Add OWASP Dependency-Check to msal library build, Fixes AB#3557141#2531
Mirrors the OWASP Dependency-Check setup already in common:
- Apply org.owasp.dependencycheck plugin (v12.2.2)
- Wire dependencyCheckAnalyze into the check task
- Scan only shipped runtime classpaths (dist/local x release/debug)
- Disable analyzers irrelevant to an Android/Java library (assembly, nuspec, node, ossIndex, archive)
- NVD key resolved from -PnvdApiKey / gradle.properties / NVD_API_KEY with fail-fast when the task is in the graph and the key is missing
- Add config/owasp/dependency-check-suppressions.xml with the same two false-positive suppressions used by common (androidx.browser CVE-2008-7298 and common4j CVE-2024-35255)
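The description above lists the pieces of the wiring without showing them together. The following Groovy build-script sketch is an added example and is not the PR's own msal/build.gradle; it shows how the listed items fit into one Gradle configuration, with the fail-fast key guard gated on the task graph so an unkeyed `gradle build` is not blocked but a run that would actually call NVD is. The plugin DSL names (`dependencyCheck {}`, `nvd {}`, `analyzers {}`) follow the org.owasp.dependencycheck Gradle plugin as I know it; the CVSS threshold, report formats, throttle delay, and the four variant runtime-classpath configuration names are assumptions, since the page does not give the PR's values.

```groovy
// Added example, not the PR's msal/build.gradle. DSL names follow the
// org.owasp.dependencycheck plugin; threshold, formats, delay and the
// variant configuration names are assumed.
plugins {
    id 'com.android.library'
    id 'org.owasp.dependencycheck' version '12.2.2'
}

// Resolve the NVD API key in the order the description gives: -PnvdApiKey on the
// command line, then gradle.properties (also a project property), then NVD_API_KEY.
def resolvedNvdApiKey = project.findProperty('nvdApiKey') ?: System.getenv('NVD_API_KEY')

dependencyCheck {
    failBuildOnCVSS = 7.0f                         // assumed threshold
    formats = ['HTML', 'JSON']                     // assumed report formats
    outputDirectory = layout.buildDirectory.dir('reports/dependency-check').get().asFile.path
    suppressionFile = rootProject.file('config/owasp/dependency-check-suppressions.xml').path

    // Scan only what ships: the runtime classpaths of the dist/local x release/debug
    // variants, not test or annotation-processor configurations (names assumed).
    scanConfigurations = [
        'distReleaseRuntimeClasspath', 'distDebugRuntimeClasspath',
        'localReleaseRuntimeClasspath', 'localDebugRuntimeClasspath',
    ]

    nvd {
        apiKey = resolvedNvdApiKey
        delay = 4000                               // ms between NVD calls; assumed
    }

    // Analyzers that have nothing to find in an Android/Java library.
    analyzers {
        assemblyEnabled = false                    // .NET assemblies
        nuspecEnabled = false                      // NuGet nuspec files
        nodeEnabled = false                        // Node.js packages
        archiveEnabled = false                     // nested archive extraction
        ossIndex { enabled = false }               // Sonatype OSS Index lookups
    }
}

// Fail fast only when dependencyCheckAnalyze is in the task graph and no key was
// resolved, so the error names the three ways to supply one instead of a slow,
// throttled NVD session that fails later.
gradle.taskGraph.whenReady { graph ->
    def analyze = tasks.named('dependencyCheckAnalyze').get()
    if (graph.hasTask(analyze) && !resolvedNvdApiKey) {
        throw new GradleException(
            'dependencyCheckAnalyze requires an NVD API key: pass -PnvdApiKey=..., ' +
            'set nvdApiKey in gradle.properties, or export NVD_API_KEY.')
    }
}

// Make the scan part of the standard lifecycle.
tasks.named('check') { dependsOn 'dependencyCheckAnalyze' }
```

Gating the guard on `graph.hasTask` rather than on configuration time is the detail that matters: a developer running `./gradlew assemble` never evaluates the key, while `./gradlew check` or a CI job that includes the analyze task fails immediately with an actionable message.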
Pull request overview
Adds OWASP Dependency-Check scanning to the :msal Android library build so runtime dependencies can be analyzed for known CVEs during the standard Gradle check lifecycle, using a suppression file for narrowly-scoped false positives.
Changes:
- Applies the `org.owasp.dependencycheck` Gradle plugin to `:msal` and wires `dependencyCheckAnalyze` into `check`.
- Configures Dependency-Check (CVSS threshold, report formats/output dir, runtime-only scan configurations, NVD throttling, analyzer disables) and adds an NVD API key guard for runs that include the analyze task.
- Adds an OWASP Dependency-Check suppressions XML with two targeted false-positive suppressions.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| msal/build.gradle | Adds and configures OWASP Dependency-Check and hooks it into check, including NVD API key resolution + fail-fast behavior. |
| config/owasp/dependency-check-suppressions.xml | Introduces a suppression file with scoped suppressions + guidance comments for maintaining suppressions. |
- Add suppressions for Kotlin stdlib CVEs (< 1.4.21)
- Add suppressions for OpenTelemetry Go/C++ CVEs
- Add suppressions for protobuf-javalite false positives
- Add suppressions for common library CPE false positive
- Note: CVE-2023-0833 (okhttp) NOT suppressed; tracked in PBI #3667962
…owasp-dependency-check
❌ Invalid work item number: AB#3667951
❌ Invalid work item number: AB#3667951 ##. Work item number must be a valid integer.
✅ Work item link check complete. Description contains link AB#3667951 to an Azure Boards work item.
✅ Work item link check complete. Description contains link AB#3557141 to an Azure Boards work item.