
Include a GitHub workflow for vulnerability scanning #1174

Open
wants to merge 3 commits into base: master

Conversation

alexanderpann (Member)

No description provided.

- name: Upload Test results
  uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
  with:
    name: Depcheck report
Member

Let's give it a full name like: "Dependency Check report"

arimer (Member) commented Dec 9, 2024

At the moment the report is just uploaded as an artifact. What is the intention behind this? Will there be an automated check of the report or anything like that in the future?

arimer (Member) commented Dec 9, 2024

1. Are the platform dependencies to mbeddr / mps-extensions / mps-qa excluded by default? A local dependency calculation looks like this, but most of those deps. did not make it to the report?
   [image: local dependency calculation] Report: [image: report]
2. What about the custom JBR that we are using for building? Do we need to list it?
3. Could you maybe link the documentation to the provider of that plugin?

alexanderpann (Member, Author) commented Dec 9, 2024

> At the moment the report is just uploaded as an artifact. What is the intention behind this? Will there be an automated check of the report or anything like that in the future?

I first wanted to check if we have any vulnerabilities. We could set --failOnCVSS 7 (fail on severity level 7 or higher out of 10) so that the build fails when an issue is found. If we fail the build, someone has to fix it immediately, which we might not want.

> Are the platform dependencies excluded by default?

They seem to be excluded, but to be honest I don't understand how it works. For me this behavior is correct since we only want to check the current platform and also keep the checking fast.

> What about the custom JBR that we are using for building?

If we want to check it, the vulnerability check would have to be done in https://github.com/mbeddr/build.publish.jdk. Since we don't build anything here, the generic JDK is fine.

> Could you maybe link the documentation

This is the GitHub action: https://github.com/dependency-check/Dependency-Check_Action
The arguments are documented here: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html
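The trade-off discussed above (upload the report only, or also fail the build with --failOnCVSS 7) in one workflow, as an added example that is not the workflow from this PR. It uses the inputs documented by the Dependency-Check_Action README; the project label, branch name and cron schedule are assumptions, and `if: always()` keeps the report artifact available even when the threshold fails the scan step.

```yaml
name: Dependency vulnerability scan

on:
  push:
    branches: [master]          # assumed default branch
  pull_request:
  schedule:
    - cron: "0 4 * * 1"         # assumed weekly rescan: new CVEs appear without code changes

permissions:
  contents: read

jobs:
  depcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run OWASP Dependency-Check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: "mbeddr"       # assumed label printed in the report
          path: "."
          format: "HTML"
          out: "reports"          # report directory read by the upload step below
          # --failOnCVSS 7 fails this step for any finding with CVSS >= 7.0;
          # drop the flag to keep the scan report-only, as the PR currently does
          args: >
            --failOnCVSS 7

      # Runs even when the scan step failed the threshold, so the report that
      # explains the failure is still uploaded as an artifact.
      - name: Upload Dependency Check report
        if: always()
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
        with:
          name: Dependency Check report
          path: ${{ github.workspace }}/reports
```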
