Update CVE scan actions to support mandatory OSS Index authentication (#1765)

stonesmi · web-flow · commit 91681ab1659f · 2025-09-23T14:30:08.000+01:00
* Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764) * Update Node CVE scanning workflow (#1764)
diff --git a/.github/workflows/cve-scanning-node.yml b/.github/workflows/cve-scanning-node.yml
@@ -5,21 +5,51 @@ on:
     paths:
       - "**/package.json"
       - ".github/workflows/cve-scanning-node.yml"
-      - "vuu-ui/allow-list.json"
+      - "vuu-ui/allow-list.xml"
 
 jobs:
-  scan-packages:
+
+  node-modules-scan:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [20.x]
+
+    env:
+      OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+      OSS_INDEX_API_KEY: ${{ secrets.OSS_INDEX_API_KEY }}
+
     steps:
-      - uses: actions/checkout@v3
-      - name: Use Node.js ${{ matrix.node-version }}
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Node
         uses: actions/setup-node@v3
         with:
-          node-version: ${{ matrix.node-version }}
-      - run: npm install --production
-        working-directory: vuu-ui
-      - run: npx --yes auditjs ossi --whitelist allow-list.json
+          node-version: 20.x
+
+      - name: Build project with NPM
+        run: npm install --omit=dev
         working-directory: vuu-ui
+
+      - name: Depcheck
+        if: ${{ env.OSS_INDEX_USERNAME != '' && env.OSS_INDEX_API_KEY != '' }}
+        uses: dependency-check/Dependency-Check_Action@1b5d19fd4a32ff0ff982e8c9d8e27dbf7ac8a46c
+        id: Depcheck
+        with:
+          project: 'vuu-ui'
+          path: 'vuu-ui'
+          format: 'HTML'
+          out: 'reports'
+          args: >
+            --ossIndexUsername ${{ env.OSS_INDEX_USERNAME }}
+            --ossIndexPassword ${{ env.OSS_INDEX_API_KEY }}
+            --suppression allow-list.xml
+            --nodeAuditSkipDevDependencies
+            --nodePackageSkipDevDependencies
+            --failOnCVSS 7
+            --enableRetired
+
+      - name: Upload Test results
+        if: ${{ always() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: Depcheck report
+          path: ${{ github.workspace }}/reports
diff --git a/.github/workflows/cve-scanning.yml b/.github/workflows/cve-scanning.yml
@@ -8,25 +8,37 @@ on:
       - ".github/workflows/cve-scanning.yml"
 
 jobs:
+
   depchecktest:
     runs-on: ubuntu-latest
-    name: depecheck_test
+
+    env:
+      OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+      OSS_INDEX_API_KEY: ${{ secrets.OSS_INDEX_API_KEY }}
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+
       - name: Build project with Maven
-        run: mvn clean install
-      - name: Depcheck
-        uses: dependency-check/Dependency-Check_Action@78155aab85e9867e3c35f533e9ddad8ba7cdad7b # v2
+        run: mvn clean install -DskipTests
+
+      - name: Run OWASP Dependency-Check on Maven subprojects
+        if: ${{ env.OSS_INDEX_USERNAME != '' && env.OSS_INDEX_API_KEY != '' }}
+        uses: dependency-check/Dependency-Check_Action@1b5d19fd4a32ff0ff982e8c9d8e27dbf7ac8a46c
         id: Depcheck
         with:
           project: "vuu"
-          path: "./vuu"
+          path: "vuu"
           format: "HTML"
           out: "reports" # this is the default, no need to specify unless you wish to override it
-          args: >
-            --failOnCVSS 5
+          args: >            
+            --ossIndexUsername ${{ env.OSS_INDEX_USERNAME }}
+            --ossIndexPassword ${{ env.OSS_INDEX_API_KEY }}
+            --suppression allow-list.xml
+            --failOnCVSS 7
             --enableRetired
+
       - name: Upload Test results
         if: ${{ always() }}
         uses: actions/upload-artifact@v4
diff --git a/vuu-ui/allow-list.json b/vuu-ui/allow-list.json
diff --git a/vuu-ui/allow-list.xml b/vuu-ui/allow-list.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+</suppressions>
