Remove snyk. (#374)

* Remove snyk, use owasp dependency check * Add Makefile option and CI job * Comment out owasp dependency check and implement in separate PR.
hypertrace · Oct 24, 2022 · c981dfc · c981dfc
1 parent 6ef6c30
commit c981dfc
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 18 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -71,21 +71,33 @@ jobs:
           JVM_OPTS: -Xmx1g
           TERM: dumb
 
-  snyk-scan:
-    runs-on: ubuntu-20.04
-    steps:
-      # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
-      - name: Check out code
-        uses: actions/checkout@v2.3.4
-        with:
-          ref: ${{github.event.pull_request.head.ref}}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-          fetch-depth: 0
-          submodules: true
-      - name: Setup snyk
-        uses: snyk/actions/setup@0.3.0
-      - name: Snyk test
-        run: snyk test -d --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --configuration-matching="^runtimeClasspath$"
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-          GRADLE_OPTS: -Dorg.gradle.workers.max=1
+#TODO
+#  dependency-check:
+#    runs-on: ubuntu-20.04
+#    steps:
+#      - name: Check out code
+#        uses: actions/checkout@v2.3.4
+#        with:
+#          ref: ${{github.event.pull_request.head.ref}}
+#          repository: ${{github.event.pull_request.head.repo.full_name}}
+#          fetch-depth: 0
+#          submodules: true
+#
+#      - name: create checksum file
+#        uses: hypertrace/github-actions/checksum@main
+#
+#      - name: Cache packages
+#        id: cache-packages
+#        uses: actions/cache@v2
+#        with:
+#          path: ~/.gradle
+#          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
+#          restore-keys: |
+#            gradle-packages-${{ runner.os }}-${{ github.job }}
+#            gradle-packages-${{ runner.os }}
+#
+#      - name: dependency check
+#        run: make dependency-check
+#        env:
+#          JVM_OPTS: -Xmx1g
+#          TERM: dumb
diff --git a/Makefile b/Makefile
@@ -46,3 +46,7 @@ clean:
 .PHONY: init-submodules
 init-submodules:
 	git submodule update --init
+
+.PHONY: dependency-check
+dependency-check:
+	./gradlew dependencyCheckAggregate 
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -6,6 +6,7 @@ plugins {
     id("org.hypertrace.publish-maven-central-plugin") version "1.0.4" apply false
     id("org.hypertrace.ci-utils-plugin") version "0.3.0"
     id("org.gradle.test-retry") version "1.2.0" apply false
+    id("org.owasp.dependencycheck") version "7.1.1"
 }
 
 allprojects {
@@ -89,3 +90,10 @@ subprojects {
         }
     }
 }
+
+dependencyCheck {
+    format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.valueOf("ALL")
+//    suppressionFile = "owasp-suppressions.xml"
+    scanConfigurations.add("runtimeClasspath")
+    failBuildOnCVSS = 7.0F
+}