From 965d3a49f5acf2dd73a4f466a39c82785337f2c8 Mon Sep 17 00:00:00 2001
From: Philippe Perrin
Date: Fri, 25 Feb 2022 13:14:58 +0100
Subject: [PATCH] [NO JIRA] Remove OWASP SCA tooling
---
 .cirrus.yml | 28 ----------------------------
 build.gradle | 38 --------------------------------------
 2 files changed, 66 deletions(-)
diff --git a/.cirrus.yml b/.cirrus.yml
index d7a84bdb6b6..6c2c3cd1186 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -478,31 +478,3 @@ upgd_oracle12_task:
 - ./private/cirrus/cirrus-qa.sh oracle12
 on_failure:
 <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
-
-# Software Composition Analysis (SCA): check potential vulnerabilities in dependencies.
-# Note that license compliance of dependencies is not checked for now.
-owasp_check_task:
- only_if: >-
- $CIRRUS_CRON == "nightly" ||
- $CIRRUS_CRON == "weekly-latest" ||
- $CIRRUS_CRON == "weekly-lts" ||
- changesInclude('private/owasp/*.xml')
- timeout_in: 30m
- gke_container:
- <<: *GKE_CONTAINER_TEMPLATE
- cpu: 1.7
- memory: 4Gb
- environment:
- # No need to clone the full history.
- # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
- # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
- CIRRUS_CLONE_DEPTH: 50
- SLACK_WEBHOOK_SQ: ENCRYPTED[dec8e4350cbea3b94d63098558bcb3ae9e79b71c2b6286fcfb9eb80c0953b6448b10f7271b07b5e75e52f362c25d7a8f]
- script:
- - gradle dependencyCheckAggregate
- on_failure:
- slack_notification_script:
- - ./private/cirrus/cirrus-owasp-notification.sh
- always:
- reports_artifacts:
- path: "build/reports/*"
diff --git a/build.gradle b/build.gradle
index 61684efd83f..cdd45978d97 100644
--- a/build.gradle
+++ b/build.gradle
@@ -9,7 +9,6 @@ plugins {
 id 'com.github.node-gradle.node' version '2.2.4' apply false
 id 'io.spring.dependency-management' version '1.0.10.RELEASE'
 id "com.asarkar.gradle.build-time-tracker" version "2.0.4" apply false
- id 'org.owasp.dependencycheck' version '6.1.6'
 id 'org.sonarqube' version '3.0'
 id "de.undercouch.download" version "4.1.1" apply false
 }
@@ -29,38 +28,6 @@ if (!JavaVersion.current().java11Compatible) {
 throw new GradleException("JDK 11+ is required to perform this build. It's currently " + System.getProperty("java.home") + ".")
 }
 
-apply plugin: 'org.owasp.dependencycheck'
-dependencyCheck {
- analyzers {
- assemblyEnabled = false
- autoconfEnabled = false
- bundleAuditEnabled = false
- cmakeEnabled = false
- cocoapodsEnabled = false
- composerEnabled = false
- cocoapodsEnabled = false
- golangDepEnabled = false
- golangModEnabled = false
- nodeAudit {
- skipDevDependencies = true
- }
- nuspecEnabled = false
- nugetconfEnabled = false
- rubygemsEnabled = false
- swiftEnabled = false
- }
- format = 'ALL'
- junitFailOnCVSS = 0
- failBuildOnCVSS = 0
- suppressionFiles = ["${project.rootDir}/private/owasp/suppressions.xml", "${project.rootDir}/private/owasp/vulnerabilities.xml"]
- skipProjects = project.subprojects .findAll {it.name.contains('testing') || it.name.startsWith('it-') || it.name.contains('-test') || it.name == 'sonar-ws-generator'} .collect { it.path }
-}
-
 allprojects {
 apply plugin: 'com.jfrog.artifactory'
 apply plugin: 'maven-publish'
@@ -501,11 +468,6 @@ subprojects {
 yarnVersion = '1.22.0'
 download = true
 }
-
- // the OWASP tool does not support yarn, and its yarn.lock files, so node modules
- // should be explicitly installed (yarn task) before running the audit
- // See https://github.com/jeremylong/DependencyCheck/issues/2393
- dependencyCheckAggregate.dependsOn(yarn)
 }
 
 if (official) {
-- 
2.39.5