[Chore] Improve owasp dependency check (#16305)

* improve owasp dependency check
4 months ago · d13abe6b26
4 changed files with 18 additions and 8 deletions
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@ -67,7 +67,7 @@ jobs:
        with:
          submodules: true
      - name: Set up JDK ${{ matrix.java }}
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
        with:
          java-version: ${{ matrix.java }}
          distribution: 'adopt'
@ -160,7 +160,7 @@ jobs:
        version: ["3.1.9", "3.2.0"]
    steps:
      - name: Set up JDK 8
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
        with:
          java-version: 8
          distribution: 'adopt'
--- a/.github/workflows/owasp-dependency-check.yaml
+++ b/.github/workflows/owasp-dependency-check.yaml
@ -22,7 +22,7 @@ on:
    branches:
      - '[0-9]+.[0-9]+.[0-9]+-prepare'
      - '[0-9]+.[0-9]+.[0-9]+-release'
-  pull_request:
+  pull_request_target:
    paths:
      - '**/pom.xml'
 env:
@ -30,6 +30,9 @@ env:

 jobs:
  build:
+    permissions:
+      contents: read
+      pull-requests: write
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
@ -37,12 +40,18 @@ jobs:
        with:
          submodules: true
      - name: Set up JDK 8
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
        with:
          java-version: 8
          distribution: 'adopt'
      - name: Run OWASP Dependency Check
-        run: ./mvnw -B clean install verify dependency-check:check -DskipDepCheck=false -Dmaven.test.skip=true -Dspotless.skip=true
+        run: |
+          ./mvnw -B clean install verify dependency-check:check \
+          -DskipDepCheck=false \
+          -Dmaven.test.skip=true \
+          -Dspotless.skip=true
+        env:
+          NIST_NVD_API_KEY: ${{ secrets.NIST_NVD_API_KEY }}
      - name: Upload report
        uses: actions/upload-artifact@v4
        if: ${{ cancelled() || failure() }}
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@ -66,7 +66,7 @@ jobs:
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up JDK ${{ matrix.java }}
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
        with:
          java-version: ${{ matrix.java }}
          distribution: 'adopt'
@ -95,7 +95,7 @@ jobs:
          restore-keys: ${{ runner.os }}-maven-
      # Set up JDK 17 for SonarCloud.
      - name: Set up JDK 17
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
        with:
          java-version: 17
          distribution: 'adopt'
--- a/pom.xml
+++ b/pom.xml
@ -86,7 +86,7 @@
        <jacoco.skip>false</jacoco.skip>
        <maven-jar-plugin.version>3.2.0</maven-jar-plugin.version>
        <exec-maven-plugin.version>3.0.0</exec-maven-plugin.version>
-        <owasp-dependency-check-maven.version>9.2.0</owasp-dependency-check-maven.version>
+        <owasp-dependency-check-maven.version>10.0.2</owasp-dependency-check-maven.version>
        <lombok.version>1.18.20</lombok.version>
        <awaitility.version>4.2.0</awaitility.version>
        <truth.version>1.4.2</truth.version>
@ -545,6 +545,7 @@
                        <skipRuntimeScope>true</skipRuntimeScope>
                        <skipSystemScope>true</skipSystemScope>
                        <failBuildOnCVSS>7</failBuildOnCVSS>
+                        <nvdApiKeyEnvironmentVariable>NIST_NVD_API_KEY</nvdApiKeyEnvironmentVariable>
                    </configuration>
                    <executions>
                        <execution>