Feat/dep check (#67)

* feat: weekly dependency checking and on push to main

* fix: code smells

.github/workflows/ci-dependency-check.yml

@@ -0,0 +1,40 @@
+name: ci-main
+on:
+  schedule:
+    - cron: '0 1 * * 0' # Each Sunday at 01:00 UTC
+  push:
+    branches:
+      - main
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/setup-java@v2
+      with:
+        java-version: 11
+        distribution: adopt
+    - uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+    - uses: actions/cache@v2
+      with:
+        path: |
+          ~/.m2/repository
+        key: ${{ runner.os }}-${{ hashFiles('**/pom.xml') }}
+    - name: version
+      run: |-
+        APP_SHA=$(git rev-parse --short ${GITHUB_SHA})
+        APP_LATEST_REV=$(git rev-list --tags --max-count=1)
+        APP_LATEST_TAG=$(git describe --tags ${APP_LATEST_REV} 2> /dev/null || echo 0.0.0)
+        echo "APP_VERSION=${APP_LATEST_TAG}-${APP_SHA}" >> ${GITHUB_ENV}
+    - name: mvn
+      run: |-
+        mvn dependency-check:check \
+        --batch-mode \
+        --file ./pom.xml \
+        --settings ./settings.xml \
+        --define app.packages.username="${APP_PACKAGES_USERNAME}" \
+        --define app.packages.password="${APP_PACKAGES_PASSWORD}" \
+      env:
+        APP_PACKAGES_USERNAME: ${{ github.actor }}
+        APP_PACKAGES_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

owasp/suppressions.xml

@@ -11,7 +11,19 @@
     <cve>CVE-2012-5055</cve>
   </suppress>
   <suppress>
-    <notes>see https://tomcat.apache.org/security-9.html#Apache_Tomcat_9.x_vulnerabilities vulnerability is fixed in tomcat 9.0.38</notes>
+    <notes>see https://tomcat.apache.org/security-9.html#Apache_Tomcat_9.x_vulnerabilities vulnerability is fixed in
+      tomcat 9.0.38
+    </notes>
     <cve>CVE-2020-13943</cve>
   </suppress>
+  <suppress>
+    <!-- spring-boot and spring are excluded from cfenv artifact. Related issues can be omitted. -->
+    <notes><![CDATA[file name: java-cfenv-boot-2.3.0.jar]]></notes>
+    <sha1>da214a6f44ee5811c97f3b53a6dda31edf25ac9e</sha1>
+    <cve>CVE-2016-9878</cve>
+    <cve>CVE-2018-1270</cve>
+    <cve>CVE-2018-1271</cve>
+    <cve>CVE-2018-1272</cve>
+    <cve>CVE-2020-5421</cve>
+  </suppress>
 </suppressions>

pom.xml

@@ -25,7 +25,7 @@
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <!-- dependencies -->
     <dgclib.version>0.4.0</dgclib.version>
-    <owasp.version>6.1.1</owasp.version>
+    <owasp.version>6.1.6</owasp.version>
     <spring.boot.version>2.4.4</spring.boot.version>
     <spring.cloud.version>2020.0.2</spring.cloud.version>
     <spring.test.version>5.3.5</spring.test.version>
@@ -262,6 +262,12 @@
       <groupId>io.pivotal.cfenv</groupId>
       <artifactId>java-cfenv-boot</artifactId>
       <version>2.3.0</version>
+      <exclusions>
+        <exclusion>
+          <groupId>org.springframework.boot</groupId>
+          <artifactId>spring-boot</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>com.google.code.gson</groupId>
@@ -332,19 +338,9 @@
         <artifactId>dependency-check-maven</artifactId>
         <version>${owasp.version}</version>
         <configuration>
-          <skip>true</skip>
           <suppressionFile>./owasp/suppressions.xml</suppressionFile>
           <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
         </configuration>
-        <executions>
-          <execution>
-            <id>check</id>
-            <phase>validate</phase>
-            <goals>
-              <goal>check</goal>
-            </goals>
-          </execution>
-        </executions>
       </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>

src/main/java/eu/europa/ec/dgc/issuance/config/btp/SapCredentialStoreCfEnvProcessor.java

@@ -30,8 +30,9 @@ public class SapCredentialStoreCfEnvProcessor implements CfEnvProcessor {
 
     @Override
     public boolean accept(CfService service) {
-        return service.existsByTagIgnoreCase("credstore", "securestore", "keystore", "credentials")
-            || service.existsByLabelStartsWith("credstore") || service.existsByUriSchemeStartsWith(CRED_STORE_SCHEME);
+        return service.existsByTagIgnoreCase(CRED_STORE_SCHEME, "securestore", "keystore", "credentials")
+            || service.existsByLabelStartsWith(CRED_STORE_SCHEME)
+            || service.existsByUriSchemeStartsWith(CRED_STORE_SCHEME);
     }
 
     @Override

src/main/java/eu/europa/ec/dgc/issuance/restapi/controller/CertController.java

@@ -39,9 +39,7 @@
 import org.springframework.web.bind.annotation.RestController;
 
 /**
- * The endpoint here are not public API and should be used only for developing testing
- * purposes.
- * Only available for spring dev profile
+ * The endpoint here are not public API and should be used only for developing testing purposes.
  */
 @RestController
 @RequestMapping("/cert")
@@ -74,15 +72,14 @@ public ResponseEntity<String> decodeCbor(@RequestBody String cbor) throws IOExce
      *
      * @param prefixedEncodedCompressedCose edgc
      * @return decode result
-     * @throws IOException IOException
      */
     @Operation(
         summary = "decode edgc, developing tool",
         description = "decode and validate edgc raw string, extract raw data of each decode stage"
     )
     @PostMapping(value = "decodeEGC", consumes = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<EgcDecodeResult> decodeEgCert(
-        @RequestBody String prefixedEncodedCompressedCose) throws IOException {
+        @RequestBody String prefixedEncodedCompressedCose) {
 
         EgcDecodeResult egcDecodeResult = edgcValidator.decodeEdgc(prefixedEncodedCompressedCose);
         return ResponseEntity.ok(egcDecodeResult);