From e77c1d5b226e93f777ca00ec2d2858196705f3a0 Mon Sep 17 00:00:00 2001 From: Trask Stalnaker Date: Fri, 13 Mar 2026 11:11:26 -0700 Subject: [PATCH 1/4] Replace NVD with Sonatype OSS Index Looks like a new CVE backing that better understands maven coordinates and so the suppressions we maintained previously should no longer be needed. Ported from https://github.com/open-telemetry/opentelemetry-java-instrumentation/pull/16445 --- .github/repository-settings.md | 5 ++-- .../owasp-dependency-check-daily.yml | 21 ++++++++------- api/testing-internal/build.gradle.kts | 5 +--- buildSrc/build.gradle.kts | 2 +- .../kotlin/otel.java-conventions.gradle.kts | 26 ++++--------------- 5 files changed, 21 insertions(+), 38 deletions(-) diff --git a/.github/repository-settings.md b/.github/repository-settings.md index e3a33d7cec7..10c2c16931e 100644 --- a/.github/repository-settings.md +++ b/.github/repository-settings.md @@ -10,9 +10,8 @@ private admin repo. - `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password - `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password -- `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password - - Generated at https://nvd.nist.gov/developers/request-an-api-key - - Key is associated with [@trask](https://github.com/trask)'s gmail address +- `SONATYPE_OSS_INDEX_USER` - owned by [@trask](https://github.com/trask) +- `SONATYPE_OSS_INDEX_PASSWORD` - owned by [@trask](https://github.com/trask) - `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg) - `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg) diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml index 7f8e9c4da87..8ff0b840919 100644 --- a/.github/workflows/owasp-dependency-check-daily.yml +++ b/.github/workflows/owasp-dependency-check-daily.yml 
@@ -1,6 +1,6 @@ # the benefit of this over renovate is that this also analyzes transitive dependencies # while renovate (at least currently) only analyzes top-level dependencies -name: OWASP dependency check (daily) +name: OSS Index dependency audit (daily) on: schedule: @@ -24,17 +24,20 @@ jobs: - name: Set up gradle uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 - - name: Check dependencies - run: ./gradlew dependencyCheckAnalyze + - run: ./gradlew ossIndexAudit + id: audit + continue-on-error: true env: - NVD_API_KEY: ${{ secrets.NVD_API_KEY }} + SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }} + SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }} DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} - - name: Upload report - if: always() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 - with: - path: javaagent/build/reports + - name: Print vulnerability report + if: steps.audit.outcome == 'failure' + run: | + echo "=== OSS Index Vulnerability Report ===" + cat oss-index-cyclonedx-bom.json + exit 1 workflow-notification: permissions: diff --git a/api/testing-internal/build.gradle.kts b/api/testing-internal/build.gradle.kts index b3e79cf0cfe..16dafc7b842 100644 --- a/api/testing-internal/build.gradle.kts +++ b/api/testing-internal/build.gradle.kts @@ -15,7 +15,4 @@ dependencies { implementation("org.mockito:mockito-core") } -// Skip OWASP dependencyCheck task on test module -dependencyCheck { - skip = true -} + diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts index c45960086c1..2048661204b 100644 --- a/buildSrc/build.gradle.kts +++ b/buildSrc/build.gradle.kts 
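Review bot: The `continue-on-error: true` on the audit step combined with `if: steps.audit.outcome == 'failure'` and the trailing `exit 1` in "Print vulnerability report" turns every non-zero exit of `./gradlew ossIndexAudit` into a "vulnerability found" failure, so an expired `SONATYPE_OSS_INDEX_PASSWORD`, an OSS Index outage or a Gradle configuration error will presumably raise the same notification as a real finding and be triaged as one. Guarding the print step on the report actually existing keeps the two cases apart, e.g. `test -f oss-index-cyclonedx-bom.json || { echo "audit failed without producing a report; see the audit step log"; exit 1; }` before the `cat`. The hunk also removes the `upload-artifact` step that ran with `if: always()`, so the CycloneDX SBOM the task now writes is only ever visible in the log of a failed run; an `if: always()` upload of the JSON report would retain an SBOM per nightly run, which is useful for supply-chain review on its own. The `analyze` job's checkout and setup steps, and the `permissions:` block, lie outside this hunk.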
@@ -48,6 +48,6 @@ dependencies { implementation("net.ltgt.gradle:gradle-errorprone-plugin:5.1.0") implementation("net.ltgt.gradle:gradle-nullaway-plugin:3.0.0") implementation("org.jetbrains.kotlin:kotlin-gradle-plugin:2.2.21") - implementation("org.owasp:dependency-check-gradle:12.2.0") + implementation("org.sonatype.gradle.plugins:scan-gradle-plugin:3.1.4") implementation("ru.vyarus:gradle-animalsniffer-plugin:2.0.1") } diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts index 2f793bbe018..71776aa2f34 100644 --- a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts +++ b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts @@ -12,7 +12,7 @@ plugins { id("otel.errorprone-conventions") id("otel.jacoco-conventions") id("otel.spotless-conventions") - id("org.owasp.dependencycheck") + id("org.sonatype.gradle.plugins.scan") } val otelJava = extensions.create("otelJava") 
@@ -48,26 +48,10 @@ checkstyle { configProperties["rootDir"] = rootDir } -dependencyCheck { - skipConfigurations = mutableListOf( - "errorprone", - "checkstyle", - "annotationProcessor", - "java9AnnotationProcessor", - "moduleAnnotationProcessor", - "testAnnotationProcessor", - "testJpmsAnnotationProcessor", - "animalsniffer", - "spotless996155815", // spotless996155815 is a weird configuration that's only added in jaeger-proto, jaeger-remote-sampler - "js2p", - "jmhAnnotationProcessor", - "jmhBasedTestAnnotationProcessor", - "jmhCompileClasspath", - "jmhRuntimeClasspath", - "jmhRuntimeOnly") - failBuildOnCVSS = 7.0f // fail on high or critical CVE - analyzers.assemblyEnabled = false // not sure why its trying to analyze .NET assemblies - nvd.apiKey = System.getenv("NVD_API_KEY") +ossIndexAudit { + username = System.getenv("SONATYPE_OSS_INDEX_USER") ?: "" + password = System.getenv("SONATYPE_OSS_INDEX_PASSWORD") ?: "" + outputFormat = org.sonatype.gradle.plugins.scan.ossindex.OutputFormat.JSON_CYCLONE_DX_1_4 } val testJavaVersion = gradle.startParameter.projectProperties.get("testJavaVersion")?.let(JavaVersion::toVersion) From 9a1758024dbe2e3ce5d6c3c453d70a991caca4f0 Mon Sep 17 00:00:00 2001 From: Trask Stalnaker Date: Tue, 17 Mar 2026 13:57:13 -0700 Subject: [PATCH 2/4] Update .github/repository-settings.md Co-authored-by: Jack Berg <34418638+jack-berg@users.noreply.github.com> --- .github/repository-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/repository-settings.md b/.github/repository-settings.md index 10c2c16931e..8ae938b1109 100644 --- a/.github/repository-settings.md +++ b/.github/repository-settings.md 
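Review bot: The new `ossIndexAudit {}` block drops the explicit policy the removed `dependencyCheck {}` block carried — `failBuildOnCVSS = 7.0f` and the list of build-only configurations that were excluded — without stating a replacement, so which severity fails the nightly job and which dependency configurations are submitted to OSS Index is now whatever the scan plugin defaults to, and that is not visible here. Please record the intended policy in a comment above the block, e.g. `// TODO(review): document (or configure, if 3.1.4 exposes it) the severity threshold and configuration scope; the old dependencyCheck setup failed only at CVSS >= 7.0 and skipped annotation-processor/jmh/tooling configurations` — I have not verified which of these the plugin exposes. The `?: ""` fallbacks are reasonable but deserve a one-line note that an unset user/password means the request goes out unauthenticated and rate-limited, so local runs can fail differently from CI. The `plugins {}` block that applies `org.sonatype.gradle.plugins.scan` to every project using this convention is outside this hunk.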
@@ -10,8 +10,8 @@ private admin repo. - `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password - `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password -- `SONATYPE_OSS_INDEX_USER` - owned by [@trask](https://github.com/trask) -- `SONATYPE_OSS_INDEX_PASSWORD` - owned by [@trask](https://github.com/trask) +- `SONATYPE_OSS_INDEX_USER` - owned by [@jack-berg](https://github.com/jack-berg) +- `SONATYPE_OSS_INDEX_PASSWORD` - owned by [@jack-berg](https://github.com/jack-berg) - `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg) - `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg) From b26bab3250306b747804a9112e88726d31e766a8 Mon Sep 17 00:00:00 2001 From: Trask Stalnaker Date: Thu, 19 Mar 2026 11:24:43 -0700 Subject: [PATCH 3/4] updates --- .github/workflows/oss-index-audit-daily.yml | 51 +++++++++++++++++++ .../owasp-dependency-check-daily.yml | 2 +- all/build.gradle.kts | 5 -- context/build.gradle.kts | 10 ---- custom-checks/build.gradle.kts | 5 -- .../otlp/testing-internal/build.gradle.kts | 5 -- integration-tests/otlp/build.gradle.kts | 5 -- .../tracecontext/build.gradle.kts | 5 -- sdk/metrics/build.gradle.kts | 4 -- 9 files changed, 52 insertions(+), 40 deletions(-) create mode 100644 .github/workflows/oss-index-audit-daily.yml diff --git a/.github/workflows/oss-index-audit-daily.yml b/.github/workflows/oss-index-audit-daily.yml new file mode 100644 index 00000000000..02ef69e9a99 --- /dev/null +++ b/.github/workflows/oss-index-audit-daily.yml 
@@ -0,0 +1,51 @@ +# the benefit of this over renovate is that this also analyzes transitive dependencies +# while renovate (at least currently) only analyzes top-level dependencies +name: OSS Index dependency audit (daily) + +on: + schedule: + - cron: "30 1 * * *" # daily at 1:30 UTC + workflow_dispatch: + +permissions: + contents: read + +jobs: + analyze: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 + with: + distribution: temurin + java-version: 21 + + - name: Set up gradle + uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 + + - run: ./gradlew ossIndexAudit + id: audit + continue-on-error: true + env: + SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }} + SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }} + DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} + + - name: Print vulnerability report + if: steps.audit.outcome == 'failure' + run: | + echo "=== OSS Index Vulnerability Report ===" + find . -name "oss-index-cyclonedx-bom.json" | xargs cat + exit 1 + + workflow-notification: + permissions: + contents: read + issues: write + needs: + - analyze + if: always() + uses: ./.github/workflows/reusable-workflow-notification.yml + with: + success: ${{ needs.analyze.result == 'success' }} diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml index 8ff0b840919..02ef69e9a99 100644 --- a/.github/workflows/owasp-dependency-check-daily.yml +++ b/.github/workflows/owasp-dependency-check-daily.yml @@ -36,7 +36,7 @@ jobs: if: steps.audit.outcome == 'failure' run: | echo "=== OSS Index Vulnerability Report ===" - cat oss-index-cyclonedx-bom.json + find . -name "oss-index-cyclonedx-bom.json" | xargs cat exit 1 workflow-notification: 
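Review bot: This commit creates `oss-index-audit-daily.yml` while the diffstat shows `owasp-dependency-check-daily.yml` is edited rather than deleted, and the two files now carry the same `name:`, the same `30 1 * * *` cron and the same `workflow-notification` job, so every night runs the audit twice, spends the OSS Index quota twice and, on a finding, presumably opens two notifications. Remove (or `git mv`) the old workflow in the same change so only one copy remains. Minor: `find . -name "oss-index-cyclonedx-bom.json" | xargs cat` prints nothing and exits 0 when no report was written, leaving the bare `exit 1` as the only signal; `find . -name oss-index-cyclonedx-bom.json -exec cat {} +` behaves the same but avoids `xargs` falling back to stdin, and an `actions/upload-artifact` step with `if: always()` would also keep the CycloneDX SBOMs from successful runs.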
diff --git a/all/build.gradle.kts b/all/build.gradle.kts index dd097cd1e33..8a2dc8d6731 100644 --- a/all/build.gradle.kts +++ b/all/build.gradle.kts @@ -5,11 +5,6 @@ plugins { description = "OpenTelemetry All" otelJava.moduleName.set("io.opentelemetry.all") -// Skip OWASP dependencyCheck task on test module -dependencyCheck { - skip = true -} - val testTasks = mutableListOf() val jarTasks = mutableListOf() diff --git a/context/build.gradle.kts b/context/build.gradle.kts index b3a35620518..d0402a7983f 100644 --- a/context/build.gradle.kts +++ b/context/build.gradle.kts @@ -17,16 +17,6 @@ dependencies { testImplementation("com.google.guava:guava") } -dependencyCheck { - skipConfigurations.add("braveInOtelTestAnnotationProcessor") - skipConfigurations.add("grpcInOtelTestAnnotationProcessor") - skipConfigurations.add("otelAsBraveTestAnnotationProcessor") - skipConfigurations.add("otelInBraveTestAnnotationProcessor") - skipConfigurations.add("otelInGrpcTestAnnotationProcessor") - skipConfigurations.add("storageWrappersTestAnnotationProcessor") - skipConfigurations.add("strictContextEnabledTestAnnotationProcessor") -} - testing { suites { register("grpcInOtelTest") { diff --git a/custom-checks/build.gradle.kts b/custom-checks/build.gradle.kts index c587d411657..de767924d8f 100644 --- a/custom-checks/build.gradle.kts +++ b/custom-checks/build.gradle.kts @@ -80,8 +80,3 @@ configurations { } } } - -// Skip OWASP dependencyCheck task on test module -dependencyCheck { - skip = true -} diff --git a/exporters/otlp/testing-internal/build.gradle.kts b/exporters/otlp/testing-internal/build.gradle.kts index 1d6bff53854..f40b49fefa2 100644 --- a/exporters/otlp/testing-internal/build.gradle.kts +++ b/exporters/otlp/testing-internal/build.gradle.kts @@ -37,8 +37,3 @@ dependencies { implementation("org.assertj:assertj-core") implementation("org.mock-server:mockserver-netty") } - -// Skip OWASP dependencyCheck task on test module -dependencyCheck { - skip = true -} 
diff --git a/integration-tests/otlp/build.gradle.kts b/integration-tests/otlp/build.gradle.kts index 977ed7ff73e..1943dda31e8 100644 --- a/integration-tests/otlp/build.gradle.kts +++ b/integration-tests/otlp/build.gradle.kts @@ -42,8 +42,3 @@ tasks { dependsOn(testing.suites) } } - -// Skip OWASP dependencyCheck task on test module -dependencyCheck { - skip = true -} diff --git a/integration-tests/tracecontext/build.gradle.kts b/integration-tests/tracecontext/build.gradle.kts index bad01107a42..c376a639fd9 100644 --- a/integration-tests/tracecontext/build.gradle.kts +++ b/integration-tests/tracecontext/build.gradle.kts @@ -33,8 +33,3 @@ tasks { jvmArgs("-Dio.opentelemetry.testArchive=${shadowJar.get().archiveFile.get().asFile.absolutePath}") } } - -// Skip OWASP dependencyCheck task on test module -dependencyCheck { - skip = true -} diff --git a/sdk/metrics/build.gradle.kts b/sdk/metrics/build.gradle.kts index fdde4938120..ae1c59f7978 100644 --- a/sdk/metrics/build.gradle.kts +++ b/sdk/metrics/build.gradle.kts @@ -29,10 +29,6 @@ dependencies { jmh(project(":sdk:testing")) } -dependencyCheck { - skipConfigurations.add("debugEnabledTestAnnotationProcessor") -} - testing { suites { register("testIncubating") { From 2813aab702c87422595d42c978c100bfbc5f7da0 Mon Sep 17 00:00:00 2001 From: Trask Stalnaker Date: Thu, 19 Mar 2026 12:38:31 -0700 Subject: [PATCH 4/4] updates --- .github/workflows/owasp-dependency-check-daily.yml | 2 +- all/build.gradle.kts | 5 +++++ api/testing-internal/build.gradle.kts | 5 ++++- custom-checks/build.gradle.kts | 5 +++++ exporters/otlp/testing-internal/build.gradle.kts | 5 +++++ integration-tests/otlp/build.gradle.kts | 5 +++++ integration-tests/tracecontext/build.gradle.kts | 5 +++++ 7 files changed, 30 insertions(+), 2 deletions(-) diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml index 02ef69e9a99..8952db65901 100644 --- a/.github/workflows/owasp-dependency-check-daily.yml 
+++ b/.github/workflows/owasp-dependency-check-daily.yml @@ -24,7 +24,7 @@ jobs: - name: Set up gradle uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 - - run: ./gradlew ossIndexAudit + - run: ./gradlew ossIndexAudit --no-configuration-cache id: audit continue-on-error: true env: diff --git a/all/build.gradle.kts b/all/build.gradle.kts index 8a2dc8d6731..b21a619bab5 100644 --- a/all/build.gradle.kts +++ b/all/build.gradle.kts @@ -5,6 +5,11 @@ plugins { description = "OpenTelemetry All" otelJava.moduleName.set("io.opentelemetry.all") +// Skip ossIndexAudit on test module +tasks.named("ossIndexAudit") { + enabled = false +} + val testTasks = mutableListOf() val jarTasks = mutableListOf() diff --git a/api/testing-internal/build.gradle.kts b/api/testing-internal/build.gradle.kts index 16dafc7b842..6098501ea03 100644 --- a/api/testing-internal/build.gradle.kts +++ b/api/testing-internal/build.gradle.kts @@ -15,4 +15,7 @@ dependencies { implementation("org.mockito:mockito-core") } - +// Skip ossIndexAudit on test module +tasks.named("ossIndexAudit") { + enabled = false +} diff --git a/custom-checks/build.gradle.kts b/custom-checks/build.gradle.kts index de767924d8f..f2a25350982 100644 --- a/custom-checks/build.gradle.kts +++ b/custom-checks/build.gradle.kts @@ -80,3 +80,8 @@ configurations { } } } + +// Skip ossIndexAudit on test module +tasks.named("ossIndexAudit") { + enabled = false +} diff --git a/exporters/otlp/testing-internal/build.gradle.kts b/exporters/otlp/testing-internal/build.gradle.kts index f40b49fefa2..624d4759405 100644 --- a/exporters/otlp/testing-internal/build.gradle.kts +++ b/exporters/otlp/testing-internal/build.gradle.kts @@ -37,3 +37,8 @@ dependencies { implementation("org.assertj:assertj-core") implementation("org.mock-server:mockserver-netty") } + +// Skip ossIndexAudit on test module +tasks.named("ossIndexAudit") { + enabled = false +} 
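Review bot: `--no-configuration-cache` is added to the `ossIndexAudit` invocation with no explanation, so a future cleanup or a repo-wide `org.gradle.configuration-cache=true` will reasonably drop it and the nightly audit will start failing for a reason nobody remembers; add a comment on the line above, e.g. `# ossIndexAudit (scan-gradle-plugin) is not configuration-cache compatible — presumed from the flag, confirm`. Separately, the skip added to `custom-checks/build.gradle.kts` is labelled `// Skip ossIndexAudit on test module` but that project holds the Error Prone custom checks, not tests; if the rationale is that its dependencies are build-time only and never shipped, say so explicitly, since build-time dependencies are still a supply-chain surface and opting them out of the audit should be a deliberate, documented choice. The `analyze` job's earlier steps are outside this hunk.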
diff --git a/integration-tests/otlp/build.gradle.kts b/integration-tests/otlp/build.gradle.kts index 1943dda31e8..bdc208a5392 100644 --- a/integration-tests/otlp/build.gradle.kts +++ b/integration-tests/otlp/build.gradle.kts @@ -42,3 +42,8 @@ tasks { dependsOn(testing.suites) } } + +// Skip ossIndexAudit on test module +tasks.named("ossIndexAudit") { + enabled = false +} diff --git a/integration-tests/tracecontext/build.gradle.kts b/integration-tests/tracecontext/build.gradle.kts index c376a639fd9..6abc20f0d68 100644 --- a/integration-tests/tracecontext/build.gradle.kts +++ b/integration-tests/tracecontext/build.gradle.kts @@ -33,3 +33,8 @@ tasks { jvmArgs("-Dio.opentelemetry.testArchive=${shadowJar.get().archiveFile.get().asFile.absolutePath}") } } + +// Skip ossIndexAudit on test module +tasks.named("ossIndexAudit") { + enabled = false +}