CI(Dependency): Dependency Check and Submission

halibobo1205 · halibobo1205 · commit 2a964cc29d0c · 2026-03-02T15:34:51.000+08:00
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
@@ -0,0 +1,61 @@
+name: "Dependency Check"
+
+on:
+  push:
+    branches: [ 'develop', 'master', 'release_**', 'feat/state_root_sync' ]
+  pull_request:
+    branches: [ 'develop', "release_**" , 'feat/state_root_sync' ]
+  schedule:
+    - cron: '25 6 * * *'
+  workflow_dispatch:
+
+jobs:
+  dependency-check:
+    name: Dependency Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Cache ODC data
+        uses: actions/cache@v3
+        with:
+          path: ~/.dependency-check/data
+          key: ${{ runner.os }}-odc-data-${{ hashFiles('**/build.gradle') }}
+          restore-keys: |
+            ${{ runner.os }}-odc-data-
+
+      - name: Set up JDK 8
+        uses: actions/setup-java@v3
+        with:
+          java-version: '8'
+          distribution: 'temurin'
+
+      - name: Gradlew build
+        run:  ./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off -Dorg.gradle.warning.mode=none build -x test
+
+      - name: Dependency Check
+        uses: dependency-check/Dependency-Check_Action@1.1.0
+        env:
+          # actions/setup-java@v1 changes JAVA_HOME, so it needs to be reset to match the depcheck image
+          JAVA_HOME: /opt/jdk
+        with:
+          project: 'java-tron'
+          path: '.'
+          format: 'HTML'
+          out: 'reports'
+          args: >
+            --failOnCVSS 7
+            --enableRetired
+            --suppression ${{github.workspace}}/suppression.xml
+      - name: Generate timestamp
+        run: echo "BUILD_TIMESTAMP=$(date -u +"%Y%m%d-%H%M%S")" >> $GITHUB_ENV
+      - name: Get Repository Name
+        run: echo "REPO_NAME=$(echo '${{ github.repository }}' | cut -d'/' -f2)" >> $GITHUB_ENV
+      - name: Upload report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-${{ env.REPO_NAME }}-${{ env.BUILD_TIMESTAMP }}
+          path: ${{github.workspace}}/reports
diff --git a/.github/workflows/dependency-submission.yml b/.github/workflows/dependency-submission.yml
@@ -0,0 +1,29 @@
+name: Dependency Submission
+
+on:
+  push:
+    branches: [ 'develop', 'master', 'release_**', 'feat/state_root_sync' ]
+  pull_request:
+    branches: [ 'develop', "release_**" , 'feat/state_root_sync' ]
+
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  dependency-submission:
+    runs-on: ubuntu-24.04-arm
+
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v4
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 17
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4
+      - name: Generate and submit dependency graph
+        uses: gradle/actions/dependency-submission@v4
diff --git a/build.gradle b/build.gradle
@@ -44,6 +44,7 @@ println "Building for architecture: ${archInfo.name}, Java version: ${archInfo.j
 
 
 subprojects {
+    apply plugin: "java"
     apply plugin: "jacoco"
     apply plugin: "maven-publish"
 
diff --git a/common/build.gradle b/common/build.gradle
@@ -1,9 +1,6 @@
-plugins {
-    id 'java'
-}
-
 version '1.0.0'
 
+
 dependencies {
     api group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.3' // https://github.com/FasterXML/jackson-databind/issues/3627
     api "com.cedarsoftware:java-util:3.2.0"
diff --git a/crypto/build.gradle b/crypto/build.gradle
@@ -1,7 +1,3 @@
-plugins {
-    id 'java'
-}
-
 version '1.0.0'
 
 repositories {
diff --git a/suppression.xml b/suppression.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+    <suppress>
+        <notes><![CDATA[file name: java-tron-1.0.0.zip: grpc-netty-1.75.0.jar]]></notes>
+        <sha1>6edfe492eef2a4e41e247f984d7e1f062fe2f47d</sha1>
+        <cve>CVE-2019-20444</cve>
+        <cve>CVE-2019-20445</cve>
+        <cve>CVE-2025-55163</cve>
+        <cve>CVE-2015-2156</cve>
+        <cve>CVE-2019-16869</cve>
+        <cve>CVE-2021-37136</cve>
+        <cve>CVE-2021-37137</cve>
+        <cve>CVE-2022-41881</cve>
+        <cve>CVE-2023-44487</cve>
+    </suppress>
+
+</suppressions>
