[NO JIRA] Remove OWASP SCA tooling
authorPhilippe Perrin <philippe.perrin@sonarsource.com>
Fri, 25 Feb 2022 12:14:58 +0000 (13:14 +0100)
committersonartech <sonartech@sonarsource.com>
Tue, 1 Mar 2022 20:03:12 +0000 (20:03 +0000)
.cirrus.yml
build.gradle

index d7a84bdb6b61e2c9ee9db027526c4c8522056870..6c2c3cd1186fbbba143f9da45b12290dfbc2c584 100644 (file)
@@ -478,31 +478,3 @@ upgd_oracle12_task:
     - ./private/cirrus/cirrus-qa.sh oracle12
   on_failure:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
-
-# Software Composition Analysis (SCA): check potential vulnerabilities in dependencies.
-# Note that license compliance of dependencies is not checked for now.
-owasp_check_task:
-  only_if: >-
-           $CIRRUS_CRON == "nightly" ||
-           $CIRRUS_CRON == "weekly-latest" ||
-           $CIRRUS_CRON == "weekly-lts" ||
-           changesInclude('private/owasp/*.xml')
-  timeout_in: 30m
-  gke_container:
-    <<: *GKE_CONTAINER_TEMPLATE
-    cpu: 1.7
-    memory: 4Gb
-  environment:
-    # No need to clone the full history.
-    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
-    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
-    CIRRUS_CLONE_DEPTH: 50
-    SLACK_WEBHOOK_SQ: ENCRYPTED[dec8e4350cbea3b94d63098558bcb3ae9e79b71c2b6286fcfb9eb80c0953b6448b10f7271b07b5e75e52f362c25d7a8f]
-  script:
-    - gradle dependencyCheckAggregate
-  on_failure:
-    slack_notification_script:
-      - ./private/cirrus/cirrus-owasp-notification.sh
-  always:
-    reports_artifacts:
-      path: "build/reports/*"
index 61684efd83f7567465a19bf3a075617389960193..cdd45978d97b25403d26eee2a234c54e951be128 100644 (file)
@@ -9,7 +9,6 @@ plugins {
   id 'com.github.node-gradle.node' version '2.2.4' apply false
   id 'io.spring.dependency-management' version '1.0.10.RELEASE'
   id "com.asarkar.gradle.build-time-tracker" version "2.0.4" apply false
-  id 'org.owasp.dependencycheck' version '6.1.6'
   id 'org.sonarqube' version '3.0'
   id "de.undercouch.download" version "4.1.1" apply false
 }
@@ -29,38 +28,6 @@ if (!JavaVersion.current().java11Compatible) {
   throw new GradleException("JDK 11+ is required to perform this build. It's currently " + System.getProperty("java.home") + ".")
 }
 
-apply plugin: 'org.owasp.dependencycheck'
-dependencyCheck {
-  analyzers {
-    assemblyEnabled = false
-    autoconfEnabled = false
-    bundleAuditEnabled = false
-    cmakeEnabled = false
-    cocoapodsEnabled = false
-    composerEnabled = false
-    cocoapodsEnabled = false
-    golangDepEnabled = false
-    golangModEnabled = false
-    nodeAudit {
-      skipDevDependencies = true
-    }
-    nuspecEnabled = false
-    nugetconfEnabled = false
-    rubygemsEnabled = false
-    swiftEnabled = false
-  }
-  format = 'ALL'
-  junitFailOnCVSS = 0
-  failBuildOnCVSS = 0
-  suppressionFiles = ["${project.rootDir}/private/owasp/suppressions.xml", "${project.rootDir}/private/owasp/vulnerabilities.xml"]
-  skipProjects = project.subprojects
-      .findAll {it.name.contains('testing') ||
-          it.name.startsWith('it-') ||
-          it.name.contains('-test') ||
-          it.name == 'sonar-ws-generator'}
-      .collect { it.path }
-}
-
 allprojects {
   apply plugin: 'com.jfrog.artifactory'
   apply plugin: 'maven-publish'
@@ -501,11 +468,6 @@ subprojects {
       yarnVersion = '1.22.0'
       download = true
     }
-
-    // the OWASP tool does not support yarn, and its yarn.lock files, so node modules
-    // should be explicitly installed (yarn task) before running the audit
-    // See https://github.com/jeremylong/DependencyCheck/issues/2393
-    dependencyCheckAggregate.dependsOn(yarn)
   }
 
   if (official) {