Unify weekly + per-PR security scanning into a single workflow (#1460)

## Summary

Consolidates security scanning into one workflow with one job
(`securityScan.yml`). Replaces `vulnerabilityCatcher.yml`. Adds
OSV-Scanner alongside the existing OWASP check, plus cyclonedx SBOM
generation so OSV scans the actually-resolved local dependency tree.

This bundles the work that was originally split across (now-closed) PRs
#1458 (suppressions + email-notification fix) and #1459 (per-PR gate).
One unified workflow file, one set of suppression rules, one place to
look.

### Design: single job, terminal steps gated by event

```
Triggers: pull_request, schedule (weekly cron), workflow_dispatch
   │
   ├─ shared: checkout, JDK, JFrog OIDC, maven config
   ├─ shared: NVD database cache (saves ~2 min)
   ├─ shared: mvn package (generates cyclonedx aggregate SBOM)
   ├─ shared: OWASP dependency-check (continue-on-error)
   ├─ shared: install + run OSV-Scanner
   ├─ shared: Collect findings (writes job summary; sets outputs)
   │
   ├─ if pull_request + findings ⇒ fail the job
   └─ if schedule|dispatch + findings ⇒ send email + fail the job
```

No duplicated steps across jobs. Same scan logic for every trigger; only
the notification mechanism differs.

### What changed

| File | Change |
|---|---|
| `.github/workflows/vulnerabilityCatcher.yml` | **Removed.** Superseded
by `securityScan.yml`. |
| `.github/workflows/securityScan.yml` | **New.** Single job with
event-gated terminal steps. Includes NVD database caching for faster
runs. |
| `owasp-suppressions.xml` | **8 new entries** for documented
CPE/ecosystem false positives — Arrow R-only (CVE-2024-52338),
gRPC-Go-only (CVE-2026-33186), protobuf Python-only (CVE-2026-0994), 5
libthrift non-Java bindings. Each entry has a justification comment
block. |
| `osv-scanner.toml` | **New.** Mirrors the OWASP suppressions in TOML
format. Keep the two files in sync when adding/removing entries. |
| `pom.xml` | **cyclonedx-maven-plugin 2.9.1** added, bound to `package`
phase, `skipNotDeployed=false`. Emits an aggregate `target/bom.json` for
OSV to read. |

### Why two scanners

| Scanner | Source | Catches | Misses |
|---|---|---|---|
| OWASP dependency-check | NVD (CPE-based) | Anything with an NVD CPE
entry. Reuses existing `owasp-suppressions.xml` and `failBuildOnCVSS=7`
threshold. | GHSA-only advisories without an NVD CPE (e.g.,
CVE-2025-66566 in lz4-java — the #1455 finding). |
| OSV-Scanner v2.3.8 | OSV.dev (purl-based; federates GHSA + NVD + PyPA
+ RustSec) | The GHSA-only gap. Already turned up a new finding:
**bouncycastle CVE-2026-5598 (severity 8.9)** in bcprov-jdk18on 1.79,
invisible to OWASP. | Findings without a CVSS score (rare for
high-severity). |

### Why cyclonedx SBOM

OSV-Scanner's Maven resolver consults deps.dev's published-artifact
metadata. For the project's *own* GA, that means it sees the
previously-published 3.3.3 pom — not whatever bumps are sitting on
`main`. Result: in CI, OSV would keep showing yesterday's released state
instead of the PR branch's actual dependency tree. Producing a CycloneDX
aggregate SBOM at build time captures the actually-resolved local tree.

### Fixes from #1458 included here

The weekly scan has been failing every Sunday for 7+ consecutive weeks
(since early April 2026) without sending a notification email. Root
cause: the OWASP maven plugin step exits non-zero when CVEs are found
(because `<failBuildOnCVSS>7</failBuildOnCVSS>` is set in
`jdbc-core/pom.xml:357`), short-circuiting the rest of the job. The
subsequent steps never ran.

The new workflow has `continue-on-error: true` on the OWASP step and
routes finding-detection through an explicit `Collect findings` step
that reads the OWASP JSON report directly. Whether the job ultimately
fails (and whether email goes out) is decided after that step, not by
maven's exit code.

