Add OWASP Dependency-Check to msal library build, Fixes AB#3667951#2531
Open
p3dr0rv wants to merge 6 commits into
Open
Add OWASP Dependency-Check to msal library build, Fixes AB#3667951#2531p3dr0rv wants to merge 6 commits into
p3dr0rv wants to merge 6 commits into
Conversation
Mirrors the OWASP Dependency-Check setup already in common: - Apply org.owasp.dependencycheck plugin (v12.2.2) - Wire dependencyCheckAnalyze into the check task - Scan only shipped runtime classpaths (dist/local x release/debug) - Disable analyzers irrelevant to an Android/Java library (assembly, nuspec, node, ossIndex, archive) - NVD key resolved from -PnvdApiKey / gradle.properties / NVD_API_KEY with fail-fast when the task is in the graph and the key is missing - Add config/owasp/dependency-check-suppressions.xml with the same two false-positive suppressions used by common (androidx.browser CVE-2008-7298 and common4j CVE-2024-35255)
This comment has been minimized.
This comment has been minimized.
Contributor
There was a problem hiding this comment.
Pull request overview
Adds OWASP Dependency-Check scanning to the :msal Android library build so runtime dependencies can be analyzed for known CVEs during the standard Gradle check lifecycle, using a suppression file for narrowly-scoped false positives.
Changes:
- Applies the
org.owasp.dependencycheckGradle plugin to:msaland wiresdependencyCheckAnalyzeintocheck. - Configures Dependency-Check (CVSS threshold, report formats/output dir, runtime-only scan configurations, NVD throttling, analyzer disables) and adds an NVD API key guard for runs that include the analyze task.
- Adds an OWASP Dependency-Check suppressions XML with two targeted false-positive suppressions.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
msal/build.gradle |
Adds and configures OWASP Dependency-Check and hooks it into check, including NVD API key resolution + fail-fast behavior. |
config/owasp/dependency-check-suppressions.xml |
Introduces a suppression file with scoped suppressions + guidance comments for maintaining suppressions. |
- Add suppressions for Kotlin stdlib CVEs (< 1.4.21) - Add suppressions for OpenTelemetry Go/C++ CVEs - Add suppressions for protobuf-javalite false positives - Add suppressions for common library CPE false positive - Note: CVE-2023-0833 (okhttp) NOT suppressed; tracked in PBI #3667962
…owasp-dependency-check
This comment has been minimized.
This comment has been minimized.
|
❌ Invalid work item number: AB#3667951 Click here to learn more. |
|
❌ Invalid work item number: AB#3667951 ##. Work item number must be a valid integer. Click here to learn more. |
|
✅ Work item link check complete. Description contains link AB#3667951 to an Azure Boards work item. |
github-actions
Bot
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds OWASP Dependency-Check scanning to the :msal Android library build so runtime dependencies can be analyzed for known CVEs during the standard Gradle check lifecycle, using a suppression file for narrowly-scoped false positives.
What changed
Validation
Work Item