/dependency-check-report.html
distribution/offloaders/target/dependency-check-report.html
distribution/io/target/dependency-check-report.html
pulsar-sql/presto-distribution/target/dependency-check-report.html
**/target/dependency-check-report.html
7 changes: 3 additions & 4 deletions .github/workflows/pulsar-ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1250,6 +1250,7 @@ jobs:
if: ${{ needs.preconditions.outputs.need_owasp == 'true' }}
env:
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
NIST_NVD_API_KEY: ${{ secrets.NIST_NVD_API_KEY }}
steps:
- name: checkout
uses: actions/checkout@v4
Expand All @@ -1265,16 +1266,14 @@ jobs:
with:
limit-access-to-actor: true

- name: Cache Maven dependencies
uses: actions/cache@v4
- name: Restore Maven repository cache
uses: actions/cache/restore@v4
timeout-minutes: 5
with:
path: |
~/.m2/repository/*/*/*
!~/.m2/repository/org/apache/pulsar
!~/.m2/repository/org/owasp/dependency-check-data
key: ${{ runner.os }}-m2-dependencies-core-modules-${{ hashFiles('**/pom.xml') }}
lookup-only: true
restore-keys: |
${{ runner.os }}-m2-dependencies-core-modules-
- name: Set up JDK ${{ matrix.jdk || '17' }}
Expand Down
1 change: 0 additions & 1 deletion distribution/io/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -137,7 +137,6 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
Expand Down
14 changes: 11 additions & 3 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -307,7 +307,7 @@ flexible messaging model and an intuitive client API.</description>
<errorprone-slf4j.version>0.1.4</errorprone-slf4j.version>
<j2objc-annotations.version>1.3</j2objc-annotations.version>
<lightproto-maven-plugin.version>0.4</lightproto-maven-plugin.version>
<dependency-check-maven.version>9.1.0</dependency-check-maven.version>
<dependency-check-maven.version>10.0.1</dependency-check-maven.version>
<roaringbitmap.version>0.9.44</roaringbitmap.version>
<extra-enforcer-rules.version>1.6.1</extra-enforcer-rules.version>
<oshi.version>6.4.0</oshi.version>
Expand Down Expand Up @@ -2137,6 +2137,16 @@ flexible messaging model and an intuitive client API.</description>
<artifactId>build-helper-maven-plugin</artifactId>
<version>${build-helper-maven-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<configuration>
<nvdApiKeyEnvironmentVariable>NIST_NVD_API_KEY</nvdApiKeyEnvironmentVariable>
<!-- Uncomment the following to use the NVD data feed provided by the Dependency-Check project -->
<!-- <nvdDatafeedUrl>https://jeremylong.github.io/DependencyCheck/hb_nvd/</nvdDatafeedUrl> -->
</configuration>
</plugin>
</plugins>
</pluginManagement>
<extensions>
Expand Down Expand Up @@ -2566,7 +2576,6 @@ flexible messaging model and an intuitive client API.</description>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<configuration>
<suppressionFiles>
<suppressionFile>${pulsar.basedir}/src/owasp-dependency-check-false-positives.xml</suppressionFile>
Expand Down Expand Up @@ -2601,7 +2610,6 @@ flexible messaging model and an intuitive client API.</description>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<reportSets>
<reportSet>
<reports>
Expand Down
1 change: 0 additions & 1 deletion pulsar-io/docs/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -253,7 +253,6 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
Expand Down
1 change: 0 additions & 1 deletion pulsar-io/flume/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,6 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
Expand Down
1 change: 0 additions & 1 deletion pulsar-io/hbase/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,6 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
Expand Down
7 changes: 3 additions & 4 deletions pulsar-io/hdfs2/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -27,14 +27,14 @@
</parent>
<artifactId>pulsar-io-hdfs2</artifactId>
<name>Pulsar IO :: Hdfs2</name>

<dependencies>
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>pulsar-io-core</artifactId>
<version>${project.version}</version>
</dependency>

<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
Expand Down Expand Up @@ -74,7 +74,7 @@
<artifactId>commons-lang3</artifactId>
</dependency>
</dependencies>

<build>
<plugins>
<plugin>
Expand Down Expand Up @@ -113,7 +113,6 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
Expand Down
9 changes: 4 additions & 5 deletions pulsar-io/hdfs3/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -27,14 +27,14 @@
</parent>
<artifactId>pulsar-io-hdfs3</artifactId>
<name>Pulsar IO :: Hdfs3</name>

<dependencies>
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>pulsar-io-core</artifactId>
<version>${project.version}</version>
</dependency>

<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
Expand All @@ -49,7 +49,7 @@
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
</dependency>

<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-client</artifactId>
Expand Down Expand Up @@ -80,7 +80,7 @@
</dependency>

</dependencies>

<build>
<plugins>
<plugin>
Expand Down Expand Up @@ -119,7 +119,6 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
Expand Down
1 change: 0 additions & 1 deletion tiered-storage/file-system/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -205,7 +205,6 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${dependency-check-maven.version}</version>
<executions>
<execution>
<goals>
Expand Down

0 comments on commit 29d7150

Please sign in to comment.