### Findings on `main` today

This workflow, run against current `main`, reports unsuppressed findings
that will be addressed in **separate follow-up PRs**:

1. \`org.bouncycastle:bcprov-jdk18on@1.79\` → CVE-2026-5598 (severity
8.9). Fixed in bouncycastle 1.84. **OWASP doesn't see this — OSV-only
finding.**
2. \`org.apache.thrift:libthrift@0.19.0\` → 4 CVEs
(CVE-2026-41603/04/05/43869, max severity 8.2). Cleared by the libthrift
0.19 → 0.23 follow-up (requires regenerating \`TCLIService.java\` with
the matching compiler).

So this PR's own CI is expected to fail on these 2 known findings until
the follow-ups land. Aligned with the rollout plan: add the workflow
now, mark it required-to-merge in branch protection after the burn-down.

### Expected runtime

Each invocation: **~5–7 minutes** (vs ~4 min for the old weekly).
Breakdown:

- `mvn package` (with cyclonedx SBOM): ~45–90s
- OWASP dependency-check (with NVD cache hit): ~1–2 min
- OSV-Scanner install + run: ~15s
- Other steps: ~30s

NVD caching cuts ~2 minutes off OWASP's runtime when the cache is warm.
The cache key rotates daily so we still get fresh CVE data.

### What this PR is NOT

* It is **not** a required check. Branch protection is unchanged — PRs
aren't blocked by the red ❌ yet.
* It does **not** introduce diff-mode (net-new findings only) gating.
Every PR has to ship into a clean codebase; this is the design we agreed
on, to force burn-down rather than just \"not making it worse.\"
* It does **not** include a Phase 2 design (override flags, severity
tiers, auto-issue filing). Phase 2 is deferred until we have ~2 weeks of
operational experience.

### Test plan

- [x] \`mvn package -DskipTests -Ddependency-check.skip=true\` produces
\`target/bom.json\` (69 components, all expected versions).
- [x] \`mvn -pl jdbc-core org.owasp:dependency-check-maven:check\`
reports 4 unsuppressed CVEs (all libthrift; matches expectation).
- [x] \`osv-scanner scan source --config=osv-scanner.toml --format=json
target/bom.json\` + severity≥7 filter reports 2 findings (bouncycastle +
libthrift cluster).
- [x] Findings-step jq logic correctly counts OWASP CVSS>=7 from the
JSON report.
- [x] XML validation of \`owasp-suppressions.xml\`.
- [x] YAML validation of \`securityScan.yml\`.
- [ ] CI run on this PR — expected to fail on the 2 known findings
above. **The CI failure on this PR is the intended outcome.**
- [ ] Manual \`workflow_dispatch\` run post-merge to verify the email
path fires.

NO_CHANGELOG=true

This pull request and its description were written by Isaac.

