fdc3-dotnet/.github/workflows/cve-scanning.yml at 6b8bc6b7d51659af16d24b080c00b2ba37e654d1 · finos/fdc3-dotnet · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
name: CVE Scanning

on:
  push:
  workflow_dispatch:

jobs:
  dotnet-modules-scan:
    name: dotnet-scan
    runs-on: ubuntu-latest
    continue-on-error: false

    steps:
      - name: Checkout
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Setup .NET
        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
        with:
          dotnet-version: 8.x
      - name: Build project with dotnet
        run: dotnet build --configuration Release
        working-directory: 'src'
      - name: List vulnerable libraries
        run: dotnet list package --vulnerable --include-transitive
        working-directory: 'src'
      - name: Depcheck
        uses: dependency-check/Dependency-Check_Action@3102a65fd5f36d0000297576acc56a475b0de98d
        id: Depcheck
        with:
          project: '.'
          path: '.'
          format: 'HTML'
          out: 'reports'
          args: >
            --suppression .cve/allow-list.xml
            --failOnCVSS 7
            --enableRetired
      - name: Upload Test results
        if: ${{ always() }}
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: Depcheck report
          path: ${{ github.workspace }}/reports