generated from SAP/repository-template
-
Notifications
You must be signed in to change notification settings - Fork 8
86 lines (75 loc) · 2.8 KB
/
fosstars-report.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
name: "Fosstars (Security)"
on:
workflow_dispatch:
schedule:
- cron: '42 03 * * MON-FRI' # 03:42 on weekdays, a somewhat random time to avoid producing load spikes on the GH actions infrastructure
env:
MVN_MULTI_THREADED_ARGS: --batch-mode --no-transfer-progress --fail-at-end --show-version --threads 1C
JAVA_VERSION: 17
CVE_CACHE_KEY: cve-db
CVE_CACHE_DIR: ~/.m2/repository/org/owasp/dependency-check-data
CVE_CACHE_REF: refs/heads/main
jobs:
create_fosstars_report:
runs-on: ubuntu-latest
name: "Security rating"
steps:
- name: "Checkout repository"
uses: actions/checkout@v4
- name: "Setup java"
uses: actions/setup-java@v4
with:
distribution: "temurin"
java-version: ${{ env.JAVA_VERSION }}
cache: 'maven'
- name: "Restore CVE Database"
uses: actions/cache/restore@v4
with:
path: ${{ env.CVE_CACHE_DIR }}
key: ${{ env.CVE_CACHE_KEY }}
# fail-on-cache-miss: true
- name: "Build SDK"
run: |
MVN_ARGS="${{ env.MVN_MULTI_THREADED_ARGS }} clean install -DskipTests -DskipFormatting"
mvn $MVN_ARGS
- name: "CVE Scan"
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
run: |
mvn -T1 --no-transfer-progress --batch-mode org.owasp:dependency-check-maven:check org.owasp:dependency-check-maven:aggregate
- name: "Archive CVE Report"
uses: actions/upload-artifact@v4
with:
name: cve-report
path: target/dependency-check-report.html
retention-days: 7
- name: "Delete Old CVE Cache"
run: |
CACHE_IDS=$(gh cache list --key "${{ env.CVE_CACHE_KEY }}" --ref "${{ env.CVE_CACHE_REF }}" --json id | jq -r '.[] | .id')
for CACHE_ID in $CACHE_IDS; do
echo "Deleting cache with ID: $CACHE_ID"
gh cache delete "${CACHE_ID}"
done
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: "Create Updated CVE Cache"
uses: actions/cache/save@v4
with:
path: ${{ env.CVE_CACHE_DIR }}
key: ${{ env.CVE_CACHE_KEY }}
# This action changes the active branch!
- name: "Fosstars Rating"
uses: SAP/[email protected]
with:
report-branch: fosstars-report
token: ${{ secrets.GITHUB_TOKEN }}
- name: "Slack Notification"
if: failure()
uses: slackapi/[email protected]
with:
webhook: ${{ secrets.SLACK_WEBHOOK }}
webhook-type: incoming-webhook
payload: |
{
"text": "⚠️ OWASP Dependency check failed! 😬 Please inspect & fix by clicking <https://github.com/SAP/ai-sdk-java/actions/runs/${{ github.run_id }}|here>"
}