-rw-r--r-- | .cirrus.yml | 28 | ||||
-rw-r--r-- | build.gradle | 5 |
2 files changed, 33 insertions, 0 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
index efea6e4cded..aa76d281daa 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -401,3 +401,31 @@ upgd_oracle12_task:
     - ./private/cirrus/cirrus-qa.sh oracle12
   on_failure:
     <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
+
+# Software Composition Analysis (SCA): check potential vulnerabilities in dependencies.
+# Note that license compliance of dependencies is not checked for now.
+owasp_check_task:
+  only_if: $CIRRUS_CRON == "nightly"
+  timeout_in: 30m
+  gke_container:
+    <<: *GKE_CONTAINER_TEMPLATE
+    cpu: 1.7
+    memory: 2Gb
+  environment:
+    # No need to clone the full history.
+    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
+    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
+    CIRRUS_CLONE_DEPTH: 50
+    SLACK_WEBHOOK_SQ: ENCRYPTED[dec8e4350cbea3b94d63098558bcb3ae9e79b71c2b6286fcfb9eb80c0953b6448b10f7271b07b5e75e52f362c25d7a8f]
+  nvd_cache:
+    # The NVD repository of vulnerabilities is big and should be cached so
+    # that consecutive runs download only changes, but not the whole repository.
+    folder: ~/.gradle/dependency-check-data
+    reupload_on_changes: true
+  script:
+    - gradle dependencyCheckAggregate
+  always:
+    slack_notification_script:
+      - ./private/cirrus/cirrus-owasp-notification.sh
+    reports_artifacts:
+      path: "build/reports/*"
\ No newline at end of file
diff --git a/build.gradle b/build.gradle
index 1a25f8b9a29..9ce84e4edb8 100644
--- a/build.gradle
+++ b/build.gradle
@@ -486,6 +486,11 @@ subprojects {
       yarnVersion = '1.22.0'
       download = true
     }
+
+    // the OWASP tool does not support yarn, and its yarn.lock files, so node modules
+    // should be explicitly installed (yarn task) before running the audit
+    // See https://github.com/jeremylong/DependencyCheck/issues/2393
+    dependencyCheckAggregate.dependsOn(yarn)
   }
   if (official) { |
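Review bot: `reports_artifacts` under `always:` publishes everything in `build/reports/*`, which after `gradle dependencyCheckAggregate` will include the dependency-check report listing each dependency together with its matched CVEs; if this Cirrus project is publicly viewable, that artifact is a ready-made inventory of the product's unpatched vulnerable dependencies, readable by anyone before the team has triaged or fixed them. Consider narrowing the path to the dependency-check output only and confirming who can download artifacts for this project, or keeping the report on the Slack side. Separately, the task runs only on the `nightly` cron and nothing in this hunk shows a failure threshold for the scan (if one exists it lives in the Gradle plugin config, not visible here), so a finding is notified but never blocks a merge — reasonable for a triage-first SCA rollout, but worth stating next to the task, e.g. `# Informational only: findings go to Slack via the always: block and do not gate merges.`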
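Review bot: Making `dependencyCheckAggregate` depend on `yarn` means the nightly SCA job now performs a full `yarn install`, which downloads packages from the registry and executes their install/postinstall lifecycle scripts, inside a job that also carries the decrypted `SLACK_WEBHOOK_SQ` secret (see the `.cirrus.yml` hunk) — exactly the supply-chain exposure an SCA job is meant to surface, not to add. As far as I can tell dependency-check only needs the `package.json` files present under `node_modules` to identify packages, so an install with `--ignore-scripts` (and `--frozen-lockfile`, so the scanned tree matches `yarn.lock`) would suffice for the audit; whether that is done by adding `args` to this `yarn` task or by a dedicated install task for the scan depends on the node plugin configuration, which is not visible in this hunk. The linked issue is about yarn support in the tool, so the comment could also note that the `dependsOn(yarn)` workaround should be revisited once the plugin is upgraded to a version that reads `yarn.lock` directly. The enclosing `subprojects { ... }` block starts before this hunk.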