From e194f9b2055842f755758d053b53085658f62bcc Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Mon, 11 Dec 2023 22:58:42 +0100
Subject: [PATCH 1/2] update dependency check and refactor to own workflow
---
 .github/workflows/dependency-check.yml | 54 ++++++++++++++++++++++++++
 .github/workflows/release-check.yml | 20 +++++++++-
 pom.xml | 4 +-
 3 files changed, 74 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/dependency-check.yml
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
new file mode 100644
index 000000000..b7742f9e8
--- /dev/null
+++ b/.github/workflows/dependency-check.yml
@@ -0,0 +1,54 @@
+name: OWASP Maven Dependency Check
+on:
+ schedule:
+ - cron: '0 7 * * 0'
+ push:
+ branches:
+ - 'release/**'
+ workflow_dispatch:
+
+
+jobs:
+ check-dependencies:
+ name: Check dependencies
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ show-progress: false
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: 21
+ cache: 'maven'
+ - name: Run org.owasp:dependency-check plugin
+ id: dependency-check
+ continue-on-error: true
+ run: mvn -B verify -Pdependency-check -DskipTests
+ env:
+ NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+ - name: Upload report on failure
+ if: steps.dependency-check.outcome == 'failure'
+ uses: actions/upload-artifact@v3
+ with:
+ name: dependency-check-report
+ path: target/dependency-check-report.html
+ if-no-files-found: error
+ - name: Slack Notification on regular check
+ if: github.event_name == 'schedule' && steps.dependency-check.outcome == 'failure'
+ uses: rtCamp/action-slack-notify@v2
+ env:
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+ SLACK_USERNAME: 'Cryptobot'
+ SLACK_ICON: false
+ SLACK_ICON_EMOJI: ':bot:'
+ SLACK_CHANNEL: 'cryptomator-desktop'
+ SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected."
+ SLACK_MESSAGE: "Download the for more details."
+ SLACK_FOOTER: false
+ MSG_MINIMAL: true
+ - name: Failing workflow on release branch
+ if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure'
+ shell: bash
+ run: exit 1
\ No newline at end of file
diff --git a/.github/workflows/release-check.yml b/.github/workflows/release-check.yml
index 1bbfb5d1a..220e0f4e8 100644
--- a/.github/workflows/release-check.yml
+++ b/.github/workflows/release-check.yml
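Review bot: Every `uses:` in this new workflow references a mutable tag (`actions/checkout@v4`, `actions/setup-java@v4`, `actions/upload-artifact@v3`, `rtCamp/action-slack-notify@v2`), and `upload-artifact` is on v3 while the sibling actions are on v4; since the job is handed `secrets.NVD_API_KEY` and `secrets.SLACK_WEBHOOK_URL`, pinning each action to a full-length commit SHA (tag noted in a trailing comment) bounds what a retagged or compromised action could reach. The workflow also sets no `permissions:` block, so the job token receives the repository default; a top-level `permissions:` with `contents: read` is all the checkout needs. The final step fails the job only for `push`, so a `workflow_dispatch` run with findings uploads the report but completes green, and patch 2 removes that step entirely, leaving the scheduled Slack message as the only signal for this workflow. `SLACK_MESSAGE: "Download the for more details."` reads as though a word or link was lost; if that is not a rendering artifact, it should name what to download (e.g. the `dependency-check-report` artifact).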
@@ -10,12 +10,22 @@ defaults: run: shell: bash +env: + JAVA_DIST: 'zulu' + JAVA_VERSION: 21 + jobs: - release-check-precondition: + check-preconditions: name: Validate commits pushed to release/hotfix branch to fulfill release requirements runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - name: Setup Java + uses: actions/setup-java@v3 + with: + distribution: ${{ env.JAVA_DIST }} + java-version: ${{ env.JAVA_VERSION }} + cache: 'maven' - id: validate-pom-version name: Validate POM version run: | @@ -37,4 +47,10 @@ jobs: if ! grep -q "" dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml; then echo "Release not set in dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml" exit 1 - fi \ No newline at end of file + fi + - name: Run org.owasp:dependency-check plugin + id: dependency-check + continue-on-error: true + run: mvn -B verify -Pdependency-check -DskipTests + env: + NVD_API_KEY: ${{ secrets.NVD_API_KEY }} \ No newline at end of file diff --git a/pom.xml b/pom.xml index 781fedc53..f9766f3d2 100644 --- a/pom.xml +++ b/pom.xml @@ -63,7 +63,7 @@ 24.1.0 - 9.0.1 + 9.0.4 0.8.11 2.3.0 1.2.1 @@ -460,11 +460,11 @@ org.owasp dependency-check-maven - 24 0 true true suppression.xml + ${env.NVD_API_KEY} From 851838e3a2d9ee1ac35da515b6ac03638204a2dc Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Tue, 12 Dec 2023 14:58:48 +0100 Subject: [PATCH 2/2] remove run of dependency-chec workflow for release branches (already done in check release workflow) --- .github/workflows/dependency-check.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index b7742f9e8..bebbaad63 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -2,9 +2,6 @@ name: OWASP Maven Dependency Check on: schedule: - cron: '0 7 * * 0' - push: - branches: - - 'release/**' workflow_dispatch: 
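Review bot: Renaming the job from `release-check-precondition` to `check-preconditions` changes the status-check name this workflow reports; if branch protection on the release/hotfix branches lists the old name as a required check, that requirement will never be satisfied again and must be updated together with this change. The new setup step uses `actions/setup-java@v3` with `JAVA_DIST: 'zulu'`, whereas the dependency-check workflow added in the same patch uses `actions/setup-java@v4` with `'temurin'`; unless the difference is deliberate, aligning both (and pinning by commit SHA rather than tag) keeps the two checks on the same JDK. The `steps:` list continues past the end of the hunk.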
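Review bot: The added `Run org.owasp:dependency-check plugin` step sets `continue-on-error: true`, but nothing else in this workflow reads `steps.dependency-check.outcome`, so a failing dependency check leaves the release-precondition job green and the report is never surfaced. The smallest fix is to drop `continue-on-error: true` so the Maven failure fails the job; alternatively mirror the new dependency-check workflow with an `upload-artifact` step guarded by `if: steps.dependency-check.outcome == 'failure'` and a closing `run: exit 1`. Patch 2 states that release branches are covered by this workflow only, which makes the missing failure path the sole gate on vulnerable dependencies before a release.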
@@ -47,8 +44,4 @@ jobs:
 SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected."
 SLACK_MESSAGE: "Download the for more details."
 SLACK_FOOTER: false
- MSG_MINIMAL: true
- - name: Failing workflow on release branch
- if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure'
- shell: bash
- run: exit 1
\ No newline at end of file
+ MSG_MINIMAL: true
\ No newline at end of file