add OWASP dependencyCheck

2022-08-04 12:26:41 +02:00 · 2022-08-04 12:26:41 +02:00 · 80b1e0ff25
commit 80b1e0ff25
parent d9ee0017dd
3 changed files with 39 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -266,6 +266,7 @@ Underneath of rbac and hs, the structure is business oriented, NOT technical / l

 Some of these rules are checked with *ArchUnit* unit tests.

+
 ### Spotless Code Formatting

 Code formatting for Java is checked via *spotless*.
@ -275,7 +276,7 @@ The formatting style can be checked with this command:
 gw spotlessCheck
 ```

-This task is also included in `gw build`.
+This task is also included in `gw build` and `gw check`.

 To apply formatting rules, use:

@ -283,6 +284,23 @@ To apply formatting rules, use:
 gw spotlessApply
 ```

+### OWASP Security Vulnerability Check
+
+An OWASP security vulnerability is configured and can be utilized by running:
+
+```shell
+gw dependencyCheckAnalyze
+```
+
+This task is also included in `gw build` and `gw check`.
+It is configured in [build.gradle](build.gradle).
+
+Often vulnerability reports don't apply to our use cases.
+Therefore, reports can be [suppressed](./etc/owasp-dependency-check-suppression.xml).
+In case of suppression, a note must be added to explain why it does not apply to us.
+
+See also: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html.
+

 ## How To

--- a/build.gradle
+++ b/build.gradle
@ -72,3 +72,13 @@ spotless {
        toggleOffOn()
    }
 }
+project.tasks.check.dependsOn(spotlessCheck)
+
+dependencyCheck {
+    cveValidForHours=4
+    format = 'ALL'
+    suppressionFile = 'etc/owasp-dependency-check-suppression.xml'
+    failOnError = true
+    failBuildOnCVSS = 7
+}
+project.tasks.check.dependsOn(dependencyCheckAnalyze)
--- a/etc/owasp-dependency-check-suppression.xml
+++ b/etc/owasp-dependency-check-suppression.xml
@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[
+            We don't use the Spring HTTP invoker which causes this vulnerability due to Java deserialization.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
+    </suppress>
+</suppressions>