SONAR-13912 Add owasp_check_task to Cirrus CI.

.cirrus.yml

@@ -401,3 +401,31 @@ upgd_oracle12_task:
     - ./private/cirrus/cirrus-qa.sh oracle12
   on_failure:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
+
+# Software Composition Analysis (SCA): check potential vulnerabilities in dependencies.
+# Note that license compliance of dependencies is not checked for now.
+owasp_check_task:
+  only_if:  $CIRRUS_CRON == "nightly"
+  timeout_in: 30m
+  gke_container:
+    <<: *GKE_CONTAINER_TEMPLATE
+    cpu: 1.7
+    memory: 2Gb
+  environment:
+    # No need to clone the full history.
+    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
+    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
+    CIRRUS_CLONE_DEPTH: 50
+    SLACK_WEBHOOK_SQ: ENCRYPTED[dec8e4350cbea3b94d63098558bcb3ae9e79b71c2b6286fcfb9eb80c0953b6448b10f7271b07b5e75e52f362c25d7a8f]
+  nvd_cache:
+    # The NVD repository of vulnerabilities is big and should be cached so
+    # that consecutive runs download only changes, but not the whole repository.
+    folder: ~/.gradle/dependency-check-data
+    reupload_on_changes: true
+  script:
+    - gradle dependencyCheckAggregate
+  always:
+    slack_notification_script:
+      - ./private/cirrus/cirrus-owasp-notification.sh
+    reports_artifacts:
+      path: "build/reports/*"

build.gradle

@@ -486,6 +486,11 @@ subprojects {
       yarnVersion = '1.22.0'
       download = true
     }
+
+    // the OWASP tool does not support yarn, and its yarn.lock files, so node modules
+    // should be explicitly installed (yarn task) before running the audit
+    // See https://github.com/jeremylong/DependencyCheck/issues/2393
+    dependencyCheckAggregate.dependsOn(yarn)
   }
 
   if (official) {