Skip to content

Commit 5ca71ab

Browse files
A3a3e1A3a3e1
authored
Add an automated vulnerability check (#18)
1 parent 967060d commit 5ca71ab

4 files changed

Lines changed: 53 additions & 1 deletion

File tree

CHANGELOG.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,6 @@
1+
## 1.0.5 (May 6, 2022)
2+
* Add an automated vulnerability check
3+
14
## 1.0.4 (April 08, 2022)
25
* Updated the Sailor version to 3.3.9
36

build.gradle

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@ apply plugin: 'groovy'
33
apply plugin: 'idea'
44
apply plugin: 'eclipse'
55
apply plugin: 'java-library-distribution'
6+
apply plugin: org.owasp.dependencycheck.gradle.DependencyCheckPlugin
67

78
group = 'io.elastic'
89

@@ -48,6 +49,26 @@ uploadArchives {
4849
}
4950
}
5051

52+
check.dependsOn dependencyCheckAnalyze
53+
54+
dependencyCheck {
55+
format = 'ALL'
56+
// Dependency Check script will fail in case there are critical (9.0-10.0) vulnerabilities.
57+
// It should be configured to 7 (high and critical), but so far is not possible as 'axis' library
58+
// and log4j issues which does not have any updates that solve the problem
59+
failBuildOnCVSS = 7
60+
suppressionFile='./dependencyCheck-suppression.xml'
61+
}
62+
63+
buildscript {
64+
repositories {
65+
mavenCentral()
66+
}
67+
dependencies {
68+
classpath 'org.owasp:dependency-check-gradle:6.0.3'
69+
}
70+
}
71+
5172
wrapper {
5273
gradleVersion = '5.4.1'
5374
}

component.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
"title": "Petstore API (Java)",
33
"description": "elastic.io component for the Petstore API",
44
"docsUrl": "https://github.com/elasticio/petstore-component-java",
5-
"version": "1.0.4",
5+
"version": "1.0.5",
66
"credentials": {
77
"fields": {
88
"apiKey": {

dependencyCheck-suppression.xml

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
3+
<suppress>
4+
<notes><![CDATA[
5+
file name: logback-jackson-0.1.5.jar
6+
]]>
7+
</notes>
8+
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-jackson@.*$</packageUrl>
9+
<cve>CVE-2017-5929</cve>
10+
<cve>CVE-2021-42550</cve>
11+
</suppress>
12+
<suppress>
13+
<notes><![CDATA[
14+
file name: logback-json-classic-0.1.5.jar
15+
]]>
16+
</notes>
17+
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-json\-classic@.*$</packageUrl>
18+
<cpe>cpe:/a:qos:logback</cpe>
19+
</suppress>
20+
<suppress>
21+
<notes><![CDATA[
22+
file name: logback-json-core-0.1.5.jar
23+
]]>
24+
</notes>
25+
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-json\-core@.*$</packageUrl>
26+
<cpe>cpe:/a:qos:logback</cpe>
27+
</suppress>
28+
</suppressions>

0 commit comments

Comments
 (0)