diff --git a/.github/repository-settings.md b/.github/repository-settings.md
index e3a33d7cec7..8ae938b1109 100644
--- a/.github/repository-settings.md
+++ b/.github/repository-settings.md
@@ -10,9 +10,8 @@ private admin repo.
 - `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
 - `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
-- `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password
- - Generated at https://nvd.nist.gov/developers/request-an-api-key
- - Key is associated with [@trask](https://github.com/trask)'s gmail address
+- `SONATYPE_OSS_INDEX_USER` - owned by [@jack-berg](https://github.com/jack-berg)
+- `SONATYPE_OSS_INDEX_PASSWORD` - owned by [@jack-berg](https://github.com/jack-berg)
 - `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
 - `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
diff --git a/.github/workflows/oss-index-audit-daily.yml b/.github/workflows/oss-index-audit-daily.yml
new file mode 100644
index 00000000000..02ef69e9a99
--- /dev/null
+++ b/.github/workflows/oss-index-audit-daily.yml
@@ -0,0 +1,51 @@
+# the benefit of this over renovate is that this also analyzes transitive dependencies
+# while renovate (at least currently) only analyzes top-level dependencies
+name: OSS Index dependency audit (daily)
+
+on:
+ schedule:
+ - cron: "30 1 * * *" # daily at 1:30 UTC
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+ with:
+ distribution: temurin
+ java-version: 21
+
+ - name: Set up gradle
+ uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+
+ - run: ./gradlew ossIndexAudit
+ id: audit
+ continue-on-error: true
+ env:
+ SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }}
+ SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }}
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+
+ - name: Print vulnerability report
+ if: steps.audit.outcome == 'failure'
+ run: |
+ echo "=== OSS Index Vulnerability Report ==="
+ find . -name "oss-index-cyclonedx-bom.json" | xargs cat
+ exit 1
+
+ workflow-notification:
+ permissions:
+ contents: read
+ issues: write
+ needs:
+ - analyze
+ if: always()
+ uses: ./.github/workflows/reusable-workflow-notification.yml
+ with:
+ success: ${{ needs.analyze.result == 'success' }}
diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml
index 7f8e9c4da87..8952db65901 100644
--- a/.github/workflows/owasp-dependency-check-daily.yml
+++ b/.github/workflows/owasp-dependency-check-daily.yml
@@ -1,6 +1,6 @@
 # the benefit of this over renovate is that this also analyzes transitive dependencies
 # while renovate (at least currently) only analyzes top-level dependencies
-name: OWASP dependency check (daily)
+name: OSS Index dependency audit (daily)
 on:
 schedule:
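Review bot: The `Print vulnerability report` step pipes `find` into `xargs cat`, so when no `oss-index-cyclonedx-bom.json` was written (for example the audit step failed on credentials or network before scanning anything) the step prints only the banner and exits 1, and with several matching files in a multi-module build they are concatenated with no indication of which module each came from; `find . -name "oss-index-cyclonedx-bom.json" -print -exec cat {} \;` prints each path before its content and avoids the empty-argument case. The same step is added to `owasp-dependency-check-daily.yml` in the next hunk, and after this commit that file carries the same `name:` and essentially the same job as this new file, differing only by `--no-configuration-cache`; if this file supersedes it, the old workflow should be deleted rather than having two schedules run the same audit under one display name. `continue-on-error: true` paired with `steps.audit.outcome == 'failure'` is the right gate for the report step, but since that step always ends in `exit 1`, a credential or rate-limit failure of `./gradlew ossIndexAudit` will surface as a vulnerability run failure unless the audit log is read; a comment on the step, `# any audit failure (findings or infrastructure) fails the job; check the audit step log when the report is empty`, would make that explicit.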
@@ -24,17 +24,20 @@ jobs:
 - name: Set up gradle
 uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
- - name: Check dependencies
- run: ./gradlew dependencyCheckAnalyze
+ - run: ./gradlew ossIndexAudit --no-configuration-cache
+ id: audit
+ continue-on-error: true
 env:
- NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+ SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }}
+ SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }}
 DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
- - name: Upload report
- if: always()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
- with:
- path: javaagent/build/reports
+ - name: Print vulnerability report
+ if: steps.audit.outcome == 'failure'
+ run: |
+ echo "=== OSS Index Vulnerability Report ==="
+ find . -name "oss-index-cyclonedx-bom.json" | xargs cat
+ exit 1
 workflow-notification:
 permissions:
diff --git a/all/build.gradle.kts b/all/build.gradle.kts
index dd097cd1e33..b21a619bab5 100644
--- a/all/build.gradle.kts
+++ b/all/build.gradle.kts
@@ -5,9 +5,9 @@ plugins {
 description = "OpenTelemetry All"
 otelJava.moduleName.set("io.opentelemetry.all")
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
- skip = true
+// Skip ossIndexAudit on test module
+tasks.named("ossIndexAudit") {
+ enabled = false
 }
 val testTasks = mutableListOf()
diff --git a/api/testing-internal/build.gradle.kts b/api/testing-internal/build.gradle.kts
index b3e79cf0cfe..6098501ea03 100644
--- a/api/testing-internal/build.gradle.kts
+++ b/api/testing-internal/build.gradle.kts
@@ -15,7 +15,7 @@ dependencies {
 implementation("org.mockito:mockito-core")
 }
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
- skip = true
+// Skip ossIndexAudit on test module
+tasks.named("ossIndexAudit") {
+ enabled = false
 }
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
index c45960086c1..2048661204b 100644
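Review bot: Dropping the `Upload report` step means the CycloneDX BOM produced by `ossIndexAudit` is now only echoed into the job log, and only when the audit fails, so a passing run leaves no report to inspect and a failing run's evidence lives solely in the log; if the BOM is meant to be retained, an `actions/upload-artifact` step with `if: always()` pointing at the `oss-index-cyclonedx-bom.json` files would keep that. The new run line passes `--no-configuration-cache` while the otherwise identical step in the new `oss-index-audit-daily.yml` does not; whichever is intended, the two workflows should agree, and a comment such as `# configuration cache disabled: ossIndexAudit reads its credentials via System.getenv at configuration time` would record why the flag is there, assuming that is the reason. The `find | xargs cat` issue in the report step is raised on the new workflow file and applies here as well.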
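Review bot: `tasks.named("ossIndexAudit") { enabled = false }` is copied verbatim into six build files by this commit (here and in `api/testing-internal`, `custom-checks`, `exporters/otlp/testing-internal`, `integration-tests/otlp` and `integration-tests/tracecontext`), so the set of modules excluded from the audit is scattered across the tree. A single opt-out in the `otel.java-conventions` plugin, for instance a boolean on the `otelJava` extension that the convention script consults when it configures `ossIndexAudit`, would keep the exclusion list in one place where a reviewer can see everything the audit skips. `tasks.named(...)` also fails the build if the task is not registered, which is only true where the convention plugin is applied; the old `dependencyCheck { skip = true }` had the same dependency, so this is not a regression, but the replacement comment could say so: `// Skip ossIndexAudit on test module (task is registered by otel.java-conventions)`.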
--- a/buildSrc/build.gradle.kts
+++ b/buildSrc/build.gradle.kts
@@ -48,6 +48,6 @@ dependencies {
 implementation("net.ltgt.gradle:gradle-errorprone-plugin:5.1.0")
 implementation("net.ltgt.gradle:gradle-nullaway-plugin:3.0.0")
 implementation("org.jetbrains.kotlin:kotlin-gradle-plugin:2.2.21")
- implementation("org.owasp:dependency-check-gradle:12.2.0")
+ implementation("org.sonatype.gradle.plugins:scan-gradle-plugin:3.1.4")
 implementation("ru.vyarus:gradle-animalsniffer-plugin:2.0.1")
 }
diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
index 2f793bbe018..71776aa2f34 100644
--- a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
+++ b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -12,7 +12,7 @@ plugins {
 id("otel.errorprone-conventions")
 id("otel.jacoco-conventions")
 id("otel.spotless-conventions")
- id("org.owasp.dependencycheck")
+ id("org.sonatype.gradle.plugins.scan")
 }
 val otelJava = extensions.create("otelJava")
@@ -48,26 +48,10 @@ checkstyle {
 configProperties["rootDir"] = rootDir
 }
-dependencyCheck {
- skipConfigurations = mutableListOf(
- "errorprone",
- "checkstyle",
- "annotationProcessor",
- "java9AnnotationProcessor",
- "moduleAnnotationProcessor",
- "testAnnotationProcessor",
- "testJpmsAnnotationProcessor",
- "animalsniffer",
- "spotless996155815", // spotless996155815 is a weird configuration that's only added in jaeger-proto, jaeger-remote-sampler
- "js2p",
- "jmhAnnotationProcessor",
- "jmhBasedTestAnnotationProcessor",
- "jmhCompileClasspath",
- "jmhRuntimeClasspath",
- "jmhRuntimeOnly")
- failBuildOnCVSS = 7.0f // fail on high or critical CVE
- analyzers.assemblyEnabled = false // not sure why its trying to analyze .NET assemblies
- nvd.apiKey = System.getenv("NVD_API_KEY")
+ossIndexAudit {
+ username = System.getenv("SONATYPE_OSS_INDEX_USER") ?: ""
+ password = System.getenv("SONATYPE_OSS_INDEX_PASSWORD") ?: ""
+ outputFormat = org.sonatype.gradle.plugins.scan.ossindex.OutputFormat.JSON_CYCLONE_DX_1_4
 }
 val testJavaVersion = gradle.startParameter.projectProperties.get("testJavaVersion")?.let(JavaVersion::toVersion)
diff --git a/context/build.gradle.kts b/context/build.gradle.kts
index b3a35620518..d0402a7983f 100644
--- a/context/build.gradle.kts
+++ b/context/build.gradle.kts
@@ -17,16 +17,6 @@ dependencies {
 testImplementation("com.google.guava:guava")
 }
-dependencyCheck {
- skipConfigurations.add("braveInOtelTestAnnotationProcessor")
- skipConfigurations.add("grpcInOtelTestAnnotationProcessor")
- skipConfigurations.add("otelAsBraveTestAnnotationProcessor")
- skipConfigurations.add("otelInBraveTestAnnotationProcessor")
- skipConfigurations.add("otelInGrpcTestAnnotationProcessor")
- skipConfigurations.add("storageWrappersTestAnnotationProcessor")
- skipConfigurations.add("strictContextEnabledTestAnnotationProcessor")
-}
-
 testing {
 suites {
 register("grpcInOtelTest") {
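Review bot: The new `ossIndexAudit {}` block silently drops two controls the removed `dependencyCheck {}` block carried and does not say what replaces them: the `failBuildOnCVSS = 7.0f` severity threshold and the `skipConfigurations` list that excluded annotation-processor, errorprone, checkstyle, animalsniffer and jmh configurations. If the scan plugin fails the task on any reported finding in any resolvable configuration, the daily job will now break on low-severity issues in build-tooling dependencies that were deliberately ignored before; either the plugin's severity and configuration options should be set here, or a comment should state that failing on every finding across all configurations is the intended stricter policy. Reading the credentials with `System.getenv(...) ?: ""` at configuration time also makes the password value part of the configuration-cache inputs, which is presumably why one of the workflows passes `--no-configuration-cache`; `providers.environmentVariable("SONATYPE_OSS_INDEX_PASSWORD").getOrElse("")` is the lazy equivalent and avoids that. The empty-string fallback deserves a one-line comment as well, e.g. `// empty credentials => anonymous (rate-limited) OSS Index access when the secrets are absent, e.g. on forks`, if that is the intended behaviour of the plugin.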
diff --git a/custom-checks/build.gradle.kts b/custom-checks/build.gradle.kts
index c587d411657..f2a25350982 100644
--- a/custom-checks/build.gradle.kts
+++ b/custom-checks/build.gradle.kts
@@ -81,7 +81,7 @@ configurations {
 }
 }
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
- skip = true
+// Skip ossIndexAudit on test module
+tasks.named("ossIndexAudit") {
+ enabled = false
 }
diff --git a/exporters/otlp/testing-internal/build.gradle.kts b/exporters/otlp/testing-internal/build.gradle.kts
index 1d6bff53854..624d4759405 100644
--- a/exporters/otlp/testing-internal/build.gradle.kts
+++ b/exporters/otlp/testing-internal/build.gradle.kts
@@ -38,7 +38,7 @@ dependencies {
 implementation("org.mock-server:mockserver-netty")
 }
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
- skip = true
+// Skip ossIndexAudit on test module
+tasks.named("ossIndexAudit") {
+ enabled = false
 }
diff --git a/integration-tests/otlp/build.gradle.kts b/integration-tests/otlp/build.gradle.kts
index 977ed7ff73e..bdc208a5392 100644
--- a/integration-tests/otlp/build.gradle.kts
+++ b/integration-tests/otlp/build.gradle.kts
@@ -43,7 +43,7 @@ tasks {
 }
 }
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
- skip = true
+// Skip ossIndexAudit on test module
+tasks.named("ossIndexAudit") {
+ enabled = false
 }
diff --git a/integration-tests/tracecontext/build.gradle.kts b/integration-tests/tracecontext/build.gradle.kts
index bad01107a42..6abc20f0d68 100644
--- a/integration-tests/tracecontext/build.gradle.kts
+++ b/integration-tests/tracecontext/build.gradle.kts
@@ -34,7 +34,7 @@ tasks {
 }
 }
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
- skip = true
+// Skip ossIndexAudit on test module
+tasks.named("ossIndexAudit") {
+ enabled = false
 }
diff --git a/sdk/metrics/build.gradle.kts b/sdk/metrics/build.gradle.kts
index fdde4938120..ae1c59f7978 100644
--- a/sdk/metrics/build.gradle.kts
+++ b/sdk/metrics/build.gradle.kts
@@ -29,10 +29,6 @@ dependencies {
 jmh(project(":sdk:testing"))
 }
-dependencyCheck {
- skipConfigurations.add("debugEnabledTestAnnotationProcessor")
-}
-
 testing {
 suites {
 register("testIncubating") {