Adding maven dependency check to identify publicly disclosed vulnerab…

…ilities (#751) * Added dependency-check-maven and updated grpc modules * Adding dependency check to pipeline * Test pipeline * Test pipeline * Test pipeline * Test pipeline
Azure · Jan 30, 2024 · c92d38c · c92d38c
1 parent 01caa73
commit c92d38c
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 4 deletions.
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -60,6 +60,10 @@ jobs:
           .\package-pipeline.ps1 -buildNumber $buildNumber
         name: output
         displayName: 'Executing build script'
+      - pwsh: |
+          mvn dependency-check:check
+        condition: and(eq(variables['Build.SourceBranch'], 'refs/heads/dev'), eq(variables['SkipMavenDependencyCheck'], 'false'))
+        displayName: 'Maven dependency check'
       - task: CopyFiles@2
         inputs:
           SourceFolder: '$(Build.Repository.LocalPath)/pkg'
@@ -155,7 +159,7 @@ jobs:
         displayName: 'Install .NET 6'
         inputs:
           version: 6.0.x
-      - pwsh: | # Download JDK for later installation 
+      - pwsh: | # Download JDK for later installation
           Invoke-WebRequest $(JDK_DOWNLOAD_LINK) -O "$(JAVA_VERSION).tar.gz"
           $current = get-location | select -ExpandProperty Path
           Write-Host "##vso[task.setvariable variable=downloadPath;]$current"

diff --git a/pom.xml b/pom.xml
@@ -72,17 +72,17 @@
     <dependency>
       <groupId>io.grpc</groupId>
       <artifactId>grpc-protobuf</artifactId>
-      <version>1.57.2</version>
+      <version>1.61.0</version>
     </dependency>
     <dependency>
       <groupId>io.grpc</groupId>
       <artifactId>grpc-stub</artifactId>
-      <version>1.45.2</version>
+      <version>1.61.0</version>
     </dependency>
     <dependency>
       <groupId>io.grpc</groupId>
       <artifactId>grpc-netty-shaded</artifactId>
-      <version>1.45.2</version>
+      <version>1.61.0</version>
     </dependency>
     <dependency>
       <groupId>com.google.code.gson</groupId>
@@ -303,6 +303,22 @@
           </systemProperties>
         </configuration>
       </plugin>
+      <!-- This plugin is used to detect publicly disclosed vulnerabilities contained within a project’s dependencies -->
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <version>9.0.9</version>
+        <configuration>
+          <failBuildOnCVSS>7</failBuildOnCVSS>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
   </build>
 </project>