Add an automated vulnerability check (#18)

elasticio · May 4, 2022 · 5ca71ab · 5ca71ab
1 parent 967060d
commit 5ca71ab
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 1.0.5 (May 6, 2022)
+* Add an automated vulnerability check
+
 ## 1.0.4 (April 08, 2022)
 * Updated the Sailor version to 3.3.9
 

diff --git a/build.gradle b/build.gradle
@@ -3,6 +3,7 @@ apply plugin: 'groovy'
 apply plugin: 'idea'
 apply plugin: 'eclipse'
 apply plugin: 'java-library-distribution'
+apply plugin: org.owasp.dependencycheck.gradle.DependencyCheckPlugin
 
 group = 'io.elastic'
 
@@ -48,6 +49,26 @@ uploadArchives {
     }
 }
 
+check.dependsOn dependencyCheckAnalyze
+
+dependencyCheck {
+    format = 'ALL'
+    // Dependency Check script will fail in case there are critical (9.0-10.0) vulnerabilities.
+    // It should be configured to 7 (high and critical), but so far is not possible as 'axis' library
+    // and log4j issues which does not have any updates that solve the problem
+    failBuildOnCVSS = 7
+    suppressionFile='./dependencyCheck-suppression.xml'
+}
+
+buildscript {
+    repositories {
+        mavenCentral()
+    }
+    dependencies {
+        classpath 'org.owasp:dependency-check-gradle:6.0.3'
+    }
+}
+
 wrapper {
     gradleVersion = '5.4.1'
 }
diff --git a/component.json b/component.json
@@ -2,7 +2,7 @@
   "title": "Petstore API (Java)",
   "description": "elastic.io component for the Petstore API",
   "docsUrl": "https://github.com/elasticio/petstore-component-java",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "credentials": {
     "fields": {
       "apiKey": {

diff --git a/dependencyCheck-suppression.xml b/dependencyCheck-suppression.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <notes><![CDATA[
+      file name: logback-jackson-0.1.5.jar
+      ]]>
+    </notes>
+    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-jackson@.*$</packageUrl>
+    <cve>CVE-2017-5929</cve>
+    <cve>CVE-2021-42550</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+      file name: logback-json-classic-0.1.5.jar
+      ]]>
+    </notes>
+    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-json\-classic@.*$</packageUrl>
+    <cpe>cpe:/a:qos:logback</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+      file name: logback-json-core-0.1.5.jar
+      ]]>
+    </notes>
+    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-json\-core@.*$</packageUrl>
+    <cpe>cpe:/a:qos:logback</cpe>
+  </suppress>
+</suppressions>