Merge pull request #1155 from uhafner/owasp-dependency-check

Add OWASP dependency check to quality monitor

.github/workflows/quality-monitor.yml

@@ -27,7 +27,8 @@ jobs:
       - name: Build with Maven
         env:
           BROWSER: chrome-container
-        run: mvn -V --color always -ntp clean verify -Ppit -Pci | tee maven.log
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+        run: mvn -V --color always -ntp clean verify -Ppit -Pci -Powasp | tee maven.log
       - name: Extract pull request number
         uses: jwalton/gh-find-current-pr@v1
         id: pr
@@ -78,6 +79,16 @@ jobs:
                       "pattern": "**/maven.log"
                     }
                   ]
+                },
+                {
+                  "name": "Vulnerabilities",
+                  "id": "vulnerabilities",
+                  "icon": "shield",
+                  "tools": [
+                    {
+                      "id": "owasp-dependency-check",
+                    }
+                  ]
                 }
               ],
               "coverage": [

pom.xml

@@ -915,6 +915,29 @@
         </plugins>
       </build>
     </profile>
+    <profile>
+      <id>owasp</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <version>10.0.4</version>
+            <configuration>
+              <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
+              <format>JSON</format>
+            </configuration>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>check</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
     <profile>
       <id>depgraph</id>
       <build>