5 changes: 2 additions & 3 deletions .github/repository-settings.md
Expand Up @@ -22,9 +22,8 @@ private admin repo.

- `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
- `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
- `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password
- Generated at <https://nvd.nist.gov/developers/request-an-api-key>
- Key is associated with [@trask](https://github.com/trask)'s gmail address
Comment on lines -25 to -27
I'll remove this secret after the PR is merged

- `SONATYPE_OSS_INDEX_USER` - owned by [@trask](https://github.com/trask)
- `SONATYPE_OSS_INDEX_PASSWORD` - owned by [@trask](https://github.com/trask)
- `SONATYPE_KEY` - owned by [@trask](https://github.com/trask)
- `SONATYPE_USER` - owned by [@trask](https://github.com/trask)

24 changes: 12 additions & 12 deletions .github/workflows/owasp-dependency-check-daily.yml
@@ -1,6 +1,6 @@
# the benefit of this over renovate is that this also analyzes transitive dependencies
# while renovate (at least currently) only analyzes top-level dependencies
name: OWASP dependency check (daily)
name: OSS Index dependency audit (daily)
Do we want to change the name of this workflow file too then?


on:
schedule:
Expand All @@ -22,22 +22,22 @@ jobs:
distribution: temurin
java-version: 21

- name: Increase gradle daemon heap size
run: |
sed -i "s/org.gradle.jvmargs=/org.gradle.jvmargs=-Xmx3g /" gradle.properties

- uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2

- run: ./gradlew dependencyCheckAnalyze
- run: ./gradlew ossIndexAudit
id: audit
continue-on-error: true
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }}
SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }}
DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}

- name: Upload report
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
path: "**/build/reports"
- name: Print vulnerability report
if: steps.audit.outcome == 'failure'
run: |
echo "=== OSS Index Vulnerability Report ==="
cat oss-index-cyclonedx-bom.json
Weird, I didn't see this suggestion made for the instrumentation repo. Wonder why it's different here...

I think that copilot reviews aren't enabled in the instrumentation repo

exit 1

workflow-notification:
permissions:
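Review bot: The audit report is now only surfaced when the audit fails, and only if `oss-index-cyclonedx-bom.json` sits at the repository root: the `Print vulnerability report` step replaces the `if: always()` upload-artifact step, so a passing run keeps no BOM at all, and in this multi-project build the plugin presumably writes the file per project rather than at the root, in which case `cat` fails and the step exits before the report is shown (the trailing `exit 1` still fires, so the failure is not masked). Consider keeping an `actions/upload-artifact` step with `if: always()` and `path: "**/oss-index-cyclonedx-bom.json"` next to the print step, and locating the file with a search instead of a fixed path, e.g. `find . -name oss-index-cyclonedx-bom.json -exec cat {} +`. The enclosing job and its `steps:` list start outside the hunk.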
2 changes: 1 addition & 1 deletion buildSrc/build.gradle.kts
Expand Up @@ -15,7 +15,7 @@ dependencies {
implementation("com.diffplug.spotless:com.diffplug.spotless.gradle.plugin:8.3.0")
implementation("net.ltgt.errorprone:net.ltgt.errorprone.gradle.plugin:5.1.0")
implementation("net.ltgt.nullaway:net.ltgt.nullaway.gradle.plugin:3.0.0")
implementation("org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:12.2.0")
implementation("org.sonatype.gradle.plugins:scan-gradle-plugin:3.1.4")
implementation("ru.vyarus.animalsniffer:ru.vyarus.animalsniffer.gradle.plugin:2.0.1")
implementation("com.gradle.develocity:com.gradle.develocity.gradle.plugin:4.3.2")
implementation("me.champeau.gradle.japicmp:me.champeau.gradle.japicmp.gradle.plugin:0.4.6")
12 changes: 5 additions & 7 deletions buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
Expand Up @@ -8,7 +8,7 @@ plugins {
id("otel.errorprone-conventions")
id("otel.spotless-conventions")
id("otel.japicmp-conventions")
id("org.owasp.dependencycheck")
id("org.sonatype.gradle.plugins.scan")
}

val otelJava = extensions.create<OtelJavaExtension>("otelJava")
Expand Down Expand Up @@ -217,10 +217,8 @@ afterEvaluate {
}
}

dependencyCheck {
scanConfigurations = mutableListOf("runtimeClasspath")
suppressionFile = "buildscripts/dependency-check-suppressions.xml"
failBuildOnCVSS = 7.0f // fail on high or critical CVE
nvd.apiKey = System.getenv("NVD_API_KEY")
nvd.delay = 3500 // until next dependency check release (https://github.com/jeremylong/DependencyCheck/pull/6333)
ossIndexAudit {
username = System.getenv("SONATYPE_OSS_INDEX_USER") ?: ""
password = System.getenv("SONATYPE_OSS_INDEX_PASSWORD") ?: ""
outputFormat = org.sonatype.gradle.plugins.scan.ossindex.OutputFormat.JSON_CYCLONE_DX_1_4
}
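Review bot: The new `ossIndexAudit` block drops the policy the removed `dependencyCheck` block carried — the `failBuildOnCVSS = 7.0f` severity threshold, the `buildscripts/dependency-check-suppressions.xml` suppression list (deleted in this PR) and the `runtimeClasspath`-only scan scope — with no replacement and no comment, so the daily job presumably now fails on any reported finding in any configuration. Either configure the plugin's equivalent exclusion and threshold settings, or state the intended policy next to the block, e.g. `// Fail on any OSS Index finding: no severity threshold and no suppressions (the previous dependency-check config allowed CVSS < 7 and a suppression file)`. The `?: ""` fallbacks also deserve a one-line comment, since empty credentials silently turn a developer build's audit into an anonymous (presumably rate-limited) request instead of an error: `// Empty credentials fall back to anonymous OSS Index access; CI sets these from secrets`. The first hunk of this section changes only the applied plugin id.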
13 changes: 0 additions & 13 deletions buildscripts/dependency-check-suppressions.xml

This file was deleted.

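--- a/custom-checks/build.gradle.kts
+++ b/custom-checks/build.gradle.kts
@@ -80,8 +80,3 @@ configurations {
 }
 }
 }
-
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-skip = true
-}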