diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml new file mode 100644 index 000000000..bebbaad63 --- /dev/null +++ b/.github/workflows/dependency-check.yml @@ -0,0 +1,47 @@ +name: OWASP Maven Dependency Check +on: + schedule: + - cron: '0 7 * * 0' + workflow_dispatch: + + +jobs: + check-dependencies: + name: Check dependencies + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + show-progress: false + - name: Setup Java + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: 21 + cache: 'maven' + - name: Run org.owasp:dependency-check plugin + id: dependency-check + continue-on-error: true + run: mvn -B verify -Pdependency-check -DskipTests + env: + NVD_API_KEY: ${{ secrets.NVD_API_KEY }} + - name: Upload report on failure + if: steps.dependency-check.outcome == 'failure' + uses: actions/upload-artifact@v3 + with: + name: dependency-check-report + path: target/dependency-check-report.html + if-no-files-found: error + - name: Slack Notification on regular check + if: github.event_name == 'schedule' && steps.dependency-check.outcome == 'failure' + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_USERNAME: 'Cryptobot' + SLACK_ICON: false + SLACK_ICON_EMOJI: ':bot:' + SLACK_CHANNEL: 'cryptomator-desktop' + SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected." + SLACK_MESSAGE: "Download the for more details." + SLACK_FOOTER: false + MSG_MINIMAL: true \ No newline at end of file diff --git a/.github/workflows/release-check.yml b/.github/workflows/release-check.yml index 1bbfb5d1a..220e0f4e8 100644 --- a/.github/workflows/release-check.yml +++ b/.github/workflows/release-check.yml @@ -10,12 +10,22 @@ defaults: run: shell: bash +env: + JAVA_DIST: 'zulu' + JAVA_VERSION: 21 + jobs: - release-check-precondition: + check-preconditions: name: Validate commits pushed to release/hotfix branch to fulfill release requirements runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - name: Setup Java + uses: actions/setup-java@v3 + with: + distribution: ${{ env.JAVA_DIST }} + java-version: ${{ env.JAVA_VERSION }} + cache: 'maven' - id: validate-pom-version name: Validate POM version run: | @@ -37,4 +47,10 @@ jobs: if ! grep -q "" dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml; then echo "Release not set in dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml" exit 1 - fi \ No newline at end of file + fi + - name: Run org.owasp:dependency-check plugin + id: dependency-check + continue-on-error: true + run: mvn -B verify -Pdependency-check -DskipTests + env: + NVD_API_KEY: ${{ secrets.NVD_API_KEY }} \ No newline at end of file diff --git a/pom.xml b/pom.xml index 781fedc53..f9766f3d2 100644 --- a/pom.xml +++ b/pom.xml @@ -63,7 +63,7 @@ 24.1.0 - 9.0.1 + 9.0.4 0.8.11 2.3.0 1.2.1 @@ -460,11 +460,11 @@ org.owasp dependency-check-maven - 24 0 true true suppression.xml + ${env.NVD_API_KEY}