From fcbf382f912d75b6e9dbb7cf42a38098f63636f8 Mon Sep 17 00:00:00 2001
From: Julian <82032362+jurosens@users.noreply.github.com>
Date: Tue, 8 Jun 2021 08:33:23 +0200
Subject: [PATCH] fix: enable owasp check (nightly and on push to main) (#50)

---
.github/workflows/ci-dependency-check.yml | 40 +++++++++++++++++++++++
owasp/suppressions.xml | 10 ++++++
pom.xml | 16 ++++-----
3 files changed, 56 insertions(+), 10 deletions(-)
create mode 100644 .github/workflows/ci-dependency-check.yml

diff --git a/.github/workflows/ci-dependency-check.yml b/.github/workflows/ci-dependency-check.yml
new file mode 100644
index 0000000..cdf7da4
--- /dev/null
+++ b/.github/workflows/ci-dependency-check.yml
@@ -0,0 +1,40 @@
+name: ci-dependency-check
+on:
+ schedule:
+ - cron: '0 1 * * 0' # Each Sunday at 01:00 UTC
+ push:
+ branches:
+ - main
+jobs:
+ build:
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/setup-java@v2
+ with:
+ java-version: 11
+ distribution: adopt
+ - uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - uses: actions/cache@v2
+ with:
+ path: |
+ ~/.m2/repository
+ key: ${{ runner.os }}-${{ hashFiles('**/pom.xml') }}
+ - name: version
+ run: |-
+ APP_SHA=$(git rev-parse --short ${GITHUB_SHA})
+ APP_LATEST_REV=$(git rev-list --tags --max-count=1)
+ APP_LATEST_TAG=$(git describe --tags ${APP_LATEST_REV} 2> /dev/null || echo 0.0.0)
+ echo "APP_VERSION=${APP_LATEST_TAG}-${APP_SHA}" >> ${GITHUB_ENV}
+ - name: mvn
+ run: |-
+ mvn dependency-check:check \
+ --batch-mode \
+ --file ./pom.xml \
+ --settings ./settings.xml \
+ --define app.packages.username="${APP_PACKAGES_USERNAME}" \
+ --define app.packages.password="${APP_PACKAGES_PASSWORD}" \
+ env:
+ APP_PACKAGES_USERNAME: ${{ github.actor }}
+ APP_PACKAGES_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
diff --git a/owasp/suppressions.xml b/owasp/suppressions.xml
index 3aac6ff..3db1ef6 100644
--- a/owasp/suppressions.xml
+++ b/owasp/suppressions.xml
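Review bot: The `mvn` step's last script line, `--define app.packages.password="${APP_PACKAGES_PASSWORD}" \`, ends in a continuation backslash with nothing after it, and because the scalar is `|-` the script ends on that `\`, which bash keeps as a literal word, so mvn most likely aborts on an unknown phase `\` — drop the trailing backslash. The commit title says nightly, but `cron: '0 1 * * 0'` fires only on Sundays; `'0 1 * * *'` is the nightly form, and the inline comment should follow whichever is intended. The job only reads the repository and GitHub Packages, so a workflow-level `permissions: { contents: read, packages: read }` would keep GITHUB_TOKEN, which is handed to Maven as `APP_PACKAGES_PASSWORD`, at least privilege. The actions are referenced by mutable tags (`actions/setup-java@v2`, `actions/checkout@v2`, `actions/cache@v2`); pinning each to a full commit SHA with the tag in a trailing comment is the usual hardening for a job that handles a token. APP_VERSION written by the `version` step is not consumed by the `mvn` step in this hunk, so unless the pom reads it from the environment that step can be dropped.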
@@ -14,4 +14,14 @@ see https://tomcat.apache.org/security-9.html#Apache_Tomcat_9.x_vulnerabilities vulnerability is fixed in tomcat 9.0.38 CVE-2020-13943 + + + + da214a6f44ee5811c97f3b53a6dda31edf25ac9e + CVE-2016-9878 + CVE-2018-1270 + CVE-2018-1271 + CVE-2018-1272 + CVE-2020-5421 + diff --git a/pom.xml b/pom.xml index 45bd11b..0030502 100644 --- a/pom.xml +++ b/pom.xml @@ -245,6 +245,12 @@ io.pivotal.cfenv java-cfenv-boot 2.3.0 + + + org.springframework.boot + spring-boot + + com.sap.cloud.sdk.cloudplatform @@ -310,19 +316,9 @@ dependency-check-maven ${owasp.version} - true ./owasp/suppressions.xml true - - - check - validate - - check - - - org.apache.maven.plugins
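Review bot: The new suppression keyed on sha1 `da214a6f44ee5811c97f3b53a6dda31edf25ac9e` lists five ids (CVE-2016-9878, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272, CVE-2020-5421) with no notes text, whereas the existing Tomcat entry states the reason and the fixed version; this rendering strips tags but keeps text, and no rationale is visible. Add a `notes` element naming the artifact the sha1 belongs to and why each CVE does not apply (false-positive CPE match versus already-fixed version), so the suppression can be re-validated later. Consider the `until` attribute on the `suppress` element so the entry expires and is revisited instead of persisting silently; a sha1 match already stops applying on upgrade, but the review date is what gets lost.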
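Review bot: With the execution that bound `check` to the `validate` phase removed in the second pom.xml hunk (`@@ -310,19 +316,9 @@`), dependency-check no longer runs in a normal `mvn` build, so pull requests get no scan and a vulnerable dependency is only reported after it reaches main or at the next scheduled run. If that is intended, record it next to the plugin, e.g. `<!-- dependency-check runs only from ci-dependency-check.yml via mvn dependency-check:check -->`. The surviving configuration shows the values `./owasp/suppressions.xml` and `true` but the element names are stripped here; if that `true` is not a fail-on-finding setting, note that the plugin's default `failBuildOnCVSS` of 11 never fails the build, so the scheduled job would pass while reporting findings, and the threshold should be set explicitly. The first hunk appears to exclude `org.springframework.boot:spring-boot` from `java-cfenv-boot` without explanation; a one-line comment on why the exclusion is needed would help the next upgrade.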