Add dependency check plugin (#1019)

* Add dependency check plugin

* Add support for owasp dependency check

* Exclude dependency-check-suppression.xml

* Fix shellcheck errors

* More shellcheck fixes

* One more shellcheck fix

etc/copyright-exclude.txt

@@ -6,6 +6,7 @@ LICENSE.txt
 3RD-PARTY-LICENSE.txt
 etc/copyright-exclude.txt
 etc/copyright.txt
+etc/dependency-check-suppression.xml
 etc/images/
 _plantuml-config.txt
 superagent.js
@@ -40,4 +41,4 @@ freemarker-implicit.ftl
 expected
 expected-config
 .helidon
-jvm.config
+jvm.config

etc/dependency-check-suppression.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+<!-- For information see https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
+
+
+<!--
+    These are FPs.
+    See https://github.com/jeremylong/DependencyCheck/issues/5973
+-->
+<suppress>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-(cipher|classworlds|component-annotations|interpolation|container-default|sec-dispatcher)@.*$</packageUrl>
+    <cve>CVE-2022-4244</cve>
+    <cve>CVE-2022-4245</cve>
+</suppress>
+
+
+</suppressions>

etc/scripts/owasp-dependency-check.sh

@@ -0,0 +1,64 @@
+#!/bin/bash -e
+#
+# Copyright (c) 2020, 2024 Oracle and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -o pipefail || true  # trace ERR through pipes
+set -o errtrace || true # trace ERR through commands and functions
+set -o errexit || true  # exit the script if any statement returns a non-true return value
+
+# Path to this script
+if [ -h "${0}" ] ; then
+    SCRIPT_PATH="$(readlink "${0}")"
+else
+    # shellcheck disable=SC155
+    SCRIPT_PATH="${0}"
+fi
+readonly SCRIPT_PATH
+
+# Path to the root of the workspace
+# shellcheck disable=SC2046
+WS_DIR=$(cd $(dirname -- "${SCRIPT_PATH}") ; cd ../.. ; pwd -P)
+
+on_error(){
+    CODE="${?}" && \
+    set +x && \
+    printf "[ERROR] Error(code=%s) occurred at %s:%s command: %s\n" \
+        "${CODE}" "${BASH_SOURCE[0]}" "${LINENO}" "${BASH_COMMAND}"
+}
+trap on_error ERR
+
+RESULT_FILE=$(mktemp -t XXXdependency-check-result)
+readonly  RESULT_FILE
+
+die() { cat "${RESULT_FILE}" ; echo "Dependency report in ${WS_DIR}/target" ; echo "${1}" ; exit 1 ;}
+
+if [ "${PIPELINE}" = "true" ] ; then
+    # If in pipeline do a priming build before scan
+    # shellcheck disable=SC2086
+    mvn ${MAVEN_ARGS} -f "${WS_DIR}"/pom.xml clean install -DskipTests
+fi
+
+# Setting NVD_API_KEY is not required but improves behavior of NVD API throttling
+
+# shellcheck disable=SC2086
+mvn ${MAVEN_ARGS} -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN org.owasp:dependency-check-maven:aggregate \
+        -f "${WS_DIR}"/pom.xml \
+        -Dtop.parent.basedir="${WS_DIR}" \
+        -Dnvd-api-key="${NVD_API_KEY}" \
+        > "${RESULT_FILE}" || die "Error running the Maven command"
+
+grep -i "One or more dependencies were identified with known vulnerabilities" "${RESULT_FILE}" \
+    && die "CVE SCAN ERROR" || echo "CVE SCAN OK"

pom.xml

@@ -183,6 +183,7 @@
         <version.plugin.clean>3.1.0</version.plugin.clean>
         <version.plugin.compiler>3.8.1</version.plugin.compiler>
         <version.plugin.dependency>3.3.0</version.plugin.dependency>
+        <version.plugin.dependency-check>9.0.9</version.plugin.dependency-check>
         <version.plugin.deploy>2.8.2</version.plugin.deploy>
         <version.plugin.enforcer>3.4.0</version.plugin.enforcer>
         <version.plugin.failsafe>3.0.0-M5</version.plugin.failsafe>
@@ -495,6 +496,30 @@
                     <artifactId>native-maven-plugin</artifactId>
                     <version>${version.plugin.graalvm}</version>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>${version.plugin.dependency-check}</version>
+                    <configuration>
+                        <skip>${dependency-check.skip}</skip>
+                        <skipTestScope>true</skipTestScope>
+                        <failBuildOnAnyVulnerability>false</failBuildOnAnyVulnerability>
+                        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+                        <nvdApiKey>${nvd-api-key}</nvdApiKey>
+                        <excludes>
+                            <!-- Exclude stuff we do not deploy -->
+                            <!-- This should be excluded by above, but for some reason it persists -->
+                            <exclude>org.testng:testng</exclude>
+                        </excludes>
+                        <formats>
+                            <format>HTML</format>
+                        </formats>
+                        <suppressionFiles>
+                            <!--suppress UnresolvedMavenProperty -->
+                            <suppressionFile>${top.parent.basedir}/etc/dependency-check-suppression.xml</suppressionFile>
+                        </suppressionFiles>
+                    </configuration>
+                </plugin>
             </plugins>
         </pluginManagement>
         <plugins>