---------

Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>

Author: vikrantpuppala

.github/workflows/securityScan.yml

@@ -0,0 +1,312 @@
+name: Security Scan
+
+# Single workflow, single job. Triggered three ways with DIFFERENT
+# thresholds:
+#
+#   - pull_request to main: fail the job on any unsuppressed
+#     CVSS >= 7 finding (HIGH+). MEDIUM/LOW findings show in the step
+#     summary but don't block merges. Not yet required-to-merge in
+#     branch protection.
+#
+#   - cron (weekly): report ALL findings regardless of severity. Sends
+#     an email with the full sorted list and fails the job on any
+#     finding. The intent is full situational awareness for the team --
+#     emerging MEDIUM risks should be visible before they cross the PR
+#     gate, and the weekly is read by humans, not enforced by code.
+#
+#   - workflow_dispatch: behaves like the cron run (full reporting).
+#
+# Scanner: OSV-Scanner v2.3.8 (purl-based via OSV.dev; federates GHSA,
+# NVD, PyPA, RustSec, Go vuln DB). Reads the cyclonedx aggregate SBOM
+# produced by `mvn package` so it sees the actually-resolved local
+# dependency tree, not deps.dev's stale published-artifact metadata.
+#
+# OSV replaced OWASP dependency-check (NVD CPE-based) as the sole gate
+# in PR #1460. OSV's database is a strict superset of NVD's, and several
+# real CVEs (CVE-2025-66566 in lz4, CVE-2026-5598 in bouncycastle) are
+# GHSA-only with no NVD CPE -- invisible to OWASP, caught by OSV. The
+# `owasp-suppressions.xml` and dependency-check plugin in jdbc-core/pom.xml
+# remain in the repo because the in-repo release.yml/release-thin.yml
+# workflows still reference them, but those workflows are themselves
+# `if: false` and superseded by databricks/secure-public-registry-releases-eng.
+#
+# Suppressions live in `osv-scanner.toml` as [[IgnoredVulns]] entries
+# (CVE-id global; OSV-Scanner v2.3.8 doesn't support per-package CVE
+# scoping). Each entry has a justification comment.
+
+on:
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 0 * * 0'  # Run every Sunday at midnight UTC
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  security-scan:
+    name: Security Scan
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: maven
+
+      # JFrog OIDC + maven proxy: skipped on fork PRs (no OIDC token from
+      # GitHub's perspective). Fork PRs still work because all of the
+      # driver's direct dependencies are published to public Maven Central
+      # (verified against jdbc-core/pom.xml); without ~/.m2/settings.xml,
+      # Maven falls through to Central directly. JFrog is just a faster
+      # mirror, not a source of any artifact the build genuinely needs.
+      - name: Get JFrog OIDC token
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        run: |
+          set -euo pipefail
+
+          ID_TOKEN=$(curl -sLS \
+            -H "User-Agent: actions/oidc-client" \
+            -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+          echo "::add-mask::${ID_TOKEN}"
+
+          ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+            "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+            -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+          echo "::add-mask::${ACCESS_TOKEN}"
+
+          if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+            echo "FAIL: Could not extract JFrog access token"
+            exit 1
+          fi
+
+          echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+
+      - name: Configure maven
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        run: |
+          set -euo pipefail
+          mkdir -p ~/.m2
+          cat > ~/.m2/settings.xml << EOF
+          <settings>
+            <mirrors>
+              <mirror>
+                <id>jfrog-central</id>
+                <mirrorOf>*</mirrorOf>
+                <url>https://databricks.jfrog.io/artifactory/db-maven/</url>
+              </mirror>
+            </mirrors>
+            <servers>
+              <server>
+                <id>jfrog-central</id>
+                <username>gha-service-account</username>
+                <password>${JFROG_ACCESS_TOKEN}</password>
+              </server>
+            </servers>
+          </settings>
+          EOF
+
+      # Build the project to produce the cyclonedx aggregate SBOM that OSV
+      # will scan. -Ddependency-check.skip=true because the OWASP plugin
+      # is bound to the verify phase in jdbc-core/pom.xml and we don't
+      # use it anymore -- skipping saves ~2 minutes.
+      - name: Build (generates cyclonedx SBOM)
