cryptomator / cryptofs

Java Filesystem Provider with integrated encryption
GNU Affero General Public License v3.0

Feature: Refactor OWASP dependency check runs #192

Closed infeo closed 9 months ago

infeo commented 9 months ago

This PR changes the way we use the https://github.com/jeremylong/DependencyCheck Maven plugin.

Changes were necessary due to the deprecation of an API used by dependency check (see here for details).

Changes:

infeo commented 9 months ago

Good start, but how are we notified? Just a failed workflow? That might be a lot of spam for the repo owner. Instead, can we post such notifications in Slack?

I had exactly the same thoughts with the reversed result 😆 But will change it to a Slack notification.

infeo commented 9 months ago

notifications in slack

Done in https://github.com/cryptomator/cryptofs/pull/192/commits/8e20b707f52e62dd33db206ed6bf827c9c06df15.

@overheadhunter The only part missing is now the merge constraint. Can you add it to the repository? It should be very similar to https://github.com/cryptomator/cryptomator and its release-check.yml action.

overheadhunter commented 9 months ago

The only part missing is now the merge constraint. Can you add it to the repository?

I can't reference the action from the repo settings before it exists on the default branch.