add OWASP dependencyCheck

This commit is contained in:
Michael Hoennig 2022-08-04 12:26:41 +02:00
parent d9ee0017dd
commit 80b1e0ff25
3 changed files with 39 additions and 1 deletions

View File

@ -266,6 +266,7 @@ Underneath of rbac and hs, the structure is business oriented, NOT technical / l
Some of these rules are checked with *ArchUnit* unit tests.
### Spotless Code Formatting
Code formatting for Java is checked via *spotless*.
@ -275,7 +276,7 @@ The formatting style can be checked with this command:
gw spotlessCheck
```
This task is also included in `gw build`.
This task is also included in `gw build` and `gw check`.
To apply formatting rules, use:
@ -283,6 +284,23 @@ To apply formatting rules, use:
gw spotlessApply
```
### OWASP Security Vulnerability Check
An OWASP security vulnerability is configured and can be utilized by running:
```shell
gw dependencyCheckAnalyze
```
This task is also included in `gw build` and `gw check`.
It is configured in [build.gradle](build.gradle).
Often vulnerability reports don't apply to our use cases.
Therefore, reports can be [suppressed](./etc/owasp-dependency-check-suppression.xml).
In case of suppression, a note must be added to explain why it does not apply to us.
See also: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html.
## How To

View File

@ -72,3 +72,13 @@ spotless {
toggleOffOn()
}
}
project.tasks.check.dependsOn(spotlessCheck)
dependencyCheck {
cveValidForHours=4
format = 'ALL'
suppressionFile = 'etc/owasp-dependency-check-suppression.xml'
failOnError = true
failBuildOnCVSS = 7
}
project.tasks.check.dependsOn(dependencyCheckAnalyze)

View File

@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
We don't use the Spring HTTP invoker which causes this vulnerability due to Java deserialization.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
</suppressions>