Closed josspo closed 1 year ago
Hi @josspo , thanks for this PR!
When raising a PR, make sure that actions are not failing; as you can see above, the Action that you updated was executed and failed. If you click on the Details link, you'll easily find the cause - https://github.com/finos/security-scanning/actions/runs/5476487936/jobs/9974107616?pr=279#step:5:45
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '5.0':
gradle-0.0.1.jar: CVE-2019-16370(5.9), CVE-2021-32751(7.5), CVE-2021-29429(5.5), CVE-2021-29428(7.8), CVE-2020-11979(7.5), CVE-2019-15052(9.8), CVE-2022-30586(7.2)
jquery-ui.min.js: CVE-2022-31160(6.1)
jszip.js: CVE-2022-48285(7.3)
jszip.min.js: CVE-2022-48285(7.3)
In fact, as you can see from the yaml file you updated, there is no place where you specify the suppress list of CVEs, which for gradle is defined in https://github.com/finos/security-scanning/blob/main/allow-list.xml
I'd suggest adding the `--suppression ../allow-list.xml` arg, see docs on https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html
If this approach works, it could well be that it works for all other languages and systems documented in security-scanning! We'd still need to test it one by one though.
Thanks!
The Gradle check passes, well done @josspo and @TheJuanAndOnly99 !
I see that you removed the `on:` content; I think that was a mistake, right? Could you please restore it?

```yaml
on:
  schedule:
    - cron: '0 8,18 * * 1-5'
  push:
    paths:
      - 'gradle/build.gradle'
      - 'allow-list.xml'
      - '.github/workflows/cve-scanning-gradle.yml'
```

Note that `- 'allow-list.xml'` should be replaced with `- 'gradle/allow-list.xml'`
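The two review points above (passing the CVE allow-list to dependency-check via `--suppression`, and restoring the `on:` trigger block with the corrected `gradle/allow-list.xml` path) combined into one workflow, as an added example that is not the security-scanning repository's own file. Assumptions not taken from the page: the OWASP dependency-check CLI is available on the runner as `dependency-check.sh`, the scan runs from the repository root (so the suppression path is `gradle/allow-list.xml` rather than the `../allow-list.xml` form used in the first comment), the CVSS threshold is the 5.0 reported in the failing job's message, and the `workflow_dispatch` trigger is included only because the PR title mentions running the job manually.

```yaml
# Added example workflow (not the project's own cve-scanning-gradle.yml).
# Assumed: dependency-check.sh is on PATH, the scan runs from the repo root,
# and the allow-list lives at gradle/allow-list.xml as the second review
# comment requests.
name: CVE scanning - Gradle

on:
  schedule:
    - cron: '0 8,18 * * 1-5'          # weekday scans at 08:00 and 18:00
  push:
    paths:
      - 'gradle/build.gradle'
      - 'gradle/allow-list.xml'        # corrected path from the review
      - '.github/workflows/cve-scanning-gradle.yml'
  workflow_dispatch:                   # assumed: manual trigger per PR title

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Scan Gradle dependencies with OWASP dependency-check
        # --failOnCVSS 5 reproduces the "CVSS score greater than or equal
        # to '5.0'" failure seen in the job log; --suppression points the
        # CLI at the allow-list so accepted CVEs no longer fail the build.
        run: |
          dependency-check.sh \
            --project "security-scanning-gradle" \
            --scan gradle \
            --failOnCVSS 5 \
            --suppression gradle/allow-list.xml \
            --format HTML \
            --out dependency-check-report

      - name: Upload scan report
        if: always()                   # keep the report even when the scan fails
        uses: actions/upload-artifact@v3
        with:
          name: dependency-check-report
          path: dependency-check-report
```

The `gradle/allow-list.xml` file referenced by `--suppression` is in dependency-check's suppression format: a `<suppressions>` root containing one `<suppress>` entry per accepted finding, each naming the `<cve>` and the package it applies to, with a `<notes>` element recording why the CVE was accepted. Keeping the allow-list under `push.paths` means an edit to the accepted-CVE list re-runs the scan, so a suppression that silently widens is caught on the same PR that introduces it.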
Changing Gradle CVE Scanning action to work with dependency check and changing cron job to work manually