Merge pull request #47 from SelahattinSert/task/add-org.owasp.dependencycheck

SelahattinSert · web-flow · commit 58c2443355dd · 2025-03-19T23:23:15.000+03:00
Add org.owasp.dependencycheck
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,31 +9,66 @@ on:
 
 jobs:
   build:
+    name: Build with Maven
     runs-on: ubuntu-latest
 
     steps:
       - name: Check out the repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Set up JDK 21
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@v3
         with:
+          distribution: 'temurin'
           java-version: '21'
+          cache: maven
 
       - name: Set up Maven
         uses: stCarolas/setup-maven@v4.2
         with:
           maven-version: 3.9.6
 
       - name: Cache Maven packages
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-maven-
+
       - name: Build with Maven
         run: mvn -B package --file pom.xml
 
+      - name: Run tests
+        run: mvn clean test
+
+  test:
+    name: Run tests
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v3
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+          cache: maven
+
+      - name: Set up Maven
+        uses: stCarolas/setup-maven@v4.2
+        with:
+          maven-version: 3.9.6
+
+      - name: Cache Maven packages
+        uses: actions/cache@v3
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+
       - name: Run tests
         run: mvn clean test
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <!-- azure-identity-1.13.1 -->
+    <!-- com.azure.spring:spring-cloud-azure-starter@5.15.0 -->
+    <suppress>
+        <cve>CVE-2023-36415</cve>
+        <cve>CVE-2024-35255</cve>
+    </suppress>
+    <!-- json-smart-2.5.1 -->
+    <!-- org.springframework.boot:spring-boot-starter-test@3.3.1 -->
+    <suppress>
+        <cve>CVE-2024-57699</cve>
+    </suppress>
+    <!-- logback-core-1.5.6 -->
+    <!-- org.springframework.boot:spring-boot-starter-logging@3.3.1 -->
+    <suppress>
+        <cve>CVE-2024-12798</cve>
+        <cve>CVE-2024-12801</cve>
+    </suppress>
+    <!-- msal4j-1.16.1 -->
+    <!-- com.azure.spring:spring-cloud-azure-starter@5.15.0 -->
+    <suppress>
+        <cve>CVE-2024-35255</cve>
+    </suppress>
+    <!-- netty-common-4.1.111.Final -->
+    <!-- com.azure:azure-storage-blob@12.27.1 -->
+    <suppress>
+        <cve>CVE-2024-47535</cve>
+    </suppress>
+    <!-- netty-handler-4.1.111.Final -->
+    <!-- com.azure:azure-storage-blob@12.27.1 -->
+    <suppress>
+        <cve>CVE-2025-24970</cve>
+    </suppress>
+    <!-- spring-cloud-azure-starter-storage-queue-5.15.0 -->
+    <!-- com.azure.spring:spring-cloud-azure-starter-storage@5.15.0 -->
+    <suppress>
+        <cve>CVE-2022-30187</cve>
+    </suppress>
+    <!-- spring-core-6.1.10 -->
+    <!-- org.springframework.boot:spring-boot-starter-test@3.3.1 -->
+    <suppress>
+        <cve>CVE-2024-38820</cve>
+    </suppress>
+    <!-- spring-web-6.1.10 -->
+    <!-- org.springframework.boot:spring-boot-starter-web@3.3.1 -->
+    <suppress>
+        <cve>CVE-2024-38809</cve>
+        <cve>CVE-2024-38820</cve>
+    </suppress>
+    <!-- spring-webmvc-6.1.10 -->
+    <!-- org.springframework.boot:spring-boot-starter-web@3.3.1 -->
+    <suppress>
+        <cve>CVE-2024-38816</cve>
+        <cve>CVE-2024-38820</cve>
+    </suppress>
+    <!-- swagger-ui-5.17.14 (DOMPurify@3.1.4) -->
+    <!-- org.springdoc:springdoc-openapi-starter-webmvc-ui@2.6.0 -->
+    <suppress>
+        <cve>CVE-2025-26791</cve>
+    </suppress>
+    <!-- tomcat-embed-core-10.1.25 -->
+    <!-- org.springframework.boot:spring-boot-starter-web@3.3.1 -->
+    <suppress>
+        <cve>CVE-2025-24813</cve>
+    </suppress>
+</suppressions>
diff --git a/pom.xml b/pom.xml
@@ -172,6 +172,24 @@
                 <artifactId>versions-maven-plugin</artifactId>
                 <version>2.18.0</version>
             </plugin>
+
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>12.1.0</version>
+                <configuration>
+                    <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
+                    <knownExploitedEnabled>false</knownExploitedEnabled>
+                    <failBuildOnCVSS>0</failBuildOnCVSS>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 
