Replace NVD with Sonatype OSS Index (#2689)

Co-authored-by: Lauri Tulmin <ltulmin@splunk.com>

Author: trask

.github/repository-settings.md

@@ -22,9 +22,8 @@ private admin repo.
 
 - `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
 - `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
-- `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password
-  - Generated at <https://nvd.nist.gov/developers/request-an-api-key>
-  - Key is associated with [@trask](https://github.com/trask)'s gmail address
+- `SONATYPE_OSS_INDEX_USER` - owned by [@trask](https://github.com/trask)
+- `SONATYPE_OSS_INDEX_PASSWORD` - owned by [@trask](https://github.com/trask)
 - `SONATYPE_KEY` - owned by [@trask](https://github.com/trask)
 - `SONATYPE_USER` - owned by [@trask](https://github.com/trask)
 

.github/workflows/owasp-dependency-check-daily.yml

@@ -1,6 +1,6 @@
 # the benefit of this over renovate is that this also analyzes transitive dependencies
 # while renovate (at least currently) only analyzes top-level dependencies
-name: OWASP dependency check (daily)
+name: OSS Index dependency audit (daily)
 
 on:
   schedule:
@@ -22,22 +22,22 @@ jobs:
           distribution: temurin
           java-version: 21
 
-      - name: Increase gradle daemon heap size
-        run: |
-          sed -i "s/org.gradle.jvmargs=/org.gradle.jvmargs=-Xmx3g /" gradle.properties
-
       - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
 
-      - run: ./gradlew dependencyCheckAnalyze
+      - run: ./gradlew ossIndexAudit
+        id: audit
+        continue-on-error: true
         env:
-          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+          SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }}
+          SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }}
           DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
-      - name: Upload report
-        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          path: "**/build/reports"
+      - name: Print vulnerability report
+        if: steps.audit.outcome == 'failure'
+        run: |
+          echo "=== OSS Index Vulnerability Report ==="
+          cat oss-index-cyclonedx-bom.json
+          exit 1
 
   workflow-notification:
     permissions:

buildSrc/build.gradle.kts

@@ -15,7 +15,7 @@ dependencies {
   implementation("com.diffplug.spotless:com.diffplug.spotless.gradle.plugin:8.3.0")
   implementation("net.ltgt.errorprone:net.ltgt.errorprone.gradle.plugin:5.1.0")
   implementation("net.ltgt.nullaway:net.ltgt.nullaway.gradle.plugin:3.0.0")
-  implementation("org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:12.2.0")
+  implementation("org.sonatype.gradle.plugins:scan-gradle-plugin:3.1.4")
   implementation("ru.vyarus.animalsniffer:ru.vyarus.animalsniffer.gradle.plugin:2.0.1")
   implementation("com.gradle.develocity:com.gradle.develocity.gradle.plugin:4.3.2")
   implementation("me.champeau.gradle.japicmp:me.champeau.gradle.japicmp.gradle.plugin:0.4.6")

buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts

@@ -8,7 +8,7 @@ plugins {
   id("otel.errorprone-conventions")
   id("otel.spotless-conventions")
   id("otel.japicmp-conventions")
-  id("org.owasp.dependencycheck")
+  id("org.sonatype.gradle.plugins.scan")
 }
 
 val otelJava = extensions.create<OtelJavaExtension>("otelJava")
@@ -217,10 +217,8 @@ afterEvaluate {
   }
 }
 
-dependencyCheck {
-  scanConfigurations = mutableListOf("runtimeClasspath")
-  suppressionFile = "buildscripts/dependency-check-suppressions.xml"
-  failBuildOnCVSS = 7.0f // fail on high or critical CVE
-  nvd.apiKey = System.getenv("NVD_API_KEY")
-  nvd.delay = 3500 // until next dependency check release (https://github.com/jeremylong/DependencyCheck/pull/6333)
+ossIndexAudit {
+  username = System.getenv("SONATYPE_OSS_INDEX_USER") ?: ""
+  password = System.getenv("SONATYPE_OSS_INDEX_PASSWORD") ?: ""
+  outputFormat = org.sonatype.gradle.plugins.scan.ossindex.OutputFormat.JSON_CYCLONE_DX_1_4
 }

buildscripts/dependency-check-suppressions.xml

@@ -80,8 +80,3 @@ configurations {
     }
   }
 }
-
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-  skip = true
-}