[Chore] Improve owasp dependency check (apache#16305)

SbloodyS · web-flow · commit d13abe6b26ac · 2024-07-12T16:13:06.000+08:00
* improve owasp dependency check
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
@@ -67,7 +67,7 @@ jobs:
         with:
           submodules: true
       - name: Set up JDK ${{ matrix.java }}
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
         with:
           java-version: ${{ matrix.java }}
           distribution: 'adopt'
@@ -160,7 +160,7 @@ jobs:
         version: ["3.1.9", "3.2.0"]
     steps:
       - name: Set up JDK 8
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
         with:
           java-version: 8
           distribution: 'adopt'
diff --git a/.github/workflows/owasp-dependency-check.yaml b/.github/workflows/owasp-dependency-check.yaml
@@ -22,27 +22,36 @@ on:
     branches:
       - '[0-9]+.[0-9]+.[0-9]+-prepare'
       - '[0-9]+.[0-9]+.[0-9]+-release'
-  pull_request:
+  pull_request_target:
     paths:
       - '**/pom.xml'
 env:
   MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=25 -Dmaven.wagon.http.retryHandler.count=3
 
 jobs:
   build:
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
         with:
           submodules: true
       - name: Set up JDK 8
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
         with:
           java-version: 8
           distribution: 'adopt'
       - name: Run OWASP Dependency Check
-        run: ./mvnw -B clean install verify dependency-check:check -DskipDepCheck=false -Dmaven.test.skip=true -Dspotless.skip=true
+        run: |
+          ./mvnw -B clean install verify dependency-check:check \
+          -DskipDepCheck=false \
+          -Dmaven.test.skip=true \
+          -Dspotless.skip=true
+        env:
+          NIST_NVD_API_KEY: ${{ secrets.NIST_NVD_API_KEY }}
       - name: Upload report
         uses: actions/upload-artifact@v4
         if: ${{ cancelled() || failure() }}
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
@@ -66,7 +66,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up JDK ${{ matrix.java }}
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
         with:
           java-version: ${{ matrix.java }}
           distribution: 'adopt'
@@ -95,7 +95,7 @@ jobs:
           restore-keys: ${{ runner.os }}-maven-
       # Set up JDK 17 for SonarCloud.
       - name: Set up JDK 17
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
         with:
           java-version: 17
           distribution: 'adopt'
diff --git a/pom.xml b/pom.xml
@@ -86,7 +86,7 @@
         <jacoco.skip>false</jacoco.skip>
         <maven-jar-plugin.version>3.2.0</maven-jar-plugin.version>
         <exec-maven-plugin.version>3.0.0</exec-maven-plugin.version>
-        <owasp-dependency-check-maven.version>9.2.0</owasp-dependency-check-maven.version>
+        <owasp-dependency-check-maven.version>10.0.2</owasp-dependency-check-maven.version>
         <lombok.version>1.18.20</lombok.version>
         <awaitility.version>4.2.0</awaitility.version>
         <truth.version>1.4.2</truth.version>
@@ -545,6 +545,7 @@
                         <skipRuntimeScope>true</skipRuntimeScope>
                         <skipSystemScope>true</skipSystemScope>
                         <failBuildOnCVSS>7</failBuildOnCVSS>
+                        <nvdApiKeyEnvironmentVariable>NIST_NVD_API_KEY</nvdApiKeyEnvironmentVariable>
                     </configuration>
                     <executions>
                         <execution>
