diff --git a/.github/workflows/code-qualitiy.yml b/.github/workflows/code-qualitiy.yml
index 42b4eae8c..5c5db7f73 100644
--- a/.github/workflows/code-qualitiy.yml
+++ b/.github/workflows/code-qualitiy.yml
@@ -99,3 +99,36 @@ jobs:
 - name: Run reproducibility check
 run: mvn clean install
+ dirty-waters:
+ runs-on:
+ ubuntu-latest
+ permissions:
+ pull-requests: write # To comment on a Pull Request
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ submodules: true
+
+ - name: Verify action checksums
+ uses: ./.github/actions/ghasum
+
+ - name: Setup JDK17
+ uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+
+ - name: Dirty Waters Analysis
+ uses: chains-project/dirty-waters-action@30bc4ef96e9c59f85efb05affc2992353d65870b # v1.11.52
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ package_manager: maven
+ gradual_report: false
+ debug: true
+ config: dirty-waters.json
+
diff --git a/.github/workflows/gha.sum b/.github/workflows/gha.sum
index d2a6cb7a1..72f7ae8f6 100755
--- a/.github/workflows/gha.sum
+++ b/.github/workflows/gha.sum
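Review bot: The job-level `permissions` block grants only `pull-requests: write`, and a job-level `permissions` map on GitHub Actions sets every scope it does not list to none, so this job has no `contents` permission; the checkout step (with `submodules: true`) and the ghasum verification step appear to rely on the repository being readable without the token, and the intent is clearer and more robust if read access is stated explicitly: `permissions:` / `contents: read` / `pull-requests: write # To comment on a Pull Request`. The Harden Runner step uses `egress-policy: audit`, which only records outbound connections; once the endpoints the Dirty Waters action needs are known from the audit logs, `egress-policy: block` with an allow-list is what makes the SHA pinning and checksum verification of the other steps meaningful against a compromised step phoning home. `debug: true` makes the action verbose in workflow logs, presumably intended while the configuration settles and worth turning off afterwards. Separately, the gha.sum hunk adds `actions/cache@v4.2.3` and `actions/setup-python@v5.6.0` keyed by tag rather than by commit SHA, unlike every other entry in that file, which suggests a workflow elsewhere references those two actions by a mutable tag.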
@@ -1,16 +1,22 @@
 version 1
 actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 xizZh3f6SQipDN8OULmHn5pM+d2g1xWEP+rD7K+KVVA=
+actions/cache@v4.2.3 A/Paejdu47oer1Zf9zbtOgbMTG3OmOiXsgB6oodFIOU=
 actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 aYx2ZNrV/U9daVa5XJLnuR3depD7lQqzkyRhH4E9bOU=
+actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 g2V9DAwkHBbZHaTOx4M2g/r9wI49KupzyARL47t/rEQ=
 actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a 2QKI0zLFRGnJvQ+VnEy9S/uUZpHbCV6s0LS72Xc0TpI=
 actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 0qLZUqMcil7hZ8idJYYxI/LgdETqnWR0T02izCncHy4=
 actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 XE1eqHfEOlHsHx+3cUQA1OGC3jxGBnmx7eTIdEzwSoI=
+actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 cKZQn6p38RgADB4MCMpbFp94sScgm/u3B7rEDB9QS5I=
 actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 Cn0rDfuNlsG0naRPXRAUwU3fAQ9P+sxzfPvU5EcNOQ8=
+actions/setup-python@v5.6.0 MTHBGEHwb+MeIw3xRLiVuM/uyRfuK8hlVXL+Z/yEA8c=
 actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 ZTERhL1FNPaoitPyTgsnA9lbOffV5BJ3FsNYFciQmGU=
+chains-project/dirty-waters-action@30bc4ef96e9c59f85efb05affc2992353d65870b JTXn8ep3K5YnkSpNVyVVe85RAxg2eQ2X+TKP5A6JgyA=
 chains-project/maven-lockfile@723132de2c6095048129f6eaf5e6b30f13c5b2ca IuzZe5N+X3qZs6O5saBYlSViPrWdcwjcfmVMdpncgUw=
 github/codeql-action@0499de31b99561a6d14a36a5f662c2a54f91beee uBZRqSyNk1SohDHUS5Iqm86o5tkInfY5gtmI6LMiNMU=
 google/osv-scanner-action@9bb69575e74019c2ad085a1860787043adf47ccb 02gWjvvjKDLqqYT/YzdTI3aKQ3oO8uKPE39z353BQbA=
 jreleaser/release-action@ad73772277e63d9f2bbf4f24a7bb1300388334d7 uCAaYYuyjM4iq8qflqOt5SzivqVnl3ZXt7vI9BWpHAo=
 ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a oHo5wLG0ePY4IIiiNfo0MU1uYrDKDkeV7MpBTJ39dQg=
 stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 g4PCgPHeeaVpSPTRcoBKth4QnrZGGQXwBEoEAsAXivs=
+step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 rG/FhhPP4VlsNB/2lKudn7rieQAYYNLIRb34q19qmFU=
 step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a fJwkMDFdylV4NgARDISD6NU03D0clX66qStzE3+HeJQ=
diff --git a/dirty-waters.json b/dirty-waters.json
new file mode 100644
index 000000000..cb871eb76
--- /dev/null
+++ b/dirty-waters.json
@@ -0,0 +1,123 @@
+{
+ "ignore": {
+ "aopalliance:aopalliance@1.0": ["code_signature"],
+ "com.diffplug.durian:durian-collect@1.2.0": ["source_code_sha"],
+ "com.diffplug.durian:durian-core@1.2.0": ["source_code_sha"],
+ "com.diffplug.durian:durian-io@1.2.0": ["source_code_sha"],
+ "com.diffplug.spotless:spotless-lib-extra@3.1.2": ["source_code_sha"],
+ "com.diffplug.spotless:spotless-lib@3.1.2": ["source_code_sha"],
+ "com.diffplug.spotless:spotless-maven-plugin@2.44.5": ["source_code_sha"],
+ "com.google.code.gson:gson@2.12.1": ["source_code_sha"],
+ "com.google.code.gson:gson@2.13.1": ["source_code_sha"],
+ "com.google.collections:google-collections@1.0": ["code_signature"],
+ "com.google.guava:guava@32.0.1-jre": ["source_code_sha"],
+ "com.google.guava:guava@33.2.1-jre": ["source_code_sha"],
+ "com.google.guava:guava@33.4.0-jre": ["source_code_sha"],
+ "com.google.guava:guava@33.4.8-jre": ["source_code_sha"],
+ "com.google.guava:listenablefuture@9999.0-empty-to-avoid-conflict-with-guava": ["source_code_sha"],
+ "com.google.protobuf:protobuf-java-util@4.29.3": ["source_code_sha"],
+ "com.google.protobuf:protobuf-java@4.29.3": ["source_code_sha"],
+ "com.kohlschutter.junixsocket:junixsocket-core@2.10.1": ["code_signature"],
+ "com.soebes.itf.jupiter.extension:itf-assertj@0.13.1": ["source_code_sha"],
+ "com.soebes.itf.jupiter.extension:itf-extension-maven@0.13.1": ["source_code_sha"],
+ "com.soebes.itf.jupiter.extension:itf-jupiter-extension@0.13.1": ["source_code_sha"],
+ "com.soebes.itf.jupiter.extension:itf-maven-plugin@0.13.1": ["source_code_sha"],
+ "commons-beanutils:commons-beanutils@1.7.0": ["source_code", "code_signature"],
+ "commons-chain:commons-chain@1.1": ["code_signature"],
+ "commons-cli:commons-cli@1.8.0": ["source_code_sha"],
+ "commons-codec:commons-codec@1.16.1": ["source_code_sha"],
+ "commons-codec:commons-codec@1.17.0": ["source_code_sha"],
+ "commons-codec:commons-codec@1.17.1": ["source_code_sha"],
+ "commons-codec:commons-codec@1.17.2": ["source_code_sha"],
+ "commons-codec:commons-codec@1.18.0": ["source_code_sha"],
+ "commons-digester:commons-digester@1.8": ["code_signature"],
+ "commons-io:commons-io@2.11.0": ["source_code_sha"],
+ "commons-io:commons-io@2.14.0": ["source_code_sha"],
+ "commons-io:commons-io@2.16.1": ["source_code_sha"],
+ "commons-io:commons-io@2.18.0": ["source_code_sha"],
+ "commons-io:commons-io@2.19.0": ["source_code_sha"],
+ "dev.equo.ide:solstice@1.8.1": ["source_code_sha"],
+ "dom4j:dom4j@1.1": ["source_code", "code_signature"],
+ "io.github.crac:org-crac@0.1.3": ["source_code_sha"],
+ "io.vertx:vertx-auth-common@4.5.13": ["source_code_sha"],
+ "io.vertx:vertx-uri-template@4.5.13": ["source_code_sha"],
+ "io.vertx:vertx-web-client@4.5.13": ["source_code_sha"],
+ "io.vertx:vertx-web-common@4.5.13": ["source_code_sha"],
+ "jakarta.el:jakarta.el-api@5.0.1": ["source_code_sha"],
+ "jakarta.interceptor:jakarta.interceptor-api@2.2.0": ["source_code_sha"],
+ "jakarta.json:jakarta.json-api@2.1.3": ["source_code_sha"],
+ "javax.inject:javax.inject@1": ["code_signature"],
+ "om.kohlschutter.junixsocket:junixsocket-core@2.10.1": ["code_signature"],
+ "org.aesh:aesh@2.8.2": ["code_signature", "source_code_sha"],
+ "org.aesh:readline@2.6": ["code_signature"],
+ "org.apache.commons:commons-collections4@4.4": ["source_code_sha"],
+ "org.apache.commons:commons-compress@1.26.1": ["source_code_sha"],
+ "org.apache.commons:commons-compress@1.26.2": ["source_code_sha"],
+ "org.apache.commons:commons-compress@1.27.1": ["source_code_sha"],
+ "org.apache.commons:commons-lang3@3.12.0": ["source_code_sha"],
+ "org.apache.commons:commons-lang3@3.14.0": ["source_code_sha"],
+ "org.apache.commons:commons-lang3@3.17.0": ["source_code_sha"],
+ "org.apache.commons:commons-lang3@3.8.1": ["source_code_sha"],
+ "org.apache.commons:commons-text@1.12.0": ["source_code_sha"],
+ "org.apache.httpcomponents:httpclient@4.5.13": ["source_code_sha"],
+ "org.apache.httpcomponents:httpclient@4.5.14": ["source_code_sha"],
+ "org.apache.httpcomponents:httpcore@4.4.14": ["source_code_sha"],
+ "org.apache.httpcomponents:httpcore@4.4.16": ["source_code_sha"],
+ "org.apache.logging.log4j:log4j-api@2.24.3": ["source_code_sha"],
+ "org.apache.logging.log4j:log4j-core@2.24.3": ["source_code_sha"],
+ "org.apache.maven.doxia:doxia-decoration-model@1.11.1": ["source_code_sha"],
+ "org.apache.maven.doxia:doxia-integration-tools@2.0.0": ["source_code_sha"],
+ "org.apache.maven.doxia:doxia-site-model@2.0.0": ["source_code_sha"],
+ "org.apache.maven.doxia:doxia-site-renderer@1.11.1": ["source_code_sha"],
+ "org.apache.maven.doxia:doxia-site-renderer@2.0.0": ["source_code_sha"],
+ "org.apache.maven.doxia:doxia-skin-model@1.11.1": ["source_code_sha"],
+ "org.apache.maven.doxia:doxia-skin-model@2.0.0": ["source_code_sha"],
+ "org.assertj:assertj-core@3.24.2": ["source_code_sha"],
+ "org.bouncycastle:bcpg-jdk18on@1.78.1": ["source_code_sha"],
+ "org.bouncycastle:bcpkix-jdk18on@1.80": ["source_code_sha"],
+ "org.bouncycastle:bcprov-jdk18on@1.80": ["source_code_sha"],
+ "org.bouncycastle:bcutil-jdk18on@1.80": ["source_code_sha"],
+ "org.codehaus.plexus:plexus-i18n@1.0-beta-10": ["code_signature"],
+ "org.eclipse.jetty:jetty-http@9.4.56.v20240826": ["source_code_sha"],
+ "org.eclipse.jetty:jetty-io@9.4.56.v20240826": ["source_code_sha"],
+ "org.eclipse.jetty:jetty-security@9.4.56.v20240826": ["source_code_sha"],
+ "org.eclipse.jetty:jetty-server@9.4.56.v20240826": ["source_code_sha"],
+ "org.eclipse.jetty:jetty-servlet@9.4.56.v20240826": ["source_code_sha"],
+ "org.eclipse.jetty:jetty-util-ajax@9.4.56.v20240826": ["source_code_sha"],
+ "org.eclipse.jetty:jetty-util@9.4.56.v20240826": ["source_code_sha"],
+ "org.eclipse.jetty:jetty-webapp@9.4.56.v20240826": ["source_code_sha"],
+ "org.eclipse.jetty:jetty-xml@9.4.56.v20240826": ["source_code_sha"],
+ "org.eclipse.platform:org.eclipse.osgi@3.23.0": ["source_code_sha"],
+ "org.eclipse.sisu:org.eclipse.sisu.inject@0.9.0.M2": ["source_code_sha"],
+ "org.eclipse.sisu:org.eclipse.sisu.inject@0.9.0.M3": ["source_code_sha"],
+ "org.eclipse.sisu:org.eclipse.sisu.plexus@0.9.0.M2": ["source_code_sha"],
+ "org.eclipse.sisu:org.eclipse.sisu.plexus@0.9.0.M3": ["source_code_sha"],
+ "org.instancio:instancio-core@5.4.1": ["source_code_sha"],
+ "org.instancio:instancio-junit@5.4.1": ["source_code_sha"],
+ "org.iq80.snappy:snappy@0.4": ["source_code"],
+ "org.jboss.logging:commons-logging-jboss-logging@1.0.0.Final": ["code_signature"],
+ "org.jboss.logging:jboss-logging-annotations@3.0.4.Final": ["code_signature"],
+ "org.jboss.logging:jboss-logging@3.6.1.Final": ["code_signature"],
+ "org.jboss.logmanager:jboss-logmanager@3.1.2.Final": ["code_signature"],
+ "org.jboss.marshalling:jboss-marshalling@2.2.2.Final": ["source_code_sha"],
+ "org.jboss.slf4j:slf4j-jboss-logmanager@2.0.0.Final": ["code_signature", "source_code_sha"],
+ "org.jboss.threads:jboss-threads@3.8.0.Final": ["code_signature"],
+ "org.jdom:jdom2@2.0.6.1": ["source_code_sha"],
+ "org.jetbrains:annotations@13.0": ["source_code_sha"],
+ "org.junit.platform:junit-platform-commons@1.10.5": ["source_code_sha"],
+ "org.junit.platform:junit-platform-commons@1.13.0": ["source_code_sha"],
+ "org.junit.platform:junit-platform-engine@1.10.5": ["source_code_sha"],
+ "org.junit.platform:junit-platform-engine@1.13.0": ["source_code_sha"],
+ "org.junit.platform:junit-platform-launcher@1.10.5": ["source_code_sha"],
+ "org.sonatype.plexus:plexus-cipher@1.4": ["source_code"],
+ "org.sonatype.plexus:plexus-sec-dispatcher@1.3": ["source_code"],
+ "org.twdata.maven:mojo-executor@2.4.0": ["source_code_sha"],
+ "org.wildfly.common:wildfly-common@2.0.1": ["code_signature"],
+ "oro:oro@2.0.8": ["source_code", "code_signature"]
+ },
+ "ignore-if-parent": {
+ "com.diffplug.spotless:spotless-maven-plugin@2.44.3": ["source_code_sha"],
+ "org.apache.maven.plugins:maven-artifact-plugin@3.6.0": ["source_code_sha"],
+ "org.apache.maven.plugins:maven-site-plugin@3.21.0": ["source_code_sha"]
+ }
+}
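Review bot: The entry `"om.kohlschutter.junixsocket:junixsocket-core@2.10.1"` is a misspelling of the `"com.kohlschutter.junixsocket:junixsocket-core@2.10.1"` entry earlier in the same `ignore` map; it can never match a Maven coordinate, so it is a dead suppression and should be deleted rather than left as a second copy. Every key in `ignore` is a risk acceptance that silences a supply-chain signal (`source_code_sha`, `code_signature`, `source_code`), and the ones that waive both the source and the signature checks, such as `commons-beanutils:commons-beanutils@1.7.0`, `dom4j:dom4j@1.1` and `oro:oro@2.0.8`, are the ones a reader will most want a justification for; since JSON has no comments, a short per-group rationale kept next to this file in the contributor docs would keep the list reviewable as it grows. The list also carries several versions of the same artifact (five `commons-codec` releases, five `commons-io`, four `guava`); if some of those are transitive versions no longer present in the lockfile, pruning them keeps suppressions from outliving the dependency they were added for.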