cve-scanning.yml

name: Maven CVE Scanning

on:
  workflow_dispatch:
  push:
    branches:
      - "main"
      - "release-*"

jobs:

  depchecktest:
    runs-on: ubuntu-latest

    env:
      OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
      OSS_INDEX_API_KEY: ${{ secrets.OSS_INDEX_API_KEY }}

    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Make mvnw executable
        run: chmod +x mvnw

      - name: Build project with Maven
        run: ./mvnw -B -ntp clean install -DskipTests

      - name: Run OWASP Dependency-Check on Maven subprojects
        if: ${{ env.OSS_INDEX_USERNAME != '' && env.OSS_INDEX_API_KEY != '' }}
        uses: dependency-check/Dependency-Check_Action@1e54355a8b4c8abaa8cc7d0b70aa655a3bb15a6c
        id: Depcheck
        with:
          project: "vuu"
          path: "vuu"
          format: "HTML"
          out: "reports" # this is the default, no need to specify unless you wish to override it
          args: >            
            --ossIndexUsername ${{ env.OSS_INDEX_USERNAME }}
            --ossIndexPassword ${{ env.OSS_INDEX_API_KEY }}
            --suppression allow-list.xml
            --failOnCVSS 7
            --enableRetired

      - name: Upload Test results
        if: ${{ always() }}
        uses: actions/upload-artifact@v5
        with:
          name: Depcheck report
          path: ${{ github.workspace }}/reports