Merge pull request #8 from wiremock/fix-vulns

Fix / ignore vulnerabilities
wiremock · Sep 13, 2024 · 002c659 · 002c659
2 parents 6ed66f7 + 0684bf1
commit 002c659
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 3 deletions.
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -21,12 +21,12 @@ jobs:
       JDK_VERSION:  ${{ matrix.jdk }}
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
     - name: Set up JDK
-      uses: actions/setup-java@v2
+      uses: actions/setup-java@v4
       with:
         java-version: ${{ matrix.jdk }}
         distribution: 'temurin'
@@ -43,3 +43,18 @@ jobs:
 
     - name: Test with Gradle
       run: ./gradlew check --stacktrace --no-daemon
+
+  gradle-scan:
+    name: Snyk gradle scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Snyk to check build.gradle for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test
+          args: --severity-threshold=high --org=f310ee2f-5552-444d-84ee-ec8c44c33adb
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -38,3 +38,17 @@ jobs:
           OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
           OSSRH_GPG_SECRET_KEY: ${{ secrets.OSSRH_GPG_SECRET_KEY }}
           OSSRH_GPG_SECRET_KEY_PASSWORD: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+
+  gradle-monitor:
+    name: Snyk gradle monitor
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Snyk to monitor build.gradle for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: monitor
+          args: --org=f310ee2f-5552-444d-84ee-ec8c44c33adb --project-name=wiremock-jwt-extension --policy-path=.snyk
diff --git a/.snyk b/.snyk
@@ -0,0 +1,15 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
+    - '*':
+        reason: No fix available
+        expires: 2025-09-13T11:22:43.997Z
+        created: 2024-09-13T11:22:43.999Z
+  'snyk:lic:maven:junit:junit:EPL-1.0':
+    - '*':
+        reason: Not relevant, we do not repackage junit
+        expires: 2034-09-13T12:29:48.476Z
+        created: 2024-09-13T12:29:48.481Z
+patch: {}
diff --git a/build.gradle b/build.gradle
@@ -12,7 +12,7 @@ plugins {
   id 'eclipse'
   id 'project-report'
   id 'com.diffplug.spotless' version '6.21.0'
-  id 'org.wiremock.tools.gradle.wiremock-extension-convention' version '0.2.0'
+  id 'org.wiremock.tools.gradle.wiremock-extension-convention' version '0.3.0'
 }
 
 repositories {
@@ -67,6 +67,9 @@ dependencies {
     implementation('com.fasterxml.jackson.core:jackson-core:2.15.0') {
       because 'version 2.14.2 brought in transitively by com.auth0:[email protected] has CWE-400'
     }
+    implementation('org.apache.commons:commons-compress:1.26.0') {
+      because 'version 1.24.0 brought in transitively by org.wiremock:wiremock:3.9.1 has CVE-2024-25710'
+    }
   }
 }