Remove snyk. (#374)

tyroneyu · web-flow · commit c981dfce653c · 2022-10-24T09:15:04.000-07:00
* Remove snyk, use owasp dependency check

* Add Makefile option and CI job

* Comment out owasp dependency check and implement in separate PR.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -71,21 +71,33 @@ jobs:
           JVM_OPTS: -Xmx1g
           TERM: dumb
 
-  snyk-scan:
-    runs-on: ubuntu-20.04
-    steps:
-      # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
-      - name: Check out code
-        uses: actions/checkout@v2.3.4
-        with:
-          ref: ${{github.event.pull_request.head.ref}}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-          fetch-depth: 0
-          submodules: true
-      - name: Setup snyk
-        uses: snyk/actions/setup@0.3.0
-      - name: Snyk test
-        run: snyk test -d --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --configuration-matching="^runtimeClasspath$"
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-          GRADLE_OPTS: -Dorg.gradle.workers.max=1
+#TODO
+#  dependency-check:
+#    runs-on: ubuntu-20.04
+#    steps:
+#      - name: Check out code
+#        uses: actions/checkout@v2.3.4
+#        with:
+#          ref: ${{github.event.pull_request.head.ref}}
+#          repository: ${{github.event.pull_request.head.repo.full_name}}
+#          fetch-depth: 0
+#          submodules: true
+#
+#      - name: create checksum file
+#        uses: hypertrace/github-actions/checksum@main
+#
+#      - name: Cache packages
+#        id: cache-packages
+#        uses: actions/cache@v2
+#        with:
+#          path: ~/.gradle
+#          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
+#          restore-keys: |
+#            gradle-packages-${{ runner.os }}-${{ github.job }}
+#            gradle-packages-${{ runner.os }}
+#
+#      - name: dependency check
+#        run: make dependency-check
+#        env:
+#          JVM_OPTS: -Xmx1g
+#          TERM: dumb
diff --git a/Makefile b/Makefile
@@ -46,3 +46,7 @@ clean:
 .PHONY: init-submodules
 init-submodules:
 	git submodule update --init
+
+.PHONY: dependency-check
+dependency-check:
+	./gradlew dependencyCheckAggregate 
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -6,6 +6,7 @@ plugins {
     id("org.hypertrace.publish-maven-central-plugin") version "1.0.4" apply false
     id("org.hypertrace.ci-utils-plugin") version "0.3.0"
     id("org.gradle.test-retry") version "1.2.0" apply false
+    id("org.owasp.dependencycheck") version "7.1.1"
 }
 
 allprojects {
@@ -89,3 +90,10 @@ subprojects {
         }
     }
 }
+
+dependencyCheck {
+    format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.valueOf("ALL")
+//    suppressionFile = "owasp-suppressions.xml"
+    scanConfigurations.add("runtimeClasspath")
+    failBuildOnCVSS = 7.0F
+}

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ plugins {`
`6`	`6`	`id("org.hypertrace.publish-maven-central-plugin") version "1.0.4" apply false`
`7`	`7`	`id("org.hypertrace.ci-utils-plugin") version "0.3.0"`
`8`	`8`	`id("org.gradle.test-retry") version "1.2.0" apply false`
	`9`	`+ id("org.owasp.dependencycheck") version "7.1.1"`
`9`	`10`	`}`
`10`	`11`
`11`	`12`	`allprojects {`
`@@ -89,3 +90,10 @@ subprojects {`
`89`	`90`	`}`
`90`	`91`	`}`
`91`	`92`	`}`
	`93`	`+`
	`94`	`+dependencyCheck {`
	`95`	`+ format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.valueOf("ALL")`
	`96`	`+// suppressionFile = "owasp-suppressions.xml"`
	`97`	`+ scanConfigurations.add("runtimeClasspath")`
	`98`	`+ failBuildOnCVSS = 7.0F`
	`99`	`+}`