CI(Dependency): add Dependency Check and Submission

halibobo1205 · halibobo1205 · commit 34d118938106 · 2026-06-23T15:25:26.000+08:00
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
@@ -0,0 +1,61 @@
+name: "Dependency Check"
+
+on:
+  push:
+    branches: [ 'develop', 'master', 'release_**', 'feat/JDK17' ]
+  pull_request:
+    branches: [ 'develop', "release_**" , 'feat/JDK17' ]
+  schedule:
+    - cron: '25 6 * * *'
+  workflow_dispatch:
+
+jobs:
+  dependency-check:
+    name: Dependency Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Cache ODC data
+        uses: actions/cache@v3
+        with:
+          path: ~/.dependency-check/data
+          key: ${{ runner.os }}-odc-data-${{ hashFiles('**/build.gradle') }}
+          restore-keys: |
+            ${{ runner.os }}-odc-data-
+
+      - name: Set up JDK 8
+        uses: actions/setup-java@v3
+        with:
+          java-version: '8'
+          distribution: 'temurin'
+
+      - name: Gradlew build
+        run:  ./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off -Dorg.gradle.warning.mode=none build -x test
+
+      - name: Dependency Check
+        uses: dependency-check/Dependency-Check_Action@1.1.0
+        env:
+          # actions/setup-java@v1 changes JAVA_HOME, so it needs to be reset to match the depcheck image
+          JAVA_HOME: /opt/jdk
+        with:
+          project: 'java-tron'
+          path: '.'
+          format: 'HTML'
+          out: 'reports'
+          args: >
+            --failOnCVSS 7
+            --enableRetired
+            --suppression ${{github.workspace}}/suppression.xml
+      - name: Generate timestamp
+        run: echo "BUILD_TIMESTAMP=$(date -u +"%Y%m%d-%H%M%S")" >> $GITHUB_ENV
+      - name: Get Repository Name
+        run: echo "REPO_NAME=$(echo '${{ github.repository }}' | cut -d'/' -f2)" >> $GITHUB_ENV
+      - name: Upload report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-${{ env.REPO_NAME }}-${{ env.BUILD_TIMESTAMP }}
+          path: ${{github.workspace}}/reports
diff --git a/.github/workflows/dependency-submission.yml b/.github/workflows/dependency-submission.yml
@@ -0,0 +1,29 @@
+name: Dependency Submission
+
+on:
+  push:
+    branches: [ 'develop', 'master', 'release_**', 'feat/JDK17' ]
+  pull_request:
+    branches: [ 'develop', "release_**" , 'feat/JDK17' ]
+
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  dependency-submission:
+    runs-on: ubuntu-24.04-arm
+
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v4
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 17
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4
+      - name: Generate and submit dependency graph
+        uses: gradle/actions/dependency-submission@v4
diff --git a/build.gradle b/build.gradle
@@ -55,6 +55,7 @@ println "Building for architecture: ${archInfo.name}, Java version: ${archInfo.j
 
 
 subprojects {
+    apply plugin: "java"
     apply plugin: "jacoco"
     apply plugin: "maven-publish"
 
diff --git a/common/build.gradle b/common/build.gradle
@@ -1,11 +1,5 @@
-plugins {
-    id 'java'
-}
-
 version '1.0.0'
 
-sourceCompatibility = 1.8
-
 
 dependencies {
     api group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.6' // https://github.com/FasterXML/jackson-databind/issues/3627
@@ -45,8 +39,8 @@ dependencies {
 
 jacocoTestReport {
     reports {
-        xml.enabled = true
-        html.enabled = true
+        xml.required.set(true)
+        html.required.set(true)
     }
     getExecutionData().setFrom(fileTree('../framework/build/jacoco').include("**.exec"))
     afterEvaluate {
diff --git a/crypto/build.gradle b/crypto/build.gradle
@@ -1,7 +1,3 @@
-plugins {
-    id 'java'
-}
-
 version '1.0.0'
 
 sourceCompatibility = 1.8
diff --git a/suppression.xml b/suppression.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+    <suppress>
+        <notes><![CDATA[grpc-netty CVEs: these are false positives or already mitigated in grpc-netty >= 1.60.0.
+        CVE-2019-20444, CVE-2019-20445, CVE-2015-2156, CVE-2019-16869: Netty HTTP/2 header smuggling/request smuggling - not applicable to gRPC transport usage.
+        CVE-2025-55163: reported against Netty, not grpc-netty itself.
+        CVE-2021-37136, CVE-2021-37137: Netty decompression OOM - gRPC does not use Netty's HTTP chunk decompressor.
+        CVE-2022-41881: Netty HAProxyMessage OOM - not used by gRPC.
+        CVE-2023-44487: HTTP/2 Rapid Reset - mitigated in grpc-java >= 1.58.0.]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-netty@.*$</packageUrl>
+        <cve>CVE-2019-20444</cve>
+        <cve>CVE-2019-20445</cve>
+        <cve>CVE-2025-55163</cve>
+        <cve>CVE-2015-2156</cve>
+        <cve>CVE-2019-16869</cve>
+        <cve>CVE-2021-37136</cve>
+        <cve>CVE-2021-37137</cve>
+        <cve>CVE-2022-41881</cve>
+        <cve>CVE-2023-44487</cve>
+    </suppress>
+
+</suppressions>
