feat: OWASP dependency check

Check for known vulnerabilities each day thanks to the OWASP Dependency Check Gradle plugin.

.github/workflows/dependency-check.yml

@@ -0,0 +1,39 @@
+name: Dependency Checks
+
+on:
+  schedule:
+    - cron: "0 0 * * *"  # Every day
+  workflow_dispatch: {}
+
+env:
+  JAVA_VERSION: '21'
+
+jobs:
+  dependency-check:
+    name: Dependency Check
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # Checkout GitHub Actions
+      - uses: actions/checkout@v4
+        with:
+          repository: kestra-io/actions
+          path: actions
+          ref: main
+
+      # Setup build
+      - uses: ./actions/.github/actions/setup-build
+        id: build
+        with:
+          java-enabled: true
+          node-enabled: true
+          caches-enabled: true
+
+      # Run OWASP dependency check plugin
+      - name: Run Dependency Check
+        run: |
+          ./gradlew dependencyCheckAggregate

build.gradle

@@ -36,6 +36,9 @@ plugins {
     id 'signing'
     id 'ru.vyarus.pom' version '3.0.0' apply false
     id 'ru.vyarus.github-info' version '2.0.0' apply false
+
+    // OWASP dependency check
+    id "org.owasp.dependencycheck" version "10.0.3" apply false
 }
 
 idea {
@@ -308,6 +311,24 @@ sonar {
     }
 }
 
+/**********************************************************************************************************************\
+ * OWASP Dependency check
+ **********************************************************************************************************************/
+apply plugin: 'org.owasp.dependencycheck'
+
+dependencyCheck {
+    // fail only on HIGH and CRITICAL vulnerabilities, we may want to lower to 5 (mid-medium) later
+    failBuildOnCVSS = 7
+
+    // disable the .NET assembly analyzer as otherwise it wants to analyze EXE file
+    analyzers {
+        assemblyEnabled = false
+    }
+
+    // configure a suppression file
+    suppressionFile = "$projectDir/owasp-dependency-suppressions.xml"
+}
+
 /**********************************************************************************************************************\
  * Micronaut
  **********************************************************************************************************************/

owasp-dependency-suppressions.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <!--
+        This is a CPE/CVE suppression file for the Gradle dependency check plugin.
+        Each CPE that is found by error (false positive) needs to be suppressed for a specific jar using it's GAV.
+        If a CVE is disputed or cannot be fixed, it needs to be suppressed by it's CVE identifier.
+        See https://jeremylong.github.io/DependencyCheck/general/suppression.html
+     -->
+    <suppress>
+        <notes>
+            <![CDATA[
+                Suppress the false positive CPE for Kestra jdbc-mysql to mysql itself
+            ]]>
+        </notes>
+        <gav regex="true">io\.kestra:jdbc-mysql.*</gav>
+        <cpe>cpe:/a:mysql:mysql</cpe>
+    </suppress>
+    <suppress>
+        <notes>
+            <![CDATA[
+                Suppress the false positive CPE for plexus-component-annotations, plexus-interpolation and plexus-utils to codehaus-plexus
+            ]]>
+        </notes>
+        <gav regex="true">org\.codehaus\.plexus:plexus.*</gav>
+        <cpe>cpe:/a:codehaus-plexus_project:codehaus-plexus</cpe>
+    </suppress>
+</suppressions>