- ./private/cirrus/cirrus-qa.sh oracle12 | - ./private/cirrus/cirrus-qa.sh oracle12 | ||||
on_failure: | on_failure: | ||||
<<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE | <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE | ||||
# Software Composition Analysis (SCA): check potential vulnerabilities in dependencies. | |||||
# Note that license compliance of dependencies is not checked for now. | |||||
owasp_check_task: | |||||
only_if: >- | |||||
$CIRRUS_CRON == "nightly" || | |||||
$CIRRUS_CRON == "weekly-latest" || | |||||
$CIRRUS_CRON == "weekly-lts" || | |||||
changesInclude('private/owasp/*.xml') | |||||
<<: *YARN_CACHE_TEMPLATE | |||||
<<: *GRADLE_CACHE_TEMPLATE | |||||
timeout_in: 30m | |||||
gke_container: | |||||
<<: *GKE_CONTAINER_TEMPLATE | |||||
cpu: 1.7 | |||||
memory: 4Gb | |||||
SLACK_WEBHOOK_SQ: ENCRYPTED[dec8e4350cbea3b94d63098558bcb3ae9e79b71c2b6286fcfb9eb80c0953b6448b10f7271b07b5e75e52f362c25d7a8f] | |||||
script: | |||||
- gradle dependencyCheckAggregate | |||||
on_failure: | |||||
slack_notification_script: | |||||
- ./private/cirrus/cirrus-owasp-notification.sh | |||||
always: | |||||
reports_artifacts: | |||||
path: "build/reports/*" | |||||
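Review bot: The `only_if` condition at the top of `owasp_check_task` limits the scan to the three cron schedules and to commits touching `private/owasp/*.xml`, so a pull request that adds or bumps a vulnerable dependency is not caught by PR CI but by the next scheduled run; the header comment should state that explicitly, e.g. `# Runs on the nightly/weekly crons and when suppression files change only — this is NOT a PR gate.` The `always:` block uploads `build/reports/*` produced by `gradle dependencyCheckAggregate`, which presumably lists the currently unfixed CVEs in the product, so confirm that artifact visibility on this task is as restricted as the rest of the `private/` tree. Only the Yarn and Gradle cache templates are attached; if the dependency-check NVD data directory is not inside what `GRADLE_CACHE_TEMPLATE` caches (not visible here), every run re-downloads the full NVD feed, which can exhaust the 30m `timeout_in` and surface as a spurious Slack failure rather than a real finding.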
| ./gradlew command | Description | | | ./gradlew command | Description | | ||||
|---|---| | |---|---| | ||||
| `dependencies`| list dependencies | | | `dependencies`| list dependencies | | ||||
| `dependencyCheckAnalyze` | list vulnerable dependencies | | |||||
| `dependencyUpdates` | list the dependencies that could be updated | | | `dependencyUpdates` | list the dependencies that could be updated | | ||||
| `licenseFormat --rerun-tasks` | fix source headers by applying HEADER.txt | | | `licenseFormat --rerun-tasks` | fix source headers by applying HEADER.txt | | ||||
| `wrapper --gradle-version 5.2.1` | upgrade wrapper | | | `wrapper --gradle-version 5.2.1` | upgrade wrapper | |
id 'com.google.protobuf' version '0.8.18' apply false | id 'com.google.protobuf' version '0.8.18' apply false | ||||
id 'com.jfrog.artifactory' version '4.24.23' | id 'com.jfrog.artifactory' version '4.24.23' | ||||
id 'io.spring.dependency-management' version '1.0.11.RELEASE' | id 'io.spring.dependency-management' version '1.0.11.RELEASE' | ||||
id 'org.owasp.dependencycheck' version '6.3.2' | |||||
id 'org.sonarqube' version '3.3' | id 'org.sonarqube' version '3.3' | ||||
id "de.undercouch.download" version "4.1.2" apply false | id "de.undercouch.download" version "4.1.2" apply false | ||||
} | } | ||||
throw new GradleException("JDK 11+ is required to perform this build. It's currently " + System.getProperty("java.home") + ".") | throw new GradleException("JDK 11+ is required to perform this build. It's currently " + System.getProperty("java.home") + ".") | ||||
} | } | ||||
apply plugin: 'org.owasp.dependencycheck' | |||||
dependencyCheck { | |||||
analyzers { | |||||
assemblyEnabled = false | |||||
autoconfEnabled = false | |||||
bundleAuditEnabled = false | |||||
cmakeEnabled = false | |||||
cocoapodsEnabled = false | |||||
composerEnabled = false | |||||
cocoapodsEnabled = false | |||||
golangDepEnabled = false | |||||
golangModEnabled = false | |||||
nodeAudit { | |||||
skipDevDependencies = true | |||||
} | |||||
nuspecEnabled = false | |||||
nugetconfEnabled = false | |||||
rubygemsEnabled = false | |||||
swiftEnabled = false | |||||
} | |||||
format = 'ALL' | |||||
junitFailOnCVSS = 0 | |||||
failBuildOnCVSS = 0 | |||||
suppressionFiles = ["${project.rootDir}/private/owasp/suppressions.xml", "${project.rootDir}/private/owasp/vulnerabilities.xml"] | |||||
skipProjects = project.subprojects | |||||
.findAll {it.name.contains('testing') || | |||||
it.name.startsWith('it-') || | |||||
it.name.contains('-test') || | |||||
it.name == 'sonar-ws-generator'} | |||||
.collect { it.path } | |||||
} | |||||
allprojects { | allprojects { | ||||
apply plugin: 'com.jfrog.artifactory' | apply plugin: 'com.jfrog.artifactory' | ||||
apply plugin: 'maven-publish' | apply plugin: 'maven-publish' | ||||
} | } | ||||
gradle.projectsEvaluated { gradle -> | gradle.projectsEvaluated { gradle -> | ||||
// Execute dependencyCheckAggregate prerequisites before the actual check | |||||
allprojects | |||||
.findResults { it -> it.tasks.findByName('dependencyCheckAggregate_prerequisites') } | |||||
.each { t -> dependencyCheckAggregate.dependsOn(t) } | |||||
// yarn_run tasks can't all run in parallel without random issues | // yarn_run tasks can't all run in parallel without random issues | ||||
// this script ensure all yarn_run tasks run sequentially | // this script ensure all yarn_run tasks run sequentially | ||||
def yarnRunTasks = allprojects.findResults { it -> it.tasks.findByName('yarn_run') } | def yarnRunTasks = allprojects.findResults { it -> it.tasks.findByName('yarn_run') } |
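Review bot: `failBuildOnCVSS = 0` and `junitFailOnCVSS = 0` make any reported finding, including unscored ones, fail the build, so triage happens entirely through the two files in `suppressionFiles`, yet nothing here bounds how long a suppression lives — a CVE silenced as non-exploitable is never re-examined after the dependency or the scoring changes. I would document that on the block, `// CVSS 0: every finding fails the build; triage is done via private/owasp/*.xml, and each <suppress> there should carry an until="YYYY-MM-DDZ" expiry so it gets revisited`, and have review of those XML files enforce the expiry. `cocoapodsEnabled = false` is set twice inside `analyzers` (the second copy is dead and should go); while touching that list, note that every analyzer not listed keeps the plugin default, which I believe includes the OSS Index analyzer that sends dependency coordinates to Sonatype — decide explicitly whether that outbound lookup is acceptable for the private subprojects and set the `ossIndex { enabled }` switch (if I have the key right) accordingly. The `projectsEvaluated` wiring of `dependencyCheckAggregate_prerequisites` is fine, but a one-line comment at the `dependencyCheck` block saying the prerequisites tasks live in the subproject build files would save the next reader a search.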
commandLine osAdaptiveCommand(['npm', 'run', 'audit-ci']) | commandLine osAdaptiveCommand(['npm', 'run', 'audit-ci']) | ||||
} | } | ||||
task dependencyCheckAggregate_prerequisites(type: Exec) { | |||||
// the OWASP tool does not support yarn and its yarn.lock files, so node modules | |||||
// should be explicitly installed (yarn install) before running the audit | |||||
// See https://github.com/jeremylong/DependencyCheck/issues/2393 | |||||
commandLine osAdaptiveCommand(['yarn', 'install', '--immutable']) | |||||
} | |||||
task zip(type: Zip) { | task zip(type: Zip) { | ||||
def archiveDir = "$version" | def archiveDir = "$version" | ||||
duplicatesStrategy DuplicatesStrategy.EXCLUDE | duplicatesStrategy DuplicatesStrategy.EXCLUDE |
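Review bot: `dependencyCheckAggregate_prerequisites` runs a full `yarn install --immutable`, which also executes the lifecycle (postinstall) scripts of every dependency, including the dev dependencies the audit itself skips through `skipDevDependencies`, so the scan job ends up running more third-party code than it inspects. If this is Yarn 2+ (the `--immutable` flag suggests so) and the install exists only to materialise `node_modules` for the analyzer, `--mode=skip-build` would keep the lockfile check while skipping those scripts — worth verifying the analyzer still sees the packages with that mode before switching. The task declares no inputs/outputs and no `dependsOn`, so it is never up-to-date and relies on the root build's `projectsEvaluated` hook to be attached; a comment such as `// Wired into dependencyCheckAggregate from the root build.gradle (projectsEvaluated hook)` would make that coupling visible to whoever edits this file. The same task body is duplicated verbatim in the other `build.gradle` touched by this commit, so the two must be kept in lock-step or the definition moved to the root build.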
commandLine osAdaptiveCommand(['npm', 'run', 'audit-ci']) | commandLine osAdaptiveCommand(['npm', 'run', 'audit-ci']) | ||||
} | } | ||||
task dependencyCheckAggregate_prerequisites(type: Exec) { | |||||
// the OWASP tool does not support yarn and its yarn.lock files, so node modules | |||||
// should be explicitly installed (yarn install) before running the audit | |||||
// See https://github.com/jeremylong/DependencyCheck/issues/2393 | |||||
commandLine osAdaptiveCommand(['yarn', 'install', '--immutable']) | |||||
} | |||||
def sources = fileTree(dir: "src") + fileTree(dir: "scripts") + fileTree(dir: "config") + fileTree(dir: "__mocks__") | def sources = fileTree(dir: "src") + fileTree(dir: "scripts") + fileTree(dir: "config") + fileTree(dir: "__mocks__") | ||||
task licenseCheckWeb(type: com.hierynomus.gradle.license.tasks.LicenseCheck) { | task licenseCheckWeb(type: com.hierynomus.gradle.license.tasks.LicenseCheck) { |