+        run: mvn package -DskipTests -Ddependency-check.skip=true -B
+
+      - name: Install osv-scanner
+        run: |
+          set -euo pipefail
+          curl -fsSL -o /tmp/osv-scanner \
+            https://github.com/google/osv-scanner/releases/download/v2.3.8/osv-scanner_linux_amd64
+          chmod +x /tmp/osv-scanner
+          /tmp/osv-scanner --version
+
+      - name: Run OSV-Scanner
+        # Drop -e because osv-scanner exits 1 on ANY finding regardless of
+        # severity. The severity >= 7 filter below is our actual gate, so
+        # we explicitly tolerate osv-scanner's non-zero exit via `|| true`.
+        run: |
+          set -uo pipefail
+
+          if [ ! -f target/bom.json ]; then
+            echo "::error::SBOM not found at target/bom.json (build likely failed)."
+            exit 1
+          fi
+
+          /tmp/osv-scanner scan source \
+            --recursive=false \
+            --config=osv-scanner.toml \
+            --format=json \
+            --output-file=/tmp/osv-out.json \
+            target/bom.json || true
+
+          if [ ! -s /tmp/osv-out.json ]; then
+            echo "::error::OSV-Scanner did not produce an output file."
+            exit 1
+          fi
+
+      # Parse OSV's JSON into job outputs. The terminal steps below
+      # (PR-fail and email) consume these outputs.
+      #
+      # Two thresholds: PR gating uses CVSS >= 7 (high_count) so we don't
+      # block merges on MEDIUM/LOW noise; the weekly email reports
+      # everything (total_findings) so the team has full situational
+      # awareness of emerging risk before it crosses the gate.
+      - name: Collect findings
+        id: findings
+        run: |
+          set -uo pipefail
+
+          # All findings (sorted by severity desc). Anything missing a
+          # CVSS score sorts to 0 -- visible in the report but not silent.
+          ALL_FINDINGS=$(jq -c '[
+            .results[].packages[]? |
+            .package as $pkg |
+            .groups[]? |
+            {pkg: ($pkg.name + "@" + $pkg.version), ids: .ids, severity: (.max_severity // "0")}
+          ] | sort_by(- (.severity | tonumber? // 0))' /tmp/osv-out.json)
+          TOTAL_FINDINGS=$(echo "$ALL_FINDINGS" | jq 'length')
+
+          # High findings (CVSS >= 7). Both counters are logged so a
+          # mismatch (e.g. 50 total / 0 high) is visible -- protects
+          # against silent fail-open if OSV ever changes its severity
+          # format (e.g. emits "HIGH" instead of a number, which
+          # `tonumber? // 0` would mask).
+          HIGH_FINDINGS=$(echo "$ALL_FINDINGS" | jq -c '[.[] | select((.severity | tonumber? // 0) >= 7)]')
+          HIGH_COUNT=$(echo "$HIGH_FINDINGS" | jq 'length')
+
+          # Persist the full findings list to a file rather than a job
+          # output -- GitHub Actions outputs are size-capped at 1 MB and
+          # the formatted email body can be larger than that for big
+          # finding lists.
+          echo "$ALL_FINDINGS" > /tmp/all-findings.json
+
+          echo "total_findings=$TOTAL_FINDINGS" >> "$GITHUB_OUTPUT"
+          echo "high_count=$HIGH_COUNT" >> "$GITHUB_OUTPUT"
+
+          # Step summary so findings are visible in the GH Actions UI
+          # without downloading artifacts.
+          {
+            echo "## OSV-Scanner Findings"
+            echo ""
+            echo "- Total findings (any severity): \`$TOTAL_FINDINGS\`"
+            echo "- High findings (CVSS >= 7, PR-blocking): \`$HIGH_COUNT\`"
+            if [ "$TOTAL_FINDINGS" -gt 0 ]; then
+              echo ""
+              echo "All findings (sorted by severity desc):"
+              echo ""
+              echo "| Severity | Package | IDs |"
+              echo "|---|---|---|"
+              echo "$ALL_FINDINGS" | jq -r '.[] | "| \(.severity) | \(.pkg) | \(.ids | join(",")) |"'
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          # Also dump the findings to the job log so they're visible in
+          # the default "Logs" view, not just the step summary panel.
+          echo "OSV: $TOTAL_FINDINGS total findings, $HIGH_COUNT at CVSS>=7"
+          if [ "$TOTAL_FINDINGS" -gt 0 ]; then
+            echo ""
+            echo "All findings (sorted by severity desc):"
+            echo "$ALL_FINDINGS" | jq -r '.[] | "  [\(.severity)] \(.pkg)  \(.ids | join(", "))"'
+          fi
+
+      # --- Terminal: PR event ---
+      # Fail the job so the PR's check goes red. No email.
+      # PR gate is CVSS >= 7 only; MEDIUM/LOW findings show up in the
+      # step summary but don't block merges.
