| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| |
| name: CI - OWASP Dependency Check |
| on: |
| schedule: |
| - cron: '15 0 * * *' |
| workflow_dispatch: |
| |
| env: |
| MAVEN_OPTS: -Xss1500k -Xmx1024m -Daether.connector.http.reuseConnections=false -Daether.connector.requestTimeout=60000 -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.http.retryHandler.requestSentEnabled=true -Dmaven.wagon.http.serviceUnavailableRetryStrategy.class=standard -Dmaven.wagon.rto=60000 |
| |
| jobs: |
| run-owasp-dependency-check: |
| if: ${{ github.repository == 'apache/pulsar' || github.event_name == 'workflow_dispatch' }} |
| name: Check ${{ matrix.branch }} |
| env: |
| JOB_NAME: Check ${{ matrix.branch }} |
| GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }} |
| runs-on: ubuntu-22.04 |
| timeout-minutes: 75 |
| strategy: |
| fail-fast: false |
| max-parallel: 1 |
| matrix: |
| include: |
| - branch: master |
| - branch: branch-3.2 |
| - branch: branch-3.1 |
| - branch: branch-3.0 |
| - branch: branch-2.11 |
| - branch: branch-2.10 |
| jdk: 11 |
| |
| steps: |
| - name: checkout |
| uses: actions/checkout@v3 |
| with: |
| ref: ${{ matrix.branch }} |
| |
| - name: Tune Runner VM |
| uses: ./.github/actions/tune-runner-vm |
| |
| - name: Cache local Maven repository |
| uses: actions/cache@v3 |
| timeout-minutes: 5 |
| with: |
| path: | |
| ~/.m2/repository/*/*/* |
| !~/.m2/repository/org/apache/pulsar |
| !~/.m2/repository/org/owasp/dependency-check-data |
| key: ${{ runner.os }}-m2-dependencies-all-${{ hashFiles('**/pom.xml') }} |
| lookup-only: true |
| restore-keys: | |
| ${{ runner.os }}-m2-dependencies-core-modules-${{ hashFiles('**/pom.xml') }} |
| ${{ runner.os }}-m2-dependencies-core-modules- |
| |
| - name: Set up JDK ${{ matrix.jdk || '17' }} |
| uses: actions/setup-java@v3 |
| with: |
| distribution: 'temurin' |
| java-version: ${{ matrix.jdk || '17' }} |
| |
| - name: run install by skip tests |
| run: mvn -B -ntp clean install -DskipTests -Dspotbugs.skip=true -Dlicense.skip=true -Dcheckstyle.skip=true -Drat.skip=true -DskipDocker=true |
| |
| - name: OWASP cache key weeknum |
| id: get-weeknum |
| run: | |
| echo "weeknum=$(date -u +"%Y-%U")" >> $GITHUB_OUTPUT |
| shell: bash |
| |
| - name: Restore OWASP Dependency Check data |
| id: restore-owasp-dependency-check-data |
| uses: actions/cache/restore@v3 |
| timeout-minutes: 5 |
| with: |
| path: ~/.m2/repository/org/owasp/dependency-check-data |
| key: owasp-dependency-check-data-${{ steps.get-weeknum.outputs.weeknum }} |
| enableCrossOsArchive: true |
| restore-keys: | |
| owasp-dependency-check-data- |
| |
| - name: Update OWASP Dependency Check data |
| id: update-owasp-dependency-check-data |
| if: ${{ matrix.branch == 'master' && (steps.restore-owasp-dependency-check-data.outputs.cache-hit != 'true' || steps.restore-owasp-dependency-check-data.outputs.cache-matched-key != steps.restore-owasp-dependency-check-data.outputs.cache-primary-key) }} |
| run: mvn -B -ntp -Powasp-dependency-check initialize -pl . dependency-check:update-only |
| |
| - name: Save OWASP Dependency Check data |
| if: ${{ steps.update-owasp-dependency-check-data.outcome == 'success' }} |
| uses: actions/cache/save@v3 |
| timeout-minutes: 5 |
| with: |
| path: ~/.m2/repository/org/owasp/dependency-check-data |
| key: ${{ steps.restore-owasp-dependency-check-data.outputs.cache-primary-key }} |
| enableCrossOsArchive: true |
| |
| - name: run OWASP Dependency Check for distribution/server (-DfailBuildOnAnyVulnerability=true) |
| run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -pl distribution/server -DfailBuildOnAnyVulnerability=true |
| |
| - name: run OWASP Dependency Check for offloaders/tiered-storage and pulsar-io connectors (-DfailOnError=false) |
| if: ${{ !cancelled() }} |
| run: | |
| mvnprojects=$(mvn -B -ntp -Dscan=false initialize \ |
| | grep -- "-< .* >-" \ |
| | sed -E 's/.*-< (.*) >-.*/\1/' \ |
| | grep -E 'pulsar-io-|tiered-storage-|offloader' \ |
| | tr '\n' ',' | sed 's/,$/\n/' ) |
| set -xe |
| mvn --fail-at-end -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -DfailOnError=false -pl "${mvnprojects}" |
| |
| - name: Upload OWASP Dependency Check reports |
| uses: actions/upload-artifact@v4 |
| if: always() |
| with: |
| name: owasp-dependency-check-reports-${{ matrix.branch }} |
| path: | |
| **/target/dependency-check-report.html |