Update DSL version to 9.68.0, and bundle to 11.89.2 #41
Workflow file for this run
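# Scans the project's Maven dependencies for known CVEs with OWASP
# Dependency-Check and publishes the HTML report as a build artifact.
name: Demo Model CVE Scanning

on:
  push:
    branches:
      - master
    # Anchor shared with the pull_request trigger below so both stay in sync.
    paths: &monitored-files
      - '**/pom.xml'  # Monitor all POM files
      - '.github/workflows/cve-scanning.yml'
      # The suppression file decides which findings are ignored, so a change
      # to it must re-run the scan as well.
      - '**/allow-list.xml'
  pull_request:
    paths: *monitored-files
  # NOTE(review): the scan only runs when the files above change. New CVEs
  # published against unchanged dependencies are not picked up until the next
  # such change; consider an additional `schedule` trigger.

concurrency:
  # One run per pull request (or per ref for pushes); a newer run cancels
  # the one still in progress.
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

permissions:
  id-token: write  # Required for Workload Identity Federation
  contents: read  # Required for actions/checkout

env:
  JAVA_VERSION: '21'  # Match the project's compiler version

jobs:
  cve-security-scan:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are referenced by major-version tag,
      # which the action owner can move. Pinning each to a full commit SHA
      # makes the run reproducible and limits supply-chain exposure.
      - uses: actions/checkout@v5
        with:
          # No later step pushes or fetches with git, so do not leave the
          # token in .git/config where the Maven build could read it.
          persist-credentials: false

      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          java-version: ${{ env.JAVA_VERSION }}
          distribution: 'temurin'

      # NOTE(review): this step runs before the Maven build, so the build
      # (including any plugin declared in a changed POM) executes with the
      # federated Google Cloud credentials available. Presumably they are
      # needed to resolve artifacts; confirm the bound identity is read-only.
      - name: Authenticate to Google Cloud
        uses: 'google-github-actions/auth@v3'
        with:
          project_id: production-208613
          workload_identity_provider: projects/211964611435/locations/global/workloadIdentityPools/artifact-registry/providers/github-actions-rosetta-models

      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v2

      - name: Cache Maven dependencies
        uses: actions/cache@v4
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2

      - name: Build modules to populate local repo (no tests)
        run: mvn -B -ntp -U -DskipTests install

      # NOTE(review): `@main` is a mutable branch, and this step receives the
      # OSS Index credentials. Pin to a reviewed full commit SHA instead.
      - name: CVE scanning
        uses: dependency-check/Dependency-Check_Action@main
        env:
          # NOTE(review): presumably the JDK location inside the action's
          # container rather than the JDK installed by setup-java; confirm.
          JAVA_HOME: /opt/jdk
        with:
          project: 'Demo'
          path: '.'
          format: 'HTML'
          out: 'reports'
          # --failOnCVSS 7 fails the step when a finding scores 7 or higher.
          # Findings listed in allow-list.xml are suppressed, so review
          # changes to that file as carefully as dependency changes.
          args: >
            --suppression allow-list.xml
            --failOnCVSS 7
            --centralUrl https://central.sonatype.com/solrsearch/select
            --ossIndexUsername ${{ secrets.OSSINDEX_USERNAME }}
            --ossIndexPassword ${{ secrets.OSSINDEX_TOKEN }}

      - name: Upload results
        # Without this condition the upload is skipped whenever the scan step
        # fails, which is exactly when the report is needed.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: CVE Scan Report ${{ strategy.job-index }}
          path: ${{github.workspace}}/reports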