atlas-code-github-workflows/.github/workflows/backend_owasp_dependency_check.yml at main · blw-ofag-ufag/atlas-code-github-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
name: OWASP Dependency Check ensure no vulnerable dependencies
run-name: OWASP Dependency Check
on:
  workflow_call:
    inputs:
      enable:
        description: 'Enable OWASP dependency check'
        required: false
        default: true
        type: boolean
    secrets:
      NIST_OWASP_API_KEY:
        description: "API Key for the national vulnerability database used by OWASP Dependency Check"
        required: true
jobs:
  owasp-dependency-check:
    name: OWASP Dependency Check
    runs-on: ubuntu-latest
    timeout-minutes: 100
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Set up JDK 25
        uses: actions/setup-java@v5
        with:
          java-version: '25'
          distribution: 'corretto'

      - name: Restore Maven Cache
        uses: actions/cache/restore@v5
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-

      - name: Maven install
        run: mvn -B install -DskipTests -T 1C

      - name: Get Date for OWASP Cache
        id: get-cache-date
        run: |
          echo "date=$(/bin/date -u "+%Y%m%d%H")" >> $GITHUB_OUTPUT
        shell: bash

      - name: Restore Dependency-Check Cache
        if: inputs.enable
        uses: actions/cache/restore@v5
        with:
          path: ${{ github.workspace }}/.dependency-check
          key: ${{ runner.os }}-dependency-check-${{ steps.get-cache-date.outputs.date }}
          restore-keys: |
            ${{ runner.os }}-dependency-check-

      - name: Run OWASP Dependency Check
        if: inputs.enable
        run: |
          mvn org.owasp:dependency-check-maven:check \
            -DdataDirectory="${{ github.workspace }}/.dependency-check" \
            -DossindexAnalyzerEnabled=false \
            -DnvdApiKey=${{ secrets.NIST_OWASP_API_KEY }} \
            -DpnpmAuditAnalyzerEnabled=false \
            -DnodeAuditAnalyzerEnabled=false \
            -DyarnAuditAnalyzerEnabled=false

      - name: Save Dependency-Check Cache
        uses: actions/cache/save@v5
        if: inputs.enable
        with:
          path: ${{ github.workspace }}/.dependency-check
          key: ${{ runner.os }}-dependency-check-${{ steps.get-cache-date.outputs.date }}

      - name: Save Maven Cache
        uses: actions/cache/save@v5
        if: success()
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}