build: use OSV-Scanner v2 for vulnerability scanning (#365)

bestbeforetoday · web-flow · commit dcad8c0f64fe · 2025-04-03T11:04:39.000-07:00
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -33,27 +33,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: gradle/actions/wrapper-validation@v3
-  cyclonedx-sbom:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-java@v4
-        with:
-          java-version: '17'
-          distribution: 'temurin'
-      - name: Generate SBOMs
-        run: ./gradlew cyclonedxBom
-      - name: Upload SBOMs
-        uses: actions/upload-artifact@v4
-        with:
-          name: cyclonedx-sbom
-          path: |
-            core/build/reports/bom.json
-            isthmus/build/reports/bom.json
-            isthmus-cli/build/reports/bom.json
+      - uses: gradle/actions/wrapper-validation@v4
   osv-scanner:
-    needs: cyclonedx-sbom
     runs-on: ubuntu-latest
     continue-on-error: true
     strategy:
@@ -64,12 +45,17 @@ jobs:
           - isthmus
           - isthmus-cli
     steps:
-      - name: Download SBOMs
-        uses: actions/download-artifact@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
         with:
-          name: cyclonedx-sbom
+          java-version: '17'
+          distribution: 'temurin'
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4
+      - name: Create Gradle lockfile
+        run: ./gradlew :${{ matrix.project }}:dependencies --write-locks
       - name: Scan
-        run: docker run --rm -v "${PWD}/${{ matrix.project }}/build/reports/bom.json:/bom.json" ghcr.io/google/osv-scanner:v1.9.2 --sbom /bom.json
+        run: docker run --rm -v "${PWD}/${{ matrix.project }}/gradle.lockfile:/gradle.lockfile" ghcr.io/google/osv-scanner:v2.0.0 scan --lockfile /gradle.lockfile
   java:
     name: Build and Test Java
     runs-on: ubuntu-latest
@@ -83,7 +69,7 @@ jobs:
           java-version: '17'
           distribution: 'temurin'
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@v4
       - name: Build with Gradle
         run: gradle build --rerun-tasks
   examples:
@@ -124,7 +110,7 @@ jobs:
         # helps avoid rate-limiting issues
         github-token: ${{ secrets.GITHUB_TOKEN }}
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
     - name: Report Java Version
       run: java -version
     - name: Install GraalVM native image
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -29,7 +29,7 @@ jobs:
           # helps avoid rate-limiting issues
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@v4
       - name: Report Java Version
         run: java -version
       - name: Install GraalVM native image
@@ -67,7 +67,7 @@ jobs:
         with:
           node-version: '20'
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@v4
       - name: Download isthmus-ubuntu-latest binary
         uses: actions/download-artifact@v4
         with:
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -69,21 +69,6 @@ allprojects {
       }
     }
   }
-
-  if (listOf("core", "isthmus", "isthmus-cli").contains(project.name)) {
-    apply(plugin = "org.cyclonedx.bom")
-    tasks.cyclonedxBom {
-      setIncludeConfigs(listOf("runtimeClasspath"))
-      setSkipConfigs(listOf("compileClasspath", "testCompileClasspath"))
-      setProjectType("library")
-      setSchemaVersion("1.5")
-      setDestination(project.file("build/reports"))
-      setOutputName("bom")
-      setOutputFormat("json")
-      setIncludeBomSerialNumber(false)
-      setIncludeLicenseText(false)
-    }
-  }
 }
 
 nexusPublishing {
diff --git a/core/build.gradle.kts b/core/build.gradle.kts
@@ -124,6 +124,8 @@ java {
   }
 }
 
+configurations { runtimeClasspath { resolutionStrategy.activateDependencyLocking() } }
+
 tasks.named("sourcesJar") { mustRunAfter("generateGrammarSource") }
 
 sourceSets {
diff --git a/isthmus-cli/build.gradle.kts b/isthmus-cli/build.gradle.kts
@@ -11,6 +11,8 @@ java {
   withSourcesJar()
 }
 
+configurations { runtimeClasspath { resolutionStrategy.activateDependencyLocking() } }
+
 val CALCITE_VERSION = properties.get("calcite.version")
 val GUAVA_VERSION = properties.get("guava.version")
 val IMMUTABLES_VERSION = properties.get("immutables.version")
diff --git a/isthmus/build.gradle.kts b/isthmus/build.gradle.kts
@@ -71,6 +71,8 @@ java {
   withSourcesJar()
 }
 
+configurations { runtimeClasspath { resolutionStrategy.activateDependencyLocking() } }
+
 val CALCITE_VERSION = properties.get("calcite.version")
 val GUAVA_VERSION = properties.get("guava.version")
 val IMMUTABLES_VERSION = properties.get("immutables.version")

Original file line number	Diff line number	Diff line change
`@@ -69,21 +69,6 @@ allprojects {`
`69`	`69`	`}`
`70`	`70`	`}`
`71`	`71`	`}`
`72`		`-`
`73`		`- if (listOf("core", "isthmus", "isthmus-cli").contains(project.name)) {`
`74`		`- apply(plugin = "org.cyclonedx.bom")`
`75`		`- tasks.cyclonedxBom {`
`76`		`- setIncludeConfigs(listOf("runtimeClasspath"))`
`77`		`- setSkipConfigs(listOf("compileClasspath", "testCompileClasspath"))`
`78`		`- setProjectType("library")`
`79`		`- setSchemaVersion("1.5")`
`80`		`- setDestination(project.file("build/reports"))`
`81`		`- setOutputName("bom")`
`82`		`- setOutputFormat("json")`
`83`		`- setIncludeBomSerialNumber(false)`
`84`		`- setIncludeLicenseText(false)`
`85`		`- }`
`86`		`- }`
`87`	`72`	`}`
`88`	`73`
`89`	`74`	`nexusPublishing {`
Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,8 @@ java {`
`124`	`124`	`}`
`125`	`125`	`}`
`126`	`126`
	`127`	`+configurations { runtimeClasspath { resolutionStrategy.activateDependencyLocking() } }`
	`128`	`+`
`127`	`129`	`tasks.named("sourcesJar") { mustRunAfter("generateGrammarSource") }`
`128`	`130`
`129`	`131`	`sourceSets {`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@ java {`
`11`	`11`	`withSourcesJar()`
`12`	`12`	`}`
`13`	`13`
	`14`	`+configurations { runtimeClasspath { resolutionStrategy.activateDependencyLocking() } }`
	`15`	`+`
`14`	`16`	`val CALCITE_VERSION = properties.get("calcite.version")`
`15`	`17`	`val GUAVA_VERSION = properties.get("guava.version")`
`16`	`18`	`val IMMUTABLES_VERSION = properties.get("immutables.version")`
Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,8 @@ java {`
`71`	`71`	`withSourcesJar()`
`72`	`72`	`}`
`73`	`73`
	`74`	`+configurations { runtimeClasspath { resolutionStrategy.activateDependencyLocking() } }`
	`75`	`+`
`74`	`76`	`val CALCITE_VERSION = properties.get("calcite.version")`
`75`	`77`	`val GUAVA_VERSION = properties.get("guava.version")`
`76`	`78`	`val IMMUTABLES_VERSION = properties.get("immutables.version")`