Use OSV-Scanner instead of dependency-check (#321)

The existing dependency-check version is no longer supported and might fail after the NVD data feeds it uses are deprecated on 2023-12-15. The updated version requires an API key to interact with the newer NVD APIs. For details see: - https://github.com/jeremylong/DependencyCheck#900-upgrade-notice It also requires periodic triage and suppression of false positive detections. OSV-Scanner appears less prone to false positives and does not require an API key to be maintained. Implement a scheduled vulnerability scan (using OSV-Scanner) so that vulnerabilities are more visible than the current (dependency-check) implementation, which runs in PR builds but does not fail builds or make the results very visible. Signed-off-by: Mark S. Lewis <[email protected]>
hyperledger · Dec 7, 2023 · 63816aa · 63816aa
1 parent 233e382
commit 63816aa
Show file tree

Hide file tree

Showing 8 changed files with 55 additions and 72 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -71,7 +71,7 @@ jobs:
         uses: gradle/gradle-build-action@v2
         with:
           arguments: |
-            :fabric-chaincode-docker:copyAllDeps -x dependencyCheckAnalyze
+            :fabric-chaincode-docker:copyAllDeps
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx

diff --git a/.github/workflows/scheduled-scan.yml b/.github/workflows/scheduled-scan.yml
@@ -0,0 +1,21 @@
+name: "Scheduled vulnerability scan"
+
+on:
+  schedule:
+    - cron: "20 3 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  osv-scanner:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: stable
+      - name: Scan
+        run: make scan
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -26,18 +26,12 @@ jobs:
         cache: 'gradle'
     - name: Validate Gradle wrapper
       uses: gradle/wrapper-validation-action@v1
-    - name: Dependency Check
-      uses: gradle/gradle-build-action@v2
-      with:
-        arguments: |
-          :fabric-chaincode-shim:dependencyCheckAnalyze
     - name: Build and Unit test
       uses: gradle/gradle-build-action@v2
       with:
         arguments: |
           :fabric-chaincode-shim:build 
-          -xdependencyCheckAnalyze            
-    
+
   intergationtest:  
     runs-on: ubuntu-latest
     steps:
@@ -72,5 +66,4 @@ jobs:
         uses: gradle/gradle-build-action@v2
         with:
           arguments: |
-            :fabric-chaincode-integration-test:build 
-            -xdependencyCheckAnalyze 
+            :fabric-chaincode-integration-test:build
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -41,20 +41,25 @@ Should you have any questions or concerns, please reach out to one of the projec
 
 ## How to work with the Codebase
 
-Some useful gradle commands to help with building.  You can add or remove the `--no-daemon` and `-x dependencyCheckAnalyze` as you wish; depending on the performance of you local machine.
+Some useful gradle commands to help with building.  You can add or remove the `--no-daemon` as you wish; depending on the performance of you local machine.
 
-```
-# build everything , but skip the (slow) dependency checks
-./gradlew --no-daemon build -x dependencyCheckAnalyze
+```shell
+# build everything
+./gradlew --no-daemon build
 
 # clean up to force tests and compile to rerun
 ./gradlew clean cleanTest
-./gradlew --no-daemon :fabric-chaincode-shim:build -x dependencyCheckAnalyze
+./gradlew --no-daemon :fabric-chaincode-shim:build
 
 # build docker image
 ./gradlew :fabric-chaincode-docker:buildImage
 ```
 
+You can also scan for vulnerabilities in dependencies (requires [Make](https://www.gnu.org/software/make/) and [Go](https://go.dev/) to be installed):
+```shell
+make scan
+```
+
 ## Hyperledger Fabric
 
 See the

diff --git a/Makefile b/Makefile
@@ -0,0 +1,9 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+.PHONEY: scan
+scan:
+	go install github.com/google/osv-scanner/cmd/osv-scanner@latest
+	./gradlew cyclonedxBom
+	osv-scanner --sbom='fabric-chaincode-shim/build/reports/bom.json'
diff --git a/dependency-suppression.xml b/dependency-suppression.xml
diff --git a/fabric-chaincode-docker/Dockerfile b/fabric-chaincode-docker/Dockerfile
@@ -41,8 +41,7 @@ RUN gradle \
     -x javadoc \
     -x test \
     -x checkstyleMain \
-    -x checkstyleTest \
-    -x dependencyCheckAnalyze
+    -x checkstyleTest
 
 WORKDIR /root/chaincode-java 
 # Run the Gradle and Maven commands to generate the wrapper variants

diff --git a/fabric-chaincode-shim/build.gradle b/fabric-chaincode-shim/build.gradle
@@ -17,10 +17,9 @@ plugins {
     id 'jacoco'
     id 'signing'
     id 'checkstyle'
+    id 'org.cyclonedx.bom' version '1.8.1'
 }
 
-apply plugin: 'org.owasp.dependencycheck'
-
 checkstyle {
     toolVersion '10.12.2'
     configFile file("../ci/checkstyle/checkstyle.xml")
@@ -34,13 +33,18 @@ checkstyleTest {
     source ='src/test/java'
 }
 
-dependencyCheck {
-    suppressionFile='dependency-suppression.xml'
-    scanConfigurations = ['runtimeClasspath']
+cyclonedxBom {
+    includeConfigs = ["runtimeClasspath"]
+    skipConfigs = ["compileClasspath", "testCompileClasspath"]
+    projectType = "library"
+    schemaVersion = "1.5"
+    destination = file("build/reports")
+    outputName = "bom"
+    outputFormat = "json"
+    includeBomSerialNumber = false
+    includeLicenseText = false
 }
 
-check.dependsOn dependencyCheckAnalyze
-
 tasks.withType(org.gradle.api.tasks.testing.Test) {
     systemProperty 'CORE_CHAINCODE_LOGGING_LEVEL', 'DEBUG'
 }
@@ -76,16 +80,6 @@ dependencies {
     implementation 'io.opentelemetry.instrumentation:opentelemetry-grpc-1.6:1.32.0-alpha'
 }
 
-dependencyCheck {
-    format='ALL'
-    analyzers {
-        assemblyEnabled=false
-        ossIndex {
-            enabled=false
-        }
-    }
-}
-
 sourceSets {
     main {
         java {