+      - name: Fail on findings (PR)
+        if: github.event_name == 'pull_request' && steps.findings.outputs.high_count != '0'
+        run: |
+          set -uo pipefail
+          # List the actual HIGH findings inline so the author sees what
+          # needs fixing without clicking through to the step summary
+          # panel or downloading artifacts.
+          HIGH_FINDINGS=$(jq -c '[.[] | select((.severity | tonumber? // 0) >= 7)]' /tmp/all-findings.json)
+
+          echo "::error::${{ steps.findings.outputs.high_count }} unsuppressed CVSS>=7 finding(s) in this PR:"
+          echo ""
+          echo "$HIGH_FINDINGS" | jq -r '.[] | "  [\(.severity)] \(.pkg)  \(.ids | join(", "))"'
+          echo ""
+          echo "Fix by either:"
+          echo "  1. Bumping the affected dependency to a patched version, or"
+          echo "  2. Adding a documented [[IgnoredVulns]] entry to osv-scanner.toml"
+          echo "     with a clear justification for why the CVE doesn't apply to our usage."
+          echo ""
+          echo "Full step summary: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
+          exit 1
+
+      # --- Terminal: scheduled/manual event ---
+      # Weekly reports ALL findings (not just CVSS >= 7) so the team sees
+      # emerging risk before it crosses the PR gate. PR-time is narrower
+      # to avoid blocking on MEDIUM/LOW noise; weekly is broader because
+      # it's read by humans, not enforced.
+      - name: Compose email body
+        if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && steps.findings.outputs.total_findings != '0'
+        run: |
+          set -uo pipefail
+          {
+            echo "<!DOCTYPE html><html><head><title>JDBC Driver Security Scan Results</title>"
+            echo "<style>"
+            echo "  body { font-family: -apple-system, sans-serif; }"
+            echo "  table { border-collapse: collapse; margin-top: 1em; }"
+            echo "  th, td { border: 1px solid #ddd; padding: 6px 12px; text-align: left; }"
+            echo "  th { background: #f5f5f5; }"
+            echo "  tr.high { background: #ffe5e5; }"
+            echo "  tr.medium { background: #fff5e5; }"
+            echo "</style></head><body>"
+            echo "<h1>Security Vulnerabilities Found</h1>"
+            echo "<p><b>${{ steps.findings.outputs.total_findings }}</b> total finding(s) on main; <b>${{ steps.findings.outputs.high_count }}</b> are CVSS &gt;= 7 (PR-blocking).</p>"
+            echo "<p>Full reports are attached to the GitHub Actions run as artifacts: <a href='https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}'>View Artifacts</a></p>"
+            echo "<table><tr><th>Severity</th><th>Package</th><th>IDs</th></tr>"
+            jq -r '.[] |
+              (if (.severity | tonumber? // 0) >= 7 then "high"
+               elif (.severity | tonumber? // 0) >= 4 then "medium"
+               else "" end) as $cls |
+              "<tr class=\"\($cls)\"><td>\(.severity)</td><td>\(.pkg)</td><td>\(.ids | join(", "))</td></tr>"
+            ' /tmp/all-findings.json
+            echo "</table>"
+            echo "</body></html>"
+          } > security-scan-report.html
+
+      - name: Send Email
+        if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && steps.findings.outputs.total_findings != '0'
+        uses: dawidd6/action-send-mail@4226df7daafa6fc901a43789c49bf7ab309066e7 # v3
+        with:
+          server_address: smtp.gmail.com
+          server_port: 465
+          username: ${{ secrets.SMTP_USERNAME }}
+          password: ${{ secrets.SMTP_PASSWORD }}
+          subject: OSS JDBC Driver Security Scan - 🚨 Vulnerabilities Found
+          html_body: file://security-scan-report.html
+          to: ${{ secrets.EMAIL_RECIPIENTS }}
+          from: JDBC Security Scanner
+          content_type: text/html
+
+      - name: Fail on findings (scheduled/manual)
+        if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && steps.findings.outputs.total_findings != '0'
+        run: |
+          echo "::error::${{ steps.findings.outputs.total_findings }} OSV finding(s) on main (${{ steps.findings.outputs.high_count }} at CVSS>=7). Email sent."
+          exit 1
+
+      # Always upload artifacts so triagers can pull the full reports
+      # without having to rerun anything.
+      - name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: security-scan-reports
+          path: |
+            /tmp/osv-out.json
+            target/bom.json
+            security-scan-report.html
+          if-no-files-found: ignore