[NO JIRA] Remove OWASP SCA tooling

diff --git a/.cirrus.yml b/.cirrus.yml
index 07458754602acf0edb2e554778ea81eeb6230fe4..646b360fcde1309fa2d6c54950bbef36dec3b76a 100644 (file)
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -621,31 +621,6 @@ upgd_oracle12_task:
   on_failure:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
 
-# Software Composition Analysis (SCA): check potential vulnerabilities in dependencies.
-# Note that license compliance of dependencies is not checked for now.
-owasp_check_task:
-  only_if: >-
-    $CIRRUS_CRON == "nightly" ||
-    $CIRRUS_CRON == "weekly-latest" ||
-    $CIRRUS_CRON == "weekly-lts" ||
-    changesInclude('private/owasp/*.xml')
-  <<: *YARN_CACHE_TEMPLATE
-  <<: *GRADLE_CACHE_TEMPLATE
-  timeout_in: 30m
-  gke_container:
-    <<: *GKE_CONTAINER_TEMPLATE
-    cpu: 1.7
-    memory: 4Gb
-    SLACK_WEBHOOK_SQ: ENCRYPTED[dec8e4350cbea3b94d63098558bcb3ae9e79b71c2b6286fcfb9eb80c0953b6448b10f7271b07b5e75e52f362c25d7a8f]
-  script:
-    - gradle dependencyCheckAggregate
-  on_failure:
-    slack_notification_script:
-      - ./private/cirrus/cirrus-owasp-notification.sh
-  always:
-    reports_artifacts:
-      path: "build/reports/*"
-
 ws_scan_task:
   only_if: >-
     $CIRRUS_CRON == "nightly" ||

diff --git a/.github/renovate.json b/.github/renovate.json
index 272a5baa6219cd9df2c1967d48e7ec2cf338bcd3..20710518b4a4a9cd09348ec12bbc85207ec55231 100644 (file)
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -10,7 +10,6 @@
   "separateMajorMinor": false,
   "ignoreDeps": [
     "io.spring.dependency-management",
-    "org.owasp.dependencycheck",
     "com.jfrog.artifactory",
     "org.ajoberstar.grgit",
     "com.github.ben-manes.versions",

diff --git a/build.gradle b/build.gradle
index aed914a0d00a4221290d69b6a576c9e60d922ecc..ebfb044f42899bd0d2a4d67736da5d555c293b0d 100644 (file)
--- a/build.gradle
+++ b/build.gradle
@@ -9,7 +9,6 @@ plugins {
   id 'com.google.protobuf' version '0.8.18' apply false
   id 'com.jfrog.artifactory' version '4.24.23'
   id 'io.spring.dependency-management' version '1.0.11.RELEASE'
-  id 'org.owasp.dependencycheck' version '6.3.2'
   id 'org.sonarqube' version '3.3'
   id "de.undercouch.download" version "5.0.1" apply false
 }
@@ -18,38 +17,6 @@ if (!JavaVersion.current().java11Compatible) {
   throw new GradleException("JDK 11+ is required to perform this build. It's currently " + System.getProperty("java.home") + ".")
 }
 
-apply plugin: 'org.owasp.dependencycheck'
-dependencyCheck {
-  analyzers {
-    assemblyEnabled = false
-    autoconfEnabled = false
-    bundleAuditEnabled = false
-    cmakeEnabled = false
-    cocoapodsEnabled = false
-    composerEnabled = false
-    cocoapodsEnabled = false
-    golangDepEnabled = false
-    golangModEnabled = false
-    nodeAudit {
-      skipDevDependencies = true
-    }
-    nuspecEnabled = false
-    nugetconfEnabled = false
-    rubygemsEnabled = false
-    swiftEnabled = false
-  }
-  format = 'ALL'
-  junitFailOnCVSS = 0
-  failBuildOnCVSS = 0
-  suppressionFiles = ["${project.rootDir}/private/owasp/suppressions.xml", "${project.rootDir}/private/owasp/vulnerabilities.xml"]
-  skipProjects = project.subprojects
-      .findAll {it.name.contains('testing') ||
-          it.name.startsWith('it-') ||
-          it.name.contains('-test') ||
-          it.name == 'sonar-ws-generator'}
-      .collect { it.path }
-}
-
 allprojects {
   apply plugin: 'com.jfrog.artifactory'
   apply plugin: 'maven-publish'
@@ -673,11 +640,6 @@ dependencyUpdates {
 }
 
 gradle.projectsEvaluated { gradle ->
-  // Execute dependencyCheckAggregate prerequisites before the actual check
-  allprojects
-    .findResults { it -> it.tasks.findByName('dependencyCheckAggregate_prerequisites') }
-    .each { t -> dependencyCheckAggregate.dependsOn(t) }
-
   // yarn_run tasks can't all run in parallel without random issues
   // this script ensure all yarn_run tasks run sequentially
   def yarnRunTasks = allprojects.findResults { it -> it.tasks.findByName('yarn_run') }

diff --git a/server/sonar-docs/build.gradle b/server/sonar-docs/build.gradle
index e2aeb66bee48692481d5a7ab02e6795cb14e5b01..aabb3cc87a23d76a1a46ee42729e33e881c95e0e 100644 (file)
--- a/server/sonar-docs/build.gradle
+++ b/server/sonar-docs/build.gradle
@@ -109,13 +109,6 @@ task dependency_audit(type: Exec) {
   commandLine osAdaptiveCommand(['npm', 'run', 'audit-ci'])
 }
 
-task dependencyCheckAggregate_prerequisites(type: Exec) {
-  // the OWASP tool does not support yarn and its yarn.lock files, so node modules
-  // should be explicitly installed (yarn install) before running the audit
-  // See https://github.com/jeremylong/DependencyCheck/issues/2393
-  commandLine osAdaptiveCommand(['yarn', 'install', '--immutable'])
-}
-
 task zip(type: Zip) {
   def archiveDir = "$version"
   duplicatesStrategy DuplicatesStrategy.EXCLUDE

diff --git a/server/sonar-web/build.gradle b/server/sonar-web/build.gradle
index ab7e19fcedd659ea1ca4863416b91ea002e4b71b..196296376de9aacb46556cf86b04e4a31c34e249 100644 (file)
--- a/server/sonar-web/build.gradle
+++ b/server/sonar-web/build.gradle
@@ -76,13 +76,6 @@ task dependency_audit(type: Exec) {
   commandLine osAdaptiveCommand(['npm', 'run', 'audit-ci'])
 }
 
-task dependencyCheckAggregate_prerequisites(type: Exec) {
-  // the OWASP tool does not support yarn and its yarn.lock files, so node modules
-  // should be explicitly installed (yarn install) before running the audit
-  // See https://github.com/jeremylong/DependencyCheck/issues/2393
-  commandLine osAdaptiveCommand(['yarn', 'install', '--immutable'])
-}
-
 def sources = fileTree(dir: "src") + fileTree(dir: "scripts") + fileTree(dir: "config") + fileTree(dir: "__mocks__")
 
 task licenseCheckWeb(type: com.hierynomus.gradle.license.tasks.LicenseCheck) {