diff --git a/.github/workflows/github-actions-java8.yml b/.github/workflows/github-actions-java8.yml
index 46abd2b..07c960b 100644
--- a/.github/workflows/github-actions-java8.yml
+++ b/.github/workflows/github-actions-java8.yml
@@ -56,6 +56,7 @@ jobs:
 with:
 java-version: "8"
 distribution: "zulu"
+ check-latest: true # Get the latest Java 8 patch version
 - name: Validate Gradle wrapper
 uses: gradle/actions/wrapper-validation@v4
@@ -64,6 +65,21 @@ jobs:
 if: runner.os != 'Windows'
 run: chmod +x ./gradlew
+ - name: Run OWASP dependency check
+ if: matrix.os == 'windows-latest' # Only run on one platform
+ run: ./gradlew dependencyCheckAnalyze --no-daemon --stacktrace --continue
+ continue-on-error: true # Don't fail the build if dependency check has issues
+ env:
+ NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+
+ - name: Upload dependency check report
+ uses: actions/upload-artifact@v4
+ if: matrix.os == 'windows-latest' # Only upload from one platform
+ with:
+ name: dependency-check-report
+ path: build/reports/dependency-check-report.html
+ retention-days: 30
+
 - name: Build with Gradle
 run: ./gradlew buildShadow --no-daemon --stacktrace
diff --git a/build.gradle.kts b/build.gradle.kts
index 033a85e..56f3de3 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -81,3 +81,22 @@ tasks {
 dependsOn(shadowJar)
 }
 }
+
+// OWASP Dependency Check configuration
+dependencyCheck {
+ // Format for the dependency check report
+ formats = listOf("HTML")
+
+ // Suppress false positives (optional - can be configured as needed)
+ suppressionFile = "dependency-check-suppressions.xml"
+
+ // Fail build on CVSS score of 7 or higher (High/Critical vulnerabilities)
+ failBuildOnCVSS = 7.0f
+
+ // Enable NVD API with your API key
+ nvd.apiKey = System.getenv("NVD_API_KEY") ?: ""
+ nvd.delay = 4000
+
+ // Enable auto-update with NVD API
+ autoUpdate = true
+}
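Review bot: `continue-on-error: true` on the "Run OWASP dependency check" step makes the scan non-blocking, so the `failBuildOnCVSS = 7.0f` threshold this same commit configures in build.gradle.kts can never stop a merge — a High/Critical finding surfaces only as an artifact on a green job, and the `--continue` Gradle flag adds a second layer of the same masking. If the scan is meant to be a gate, drop `continue-on-error` once the suppression file is populated and change the upload step's condition to `if: always() && matrix.os == 'windows-latest'` so the HTML report is still published when the analyze step fails. Note also that `secrets.NVD_API_KEY` is empty for pull requests from forks, so on those runs the step will presumably fall back to unauthenticated NVD access (slower, and it may hit rate limits) — worth a comment on the `env:` line. The enclosing job definition starts outside the hunk.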
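Review bot: `suppressionFile = "dependency-check-suppressions.xml"` points at a file this commit does not add; if the file is absent the plugin will presumably fail the analyze task rather than treat it as "no suppressions", so either commit an empty suppression file or guard the assignment with `file("dependency-check-suppressions.xml").exists()`. On the `nvd.apiKey` line, `System.getenv("NVD_API_KEY") ?: ""` turns an unset secret into an empty key rather than no key, and it is not clear from here that the plugin treats a blank key as absent — confirm, or only assign when present: `System.getenv("NVD_API_KEY")?.takeIf(String::isNotBlank)?.let { nvd.apiKey = it }`. The comment above `nvd.delay = 4000` should say what the value is tuned for (with vs. without an API key), since the right delay differs between the two cases.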