From 80b1e0ff25ccc0207dee18cdd699951093aec675 Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Thu, 4 Aug 2022 12:26:41 +0200 Subject: [PATCH] add OWASP dependencyCheck --- README.md | 20 +++++++++++++++++++- build.gradle | 10 ++++++++++ etc/owasp-dependency-check-suppression.xml | 10 ++++++++++ 3 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 etc/owasp-dependency-check-suppression.xml diff --git a/README.md b/README.md index 5830fdfa..6af22015 100644 --- a/README.md +++ b/README.md @@ -266,6 +266,7 @@ Underneath of rbac and hs, the structure is business oriented, NOT technical / l Some of these rules are checked with *ArchUnit* unit tests. + ### Spotless Code Formatting Code formatting for Java is checked via *spotless*. @@ -275,7 +276,7 @@ The formatting style can be checked with this command: gw spotlessCheck ``` -This task is also included in `gw build`. +This task is also included in `gw build` and `gw check`. To apply formatting rules, use: @@ -283,6 +284,23 @@ To apply formatting rules, use: gw spotlessApply ``` +### OWASP Security Vulnerability Check + +An OWASP security vulnerability is configured and can be utilized by running: + +```shell +gw dependencyCheckAnalyze +``` + +This task is also included in `gw build` and `gw check`. +It is configured in [build.gradle](build.gradle). + +Often vulnerability reports don't apply to our use cases. +Therefore, reports can be [suppressed](./etc/owasp-dependency-check-suppression.xml). +In case of suppression, a note must be added to explain why it does not apply to us. + +See also: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html. + ## How To diff --git a/build.gradle b/build.gradle index 18c06db6..53959354 100644 --- a/build.gradle +++ b/build.gradle 
@@ -72,3 +72,13 @@ spotless { toggleOffOn() } } +project.tasks.check.dependsOn(spotlessCheck) + +dependencyCheck { + cveValidForHours=4 + format = 'ALL' + suppressionFile = 'etc/owasp-dependency-check-suppression.xml' + failOnError = true + failBuildOnCVSS = 7 +} +project.tasks.check.dependsOn(dependencyCheckAnalyze) diff --git a/etc/owasp-dependency-check-suppression.xml b/etc/owasp-dependency-check-suppression.xml new file mode 100644 index 00000000..1776882e --- /dev/null +++ b/etc/owasp-dependency-check-suppression.xml @@ -0,0 +1,10 @@ + + + + + ^pkg:maven/org\.springframework/spring-web@.*$ + CVE-2016-1000027 + +
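Review bot: in the README hunk that adds the `### OWASP Security Vulnerability Check` section, the sentence `An OWASP security vulnerability is configured and can be utilized by running:` is missing the word "check" and reads as if a vulnerability were being configured; suggest `An OWASP security vulnerability check is configured and can be run with:`. The same section rules that every suppression must carry a note explaining why it does not apply; it would help to say where that note goes (the notes element of each suppress entry in etc/owasp-dependency-check-suppression.xml) so the rule is actually followable.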
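Review bot: the `dependencyCheck { ... }` block in the build.gradle hunk configures the extension, but the hunk does not apply the `org.owasp.dependencycheck` plugin, and the diffstat shows these 10 lines are the only build.gradle change; confirm the plugin is already applied earlier in the file, otherwise `gw dependencyCheckAnalyze` fails on an unknown extension. Two smaller points: `cveValidForHours=4` should be spaced like the neighbouring assignments (`cveValidForHours = 4`), and `failBuildOnCVSS = 7` means that findings with a CVSS score below 7 only land in the generated report and never break `gw check`, so someone has to read that report; a one-line comment next to the threshold recording that this is the intended policy would make it explicit.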
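Review bot: the suppression entry for `CVE-2016-1000027` matching `^pkg:maven/org\.springframework/spring-web@.*$` carries no visible explanation, although the README hunk in this same patch requires a note stating why a suppressed report does not apply; add that explanation to the entry (for example, which spring-web functionality the project does not use) before merging. The regex also matches every spring-web version, so the suppression will keep applying silently after upgrades; state in the note that this is intended. Finally, the rendered hunk shows only the text content of the file with its XML element tags missing, so double-check that the committed file is well-formed XML.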