chore: use trivy scan vulnerability and license

Author: sheyanjie-qq

.github/workflows/dependency-review.yml

@@ -0,0 +1,57 @@
+name: Trivy Vulnerability + License Scan (PR + Scheduled)
+
+# Trigger conditions: PR/push on main/3.0 branches, daily scheduled scan (00:00 UTC)
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [ main, 3.0 ]
+    types: [ opened, synchronize, reopened ]
+  push:
+    branches: [ main, 3.0 ]
+  schedule:
+    - cron: '0 0 * * *' # Daily scan at 00:00 UTC (8:00 Beijing Time)
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write # Required for uploading SARIF to GitHub Security
+
+    steps:
+      # Step 1: Check out repository code (required for scanning local files/pom.xml)
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # Step 2: Trivy FS Scan - Detect vulnerabilities in code/dependencies
+      - name: Trivy FS Scan (Code/Dependency Vulnerabilities)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.' # Scan project root directory
+          format: 'sarif' # Output SARIF for GitHub Security integration
+          output: 'trivy-fs-results.sarif'
+          severity: 'CRITICAL,HIGH' # Focus on critical/high severity vulnerabilities
+          exit-code: '1' # Fail CI if critical/high vulnerabilities are found
+          ignore-unfixed: true # Ignore vulnerabilities that cannot be fixed
+          skip-dirs: 'target,node_modules' # Skip Maven build artifacts and node modules
+          skip-files: 'pom.xml.versionsBackup' # Skip temporary Maven files
+
+      # Step 3: Trivy License Scan
+      - name: Trivy License Scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: table
+          exit-code: 1 # Fail CI on non-allowed licenses
+          skip-dirs: target # Skip build artifacts to speed up scan
+          scanners: license
+          severity: 'UNKNOWN,HIGH,CRITICAL'
+
+
+      # Step 4: Upload SARIF report to GitHub Security (visualize vulnerabilities)
+      - name: Upload Trivy Results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-fs-results.sarif'

.github/workflows/trivy-scan.yml

@@ -39,7 +39,7 @@
         <java.version>1.8</java.version>
         <maven-compiler-plugin.version>3.6.0</maven-compiler-plugin.version>
         <jackson.version>2.20.0</jackson.version>
-        <httpclient.version>4.5.14</httpclient.version>
+        <httpclient.version>4.5.12</httpclient.version>
         <guava.version>33.5.0-jre</guava.version>
         <netty-all.version>4.2.9.Final</netty-all.version>
         <junit.version>4.13.2</junit.version>
@@ -105,9 +105,6 @@
             <version>${logback.version}</version>
             <scope>test</scope>
         </dependency>
-
-    </dependencies>
-
     <build>
         <resources>
             <resource>