DPSTAT-1397 updating build for trivy (#47)

* DPSTAT-1397 updating build for trivy

* DPSTAT-1397 updating build for trivy with master configuration

* DPSTAT-1397 remove skip set up failing the build

* DPSTAT-1397 changes after PR

* DPSTAT-1397 udpated from ssb bip to gar

* DPSTAT-1397 upgrading 2 high vulnerability libraries

* DPSTAT-1397 reverting the change of profile

* DPSTAT-1397 change of profile to ssb-gar

* DPSTAT-1397 moving google authentication sequence for failed build

* DPSTAT-1397 changing profile to ssb-gar

Author: salma-tfb

.github/workflows/build.yml

@@ -14,7 +14,7 @@ jobs:
     permissions:
       contents: read
       id-token: write
-
+      security-events: write
     steps:
       - uses: actions/checkout@v3
 
@@ -33,10 +33,38 @@ jobs:
           service_account: "gh-actions-dapla-pseudo@artifact-registry-5n.iam.gserviceaccount.com"
           token_format: access_token
 
+      - name: Build with Maven
+        run: mvn --batch-mode -P ssb-gar package
+
+      - name: Fail build on High/Critical Vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'table'
+          scan-ref: '.'
+          severity: 'HIGH,CRITICAL'
+          ignore-unfixed: true
+          exit-code: 1
+
+      - name: Run Trivy vulnerability scanner (SARIF for reporting)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          skip-setup-trivy: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: 'trivy-results.sarif'
+
       - name: Build and test with Maven
         if: github.event_name == 'pull_request'
-        run: mvn --batch-mode -P ssb-bip clean test
+        run: mvn --batch-mode -P ssb-gar clean test
 
       - name: Build with Maven and deploy to Artifact Registry
-        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
-        run: mvn --batch-mode -P ssb-bip deploy -Dmaven.javadoc.skip=true
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master' && success()
+        run: mvn --batch-mode -P ssb-gar deploy -Dmaven.javadoc.skip=true

pom.xml

@@ -17,7 +17,7 @@
     <dapla-dlp-pseudo-func.version>1.3.3</dapla-dlp-pseudo-func.version>
     <guava.version>32.0.0-jre</guava.version>
     <jsonassert.version>1.5.1</jsonassert.version>
-    <logback.version>1.4.6</logback.version>
+    <logback.version>1.4.12</logback.version>
     <lombok.version>1.18.30</lombok.version>
     <micronaut.version>4.3.7</micronaut.version>
     <micronaut.validation.version>4.4.0</micronaut.validation.version>
@@ -27,6 +27,7 @@
     <univocity-parsers.version>2.9.1</univocity-parsers.version>
     <zip4j.version>2.11.5</zip4j.version>
     <caffeine.version>3.2.2</caffeine.version>
+    <protobuf.version>3.25.5</protobuf.version>
 
     <!-- Plugin/extension versions -->
     <artifactregistry-maven-wagon.version>2.1.4</artifactregistry-maven-wagon.version>
@@ -134,6 +135,12 @@
       <artifactId>tika-core</artifactId>
       <version>${tika.version}</version>
     </dependency>
+    <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java</artifactId>
+      <version>${protobuf.version}</version>
+    </dependency>
+
     <dependency>
       <groupId>net.lingala.zip4j</groupId>
       <artifactId>zip4j</artifactId>
@@ -381,7 +388,7 @@
       </build>
     </profile>
     <profile>
-      <id>ssb-bip</id>
+      <id>ssb-gar</id>
       <distributionManagement>
         <repository>
           <id>artifact-registry</id>