From 7fa6a8f96cb4ccee04ea26efe4f891b18d18ec85 Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Fri, 13 Mar 2026 11:12:52 -0700
Subject: [PATCH 1/2] Replace NVD with Sonatype OSS Index
Looks like a new CVE backing that better understands maven coordinates and so the suppressions we maintained previously should no longer be needed. Ported from https://github.com/open-telemetry/opentelemetry-java-instrumentation/pull/16445
---
.github/repository-settings.md | 5 ++--
.../owasp-dependency-check-daily.yml | 24 +++++++++----------
buildSrc/build.gradle.kts | 2 +-
.../kotlin/otel.java-conventions.gradle.kts | 12 ++++------
.../dependency-check-suppressions.xml | 13 ----------
custom-checks/build.gradle.kts | 5 +---
6 files changed, 21 insertions(+), 40 deletions(-)
delete mode 100644 buildscripts/dependency-check-suppressions.xml
diff --git a/.github/repository-settings.md b/.github/repository-settings.md
index 4641479832..c7c198ab7f 100644
--- a/.github/repository-settings.md
+++ b/.github/repository-settings.md
@@ -22,9 +22,8 @@ private admin repo.
 - `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
 - `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
-- `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password
- - Generated at
- - Key is associated with [@trask](https://github.com/trask)'s gmail address
+- `SONATYPE_OSS_INDEX_USER` - owned by [@trask](https://github.com/trask)
+- `SONATYPE_OSS_INDEX_PASSWORD` - owned by [@trask](https://github.com/trask)
 - `SONATYPE_KEY` - owned by [@trask](https://github.com/trask)
 - `SONATYPE_USER` - owned by [@trask](https://github.com/trask)
diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml
index 914475be97..98d898b757 100644
--- a/.github/workflows/owasp-dependency-check-daily.yml
+++ b/.github/workflows/owasp-dependency-check-daily.yml
@@ -1,6 +1,6 @@
 # the benefit of this over renovate is that this also analyzes transitive dependencies
 # while renovate (at least currently) only analyzes top-level dependencies
-name: OWASP dependency check (daily)
+name: OSS Index dependency audit (daily)
 on:
 schedule:
@@ -22,22 +22,22 @@ jobs:
 distribution: temurin
 java-version: 21
- - name: Increase gradle daemon heap size
- run: |
- sed -i "s/org.gradle.jvmargs=/org.gradle.jvmargs=-Xmx3g /" gradle.properties
- - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
- - run: ./gradlew dependencyCheckAnalyze
+ - run: ./gradlew ossIndexAudit
+ id: audit
+ continue-on-error: true
 env:
- NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+ SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }}
+ SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }}
 DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
- - name: Upload report
- if: always()
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
- with:
- path: "**/build/reports"
+ - name: Print vulnerability report
+ if: steps.audit.outcome == 'failure'
+ run: |
+ echo "=== OSS Index Vulnerability Report ==="
+ cat oss-index-cyclonedx-bom.json
+ exit 1
 workflow-notification:
 permissions:
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
index 32dfaa7796..71da9a7a3b 100644
--- a/buildSrc/build.gradle.kts
+++ b/buildSrc/build.gradle.kts
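Review bot: Dropping the `if: always()` artifact upload means a successful run now retains no copy of the CycloneDX report the audit produces, and the new `Print vulnerability report` step only echoes it when the audit fails; an upload step that runs on every outcome costs little and keeps a per-run SBOM for later triage when an advisory is published against a dependency that was clean at scan time. Because `ossIndexAudit` is applied to every subproject through the conventions plugin, it is also worth confirming that `cat oss-index-cyclonedx-bom.json` at the repository root shows every module's findings and not only the root project's; if the plugin writes one file per project, `find . -name oss-index-cyclonedx-bom.json -exec cat {} +` would cover them all. A short comment on the audit step, `# a failed outcome also covers OSS Index auth/rate-limit errors, not only findings`, would help whoever reads a red run, since `steps.audit.outcome == 'failure'` does not distinguish the two cases.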
@@ -15,7 +15,7 @@ dependencies {
 implementation("com.diffplug.spotless:com.diffplug.spotless.gradle.plugin:8.3.0")
 implementation("net.ltgt.errorprone:net.ltgt.errorprone.gradle.plugin:5.1.0")
 implementation("net.ltgt.nullaway:net.ltgt.nullaway.gradle.plugin:3.0.0")
- implementation("org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:12.2.0")
+ implementation("org.sonatype.gradle.plugins:scan-gradle-plugin:3.1.4")
 implementation("ru.vyarus.animalsniffer:ru.vyarus.animalsniffer.gradle.plugin:2.0.1")
 implementation("com.gradle.develocity:com.gradle.develocity.gradle.plugin:4.3.2")
 implementation("me.champeau.gradle.japicmp:me.champeau.gradle.japicmp.gradle.plugin:0.4.6")
diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
index 08211234e9..a55d65f88b 100644
--- a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
+++ b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -8,7 +8,7 @@ plugins {
 id("otel.errorprone-conventions")
 id("otel.spotless-conventions")
 id("otel.japicmp-conventions")
- id("org.owasp.dependencycheck")
+ id("org.sonatype.gradle.plugins.scan")
 }
 val otelJava = extensions.create("otelJava")
@@ -217,10 +217,8 @@ afterEvaluate {
 }
 }
-dependencyCheck {
- scanConfigurations = mutableListOf("runtimeClasspath")
- suppressionFile = "buildscripts/dependency-check-suppressions.xml"
- failBuildOnCVSS = 7.0f // fail on high or critical CVE
- nvd.apiKey = System.getenv("NVD_API_KEY")
- nvd.delay = 3500 // until next dependency check release (https://github.com/jeremylong/DependencyCheck/pull/6333)
+ossIndexAudit {
+ username = System.getenv("SONATYPE_OSS_INDEX_USER") ?: ""
+ password = System.getenv("SONATYPE_OSS_INDEX_PASSWORD") ?: ""
+ outputFormat = org.sonatype.gradle.plugins.scan.ossindex.OutputFormat.JSON_CYCLONE_DX_1_4
 }
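Review bot: The new `ossIndexAudit` block changes the audit policy that the removed `dependencyCheck` block made explicit — it no longer restricts scanning to `runtimeClasspath` and carries no `failBuildOnCVSS = 7.0f`-style threshold — and nothing in the commit records what the replacement's fail condition and scanned configurations are. Assuming the scan plugin fails the task on any reported vulnerability regardless of severity (confirm against the plugin's options), a comment next to `ossIndexAudit {` such as `// fails on any OSS Index finding across all resolvable configurations; exclusions must be configured here, not via a suppressions file` would keep the policy visible to the next maintainer. The `?: ""` fallbacks on `username`/`password` also mean a run with the variables unset proceeds as an anonymous OSS Index client (presumably rate-limited) instead of failing fast, so a one-line comment on the `username` line, e.g. `// empty credentials -> anonymous, rate-limited OSS Index access; CI supplies SONATYPE_OSS_INDEX_*`, would explain the silent degradation on local runs.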
diff --git a/buildscripts/dependency-check-suppressions.xml b/buildscripts/dependency-check-suppressions.xml
deleted file mode 100644
index a808ebe9f0..0000000000
--- a/buildscripts/dependency-check-suppressions.xml
+++ /dev/null
@@ -1,13 +0,0 @@
- - - - ^pkg:maven/com\.squareup\.wire/wire-runtime-jvm@.*$ - cpe:/a:wire:wire - - - - ^pkg:maven/io\.opentelemetry/opentelemetry-exporter-prometheus@.*$ - cpe:/a:prometheus:prometheus - -
diff --git a/custom-checks/build.gradle.kts b/custom-checks/build.gradle.kts
index dce9205305..46098cdf5b 100644
--- a/custom-checks/build.gradle.kts
+++ b/custom-checks/build.gradle.kts
@@ -81,7 +81,4 @@ configurations {
 }
 }
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
- skip = true
-}
+
From e5c16479bcc186ae2bdba67b432db1c66526bcdf Mon Sep 17 00:00:00 2001
From: Lauri Tulmin
Date: Tue, 17 Mar 2026 09:51:11 +0200
Subject: [PATCH 2/2] spotless
---
custom-checks/build.gradle.kts | 2 --
1 file changed, 2 deletions(-)
diff --git a/custom-checks/build.gradle.kts b/custom-checks/build.gradle.kts
index 46098cdf5b..600068d419 100644
--- a/custom-checks/build.gradle.kts
+++ b/custom-checks/build.gradle.kts
@@ -80,5 +80,3 @@ configurations {
 }
 }
 }
-
-