Merge pull request #49 from FHIR/do-20230828-owasp-check

Add OWASP check
FHIR · Aug 28, 2023 · 8b458f1 · 8b458f1
2 parents f204417 + d75ea44
commit 8b458f1
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 1 deletion.
diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml
@@ -0,0 +1,29 @@
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - run: |
+          mvn -DskipTests install -P OWASP_CHECK
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: target/dependency-check-report.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+
+          category: OWASP-dependency-check
diff --git a/owasp-suppression-file.xml b/owasp-suppression-file.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+</suppressions>
diff --git a/pom.xml b/pom.xml
@@ -101,8 +101,22 @@
     </distributionManagement>
 
     <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>8.2.1</version>
+                    <configuration>
+                        <suppressionFiles>
+                            <suppressionFile>cve-suppression.xml</suppressionFile>
+                        </suppressionFiles>
+                        <formats>sarif,html</formats>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
         <plugins>
-
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
@@ -307,5 +321,32 @@
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <id>OWASP_CHECK</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <configuration>
+                            <suppressionFiles>
+                                <suppressionFile>owasp-suppression-file.xml</suppressionFile>
+                            </suppressionFiles>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>check</goal>
+                                </goals>
+                                <configuration>
+                                    <failBuildOnCVSS>10</failBuildOnCVSS>
+                                    <skipTestScope>true</skipTestScope>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
 </project>