Add OWASP dependency check (hapifhir#1347)

* Add owasp dependency scan * Add github action to upload results * Remove unused javalin dependency, also generate html reports * formats instead of format * Restore javalin dependency (make revert easier later if necessary) * Set OWASP to run on PR plus better names for sarif upload
aehrc · Jul 14, 2023 · c2cb2aa · c2cb2aa
1 parent a917497
commit c2cb2aa
Show file tree

Hide file tree

Showing 6 changed files with 82 additions and 8 deletions.
diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml
@@ -1,9 +1,10 @@
-
-name: "OWASP"
+name: "OWASP Security Scans"
 
 on:
-  schedule:
-    - cron: '0 0 * * *'
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
 
   workflow_dispatch:
 
@@ -29,4 +30,6 @@ jobs:
         sarif_file: target/dependency-check-report.sarif
         # Optional category for the results
         # Used to differentiate multiple results for one commit
-        category: OWASP-analysis
+
+        category: OWASP-dependency-check
+
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -1,4 +1,4 @@
-name: Trivy Security Scans
+name: "Trivy Security Scans"
 
 on:
   push:
@@ -32,4 +32,4 @@ jobs:
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: 'trivy-results.sarif'
-          category: 'code'
+          category: 'Trivy-security-scan'
diff --git a/cve-suppression.xml b/cve-suppression.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+</suppressions>
diff --git a/org.hl7.fhir.validation.cli/pom.xml b/org.hl7.fhir.validation.cli/pom.xml
@@ -415,6 +415,24 @@
                         <skip>true</skip>
                     </configuration>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <configuration>
+                        <suppressionFiles>
+                            <suppressionFile>cve-suppression.xml</suppressionFile>
+                        </suppressionFiles>
+                        <excludes>
+                            <!-- These are our own modules, and contain test archives for zip-slip, which break owasp
+                            archive extraction -->
+                            <exclude>ca.uhn.hapi.fhir:org.hl7.fhir.convertors</exclude>
+                            <exclude>ca.uhn.hapi.fhir:org.hl7.fhir.r4b</exclude>
+                            <exclude>ca.uhn.hapi.fhir:org.hl7.fhir.r5</exclude>
+                            <exclude>ca.uhn.hapi.fhir:org.hl7.fhir.utilities</exclude>
+                            <exclude>ca.uhn.hapi.fhir:org.hl7.fhir.validation</exclude>
+                        </excludes>
+                    </configuration>
+                </plugin>
         	</plugins>
         </pluginManagement>
     </build>

diff --git a/org.hl7.fhir.validation/pom.xml b/org.hl7.fhir.validation/pom.xml
@@ -199,8 +199,9 @@
             <groupId>io.javalin</groupId>
             <artifactId>javalin</artifactId>
             <version>3.8.0</version>
-				<optional>true</optional>
+            <optional>true</optional>
         </dependency>
+
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-simple</artifactId>

diff --git a/pom.xml b/pom.xml
@@ -286,6 +286,18 @@
                         <redirectTestOutputToFile>false</redirectTestOutputToFile>
                     </configuration>
                 </plugin>
+
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>8.2.1</version>
+                    <configuration>
+                        <suppressionFiles>
+                            <suppressionFile>cve-suppression.xml</suppressionFile>
+                        </suppressionFiles>
+                        <formats>sarif,html</formats>
+                    </configuration>
+                </plugin>
             </plugins>
         </pluginManagement>
         <plugins>
@@ -680,5 +692,42 @@
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <id>OWASP_CHECK</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>check</goal>
+                                </goals>
+                                <configuration>
+                                    <failBuildOnCVSS>10</failBuildOnCVSS>
+                                    <skipTestScope>true</skipTestScope>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
+    <reporting>
+        <plugins>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>aggregate</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+        </plugins>
+    </reporting>
 </project>