[NO JIRA] Remove OWASP SCA tooling

diff --git a/.cirrus.yml b/.cirrus.yml
index 5da6b2353095ad47085a24bb3524457c6645e570..e1f5cddf14a386231129f79993e36e169bc62932 100644 (file)
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -619,28 +619,4 @@ upgd_oracle12_task:
     - ./private/cirrus/cirrus-qa.sh oracle12
   on_failure:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
-
-# Software Composition Analysis (SCA): check potential vulnerabilities in dependencies.
-# Note that license compliance of dependencies is not checked for now.
-owasp_check_task:
-  only_if: >-
-    $CIRRUS_CRON == "nightly" ||
-    $CIRRUS_CRON == "weekly-latest" ||
-    $CIRRUS_CRON == "weekly-lts" ||
-    changesInclude('private/owasp/*.xml')
-  <<: *YARN_CACHE_TEMPLATE
-  <<: *GRADLE_CACHE_TEMPLATE
-  timeout_in: 30m
-  gke_container:
-    <<: *GKE_CONTAINER_TEMPLATE
-    cpu: 1.7
-    memory: 4Gb
-    SLACK_WEBHOOK_SQ: ENCRYPTED[dec8e4350cbea3b94d63098558bcb3ae9e79b71c2b6286fcfb9eb80c0953b6448b10f7271b07b5e75e52f362c25d7a8f]
-  script:
-    - gradle dependencyCheckAggregate
-  on_failure:
-    slack_notification_script:
-      - ./private/cirrus/cirrus-owasp-notification.sh
-  always:
-    reports_artifacts:
-      path: "build/reports/*"
+    
\ No newline at end of file

diff --git a/README.md b/README.md
index 74037c1fa0c92e939b5649321ed3d3204bf41ce3..c4a5a35cf667237b279b0227b7c0a5ea3d909733 100644 (file)
--- a/README.md
+++ b/README.md
@@ -71,7 +71,6 @@ Then open the root file `build.gradle` as a project in Intellij or Eclipse.
 | ./gradlew command | Description |
 |---|---|
 | `dependencies`| list dependencies |
-| `dependencyCheckAnalyze` | list vulnerable dependencies |
 | `dependencyUpdates` | list the dependencies that could be updated |
 | `licenseFormat --rerun-tasks` | fix source headers by applying HEADER.txt |
 | `wrapper --gradle-version 5.2.1` | upgrade wrapper |

diff --git a/build.gradle b/build.gradle
index d9fd0914f559eb4d66649cc090bd695b74a47b9d..f6bd5d5cf8fb7ad92dec64b6a01ab822416f23aa 100644 (file)
--- a/build.gradle
+++ b/build.gradle
@@ -9,7 +9,6 @@ plugins {
   id 'com.google.protobuf' version '0.8.18' apply false
   id 'com.jfrog.artifactory' version '4.24.23'
   id 'io.spring.dependency-management' version '1.0.11.RELEASE'
-  id 'org.owasp.dependencycheck' version '6.3.2'
   id 'org.sonarqube' version '3.3'
   id "de.undercouch.download" version "4.1.2" apply false
 }
@@ -18,38 +17,6 @@ if (!JavaVersion.current().java11Compatible) {
   throw new GradleException("JDK 11+ is required to perform this build. It's currently " + System.getProperty("java.home") + ".")
 }
 
-apply plugin: 'org.owasp.dependencycheck'
-dependencyCheck {
-  analyzers {
-    assemblyEnabled = false
-    autoconfEnabled = false
-    bundleAuditEnabled = false
-    cmakeEnabled = false
-    cocoapodsEnabled = false
-    composerEnabled = false
-    cocoapodsEnabled = false
-    golangDepEnabled = false
-    golangModEnabled = false
-    nodeAudit {
-      skipDevDependencies = true
-    }
-    nuspecEnabled = false
-    nugetconfEnabled = false
-    rubygemsEnabled = false
-    swiftEnabled = false
-  }
-  format = 'ALL'
-  junitFailOnCVSS = 0
-  failBuildOnCVSS = 0
-  suppressionFiles = ["${project.rootDir}/private/owasp/suppressions.xml", "${project.rootDir}/private/owasp/vulnerabilities.xml"]
-  skipProjects = project.subprojects
-      .findAll {it.name.contains('testing') ||
-          it.name.startsWith('it-') ||
-          it.name.contains('-test') ||
-          it.name == 'sonar-ws-generator'}
-      .collect { it.path }
-}
-
 allprojects {
   apply plugin: 'com.jfrog.artifactory'
   apply plugin: 'maven-publish'
@@ -671,11 +638,6 @@ dependencyUpdates {
 }
 
 gradle.projectsEvaluated { gradle ->
-  // Execute dependencyCheckAggregate prerequisites before the actual check
-  allprojects
-    .findResults { it -> it.tasks.findByName('dependencyCheckAggregate_prerequisites') }
-    .each { t -> dependencyCheckAggregate.dependsOn(t) }
-
   // yarn_run tasks can't all run in parallel without random issues
   // this script ensure all yarn_run tasks run sequentially
   def yarnRunTasks = allprojects.findResults { it -> it.tasks.findByName('yarn_run') }

diff --git a/server/sonar-docs/build.gradle b/server/sonar-docs/build.gradle
index e2aeb66bee48692481d5a7ab02e6795cb14e5b01..aabb3cc87a23d76a1a46ee42729e33e881c95e0e 100644 (file)
--- a/server/sonar-docs/build.gradle
+++ b/server/sonar-docs/build.gradle
@@ -109,13 +109,6 @@ task dependency_audit(type: Exec) {
   commandLine osAdaptiveCommand(['npm', 'run', 'audit-ci'])
 }
 
-task dependencyCheckAggregate_prerequisites(type: Exec) {
-  // the OWASP tool does not support yarn and its yarn.lock files, so node modules
-  // should be explicitly installed (yarn install) before running the audit
-  // See https://github.com/jeremylong/DependencyCheck/issues/2393
-  commandLine osAdaptiveCommand(['yarn', 'install', '--immutable'])
-}
-
 task zip(type: Zip) {
   def archiveDir = "$version"
   duplicatesStrategy DuplicatesStrategy.EXCLUDE

diff --git a/server/sonar-web/build.gradle b/server/sonar-web/build.gradle
index ab7e19fcedd659ea1ca4863416b91ea002e4b71b..196296376de9aacb46556cf86b04e4a31c34e249 100644 (file)
--- a/server/sonar-web/build.gradle
+++ b/server/sonar-web/build.gradle
@@ -76,13 +76,6 @@ task dependency_audit(type: Exec) {
   commandLine osAdaptiveCommand(['npm', 'run', 'audit-ci'])
 }
 
-task dependencyCheckAggregate_prerequisites(type: Exec) {
-  // the OWASP tool does not support yarn and its yarn.lock files, so node modules
-  // should be explicitly installed (yarn install) before running the audit
-  // See https://github.com/jeremylong/DependencyCheck/issues/2393
-  commandLine osAdaptiveCommand(['yarn', 'install', '--immutable'])
-}
-
 def sources = fileTree(dir: "src") + fileTree(dir: "scripts") + fileTree(dir: "config") + fileTree(dir: "__mocks__")
 
 task licenseCheckWeb(type: com.hierynomus.gradle.license.tasks.LicenseCheck) {