Replace NVD with Sonatype OSS Index (#8186)

trask · jack-berg · web-flow · commit 9a992c2e6bd7 · 2026-03-30T13:20:12.000-05:00
Co-authored-by: Jack Berg &lt;34418638+jack-berg@users.noreply.github.com&gt;
diff --git a/.github/repository-settings.md b/.github/repository-settings.md
@@ -10,9 +10,8 @@ private admin repo.
 
 - `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
 - `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
-- `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password
-  - Generated at https://nvd.nist.gov/developers/request-an-api-key
-  - Key is associated with [@trask](https://github.com/trask)'s gmail address
+- `SONATYPE_OSS_INDEX_USER` - owned by [@jack-berg](https://github.com/jack-berg)
+- `SONATYPE_OSS_INDEX_PASSWORD` - owned by [@jack-berg](https://github.com/jack-berg)
 - `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
 - `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
 
diff --git a/.github/workflows/oss-index-audit-daily.yml b/.github/workflows/oss-index-audit-daily.yml
@@ -1,6 +1,6 @@
 # the benefit of this over renovate is that this also analyzes transitive dependencies
 # while renovate (at least currently) only analyzes top-level dependencies
-name: OWASP dependency check (daily)
+name: OSS Index dependency audit (daily)
 
 on:
   schedule:
@@ -24,17 +24,20 @@ jobs:
       - name: Set up gradle
         uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
 
-      - name: Check dependencies
-        run: ./gradlew dependencyCheckAnalyze
+      - run: ./gradlew ossIndexAudit
+        id: audit
+        continue-on-error: true
         env:
-          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+          SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }}
+          SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }}
           DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
-      - name: Upload report
-        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          path: javaagent/build/reports
+      - name: Print vulnerability report
+        if: steps.audit.outcome == 'failure'
+        run: |
+          echo "=== OSS Index Vulnerability Report ==="
+          find . -name "oss-index-cyclonedx-bom.json" | xargs cat
+          exit 1
 
   workflow-notification:
     permissions:
diff --git a/all/build.gradle.kts b/all/build.gradle.kts
@@ -5,9 +5,9 @@ plugins {
 description = "OpenTelemetry All"
 otelJava.moduleName.set("io.opentelemetry.all")
 
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-  skip = true
+// Skip ossIndexAudit on test module
+tasks.named("ossIndexAudit") {
+  enabled = false
 }
 
 val testTasks = mutableListOf<Task>()
diff --git a/api/testing-internal/build.gradle.kts b/api/testing-internal/build.gradle.kts
@@ -15,7 +15,7 @@ dependencies {
   implementation("org.mockito:mockito-core")
 }
 
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-  skip = true
+// Skip ossIndexAudit on test module
+tasks.named("ossIndexAudit") {
+  enabled = false
 }
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
@@ -48,6 +48,6 @@ dependencies {
   implementation("net.ltgt.gradle:gradle-errorprone-plugin:5.1.0")
   implementation("net.ltgt.gradle:gradle-nullaway-plugin:3.0.0")
   implementation("org.jetbrains.kotlin:kotlin-gradle-plugin:2.2.21")
-  implementation("org.owasp:dependency-check-gradle:12.2.0")
+  implementation("org.sonatype.gradle.plugins:scan-gradle-plugin:3.1.5")
   implementation("ru.vyarus:gradle-animalsniffer-plugin:2.0.1")
 }
diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -12,7 +12,7 @@ plugins {
   id("otel.errorprone-conventions")
   id("otel.jacoco-conventions")
   id("otel.spotless-conventions")
-  id("org.owasp.dependencycheck")
+  id("org.sonatype.gradle.plugins.scan")
 }
 
 val otelJava = extensions.create<OtelJavaExtension>("otelJava")
@@ -48,26 +48,10 @@ checkstyle {
   configProperties["rootDir"] = rootDir
 }
 
-dependencyCheck {
-  skipConfigurations = mutableListOf(
-    "errorprone",
-    "checkstyle",
-    "annotationProcessor",
-    "java9AnnotationProcessor",
-    "moduleAnnotationProcessor",
-    "testAnnotationProcessor",
-    "testJpmsAnnotationProcessor",
-    "animalsniffer",
-    "spotless996155815", // spotless996155815 is a weird configuration that's only added in jaeger-proto, jaeger-remote-sampler
-    "js2p",
-    "jmhAnnotationProcessor",
-    "jmhBasedTestAnnotationProcessor",
-    "jmhCompileClasspath",
-    "jmhRuntimeClasspath",
-    "jmhRuntimeOnly")
-  failBuildOnCVSS = 7.0f // fail on high or critical CVE
-  analyzers.assemblyEnabled = false // not sure why its trying to analyze .NET assemblies
-  nvd.apiKey = System.getenv("NVD_API_KEY")
+ossIndexAudit {
+  username = System.getenv("SONATYPE_OSS_INDEX_USER") ?: ""
+  password = System.getenv("SONATYPE_OSS_INDEX_PASSWORD") ?: ""
+  outputFormat = org.sonatype.gradle.plugins.scan.ossindex.OutputFormat.JSON_CYCLONE_DX_1_4
 }
 
 val testJavaVersion = gradle.startParameter.projectProperties.get("testJavaVersion")?.let(JavaVersion::toVersion)
diff --git a/context/build.gradle.kts b/context/build.gradle.kts
@@ -17,16 +17,6 @@ dependencies {
   testImplementation("com.google.guava:guava")
 }
 
-dependencyCheck {
-  skipConfigurations.add("braveInOtelTestAnnotationProcessor")
-  skipConfigurations.add("grpcInOtelTestAnnotationProcessor")
-  skipConfigurations.add("otelAsBraveTestAnnotationProcessor")
-  skipConfigurations.add("otelInBraveTestAnnotationProcessor")
-  skipConfigurations.add("otelInGrpcTestAnnotationProcessor")
-  skipConfigurations.add("storageWrappersTestAnnotationProcessor")
-  skipConfigurations.add("strictContextEnabledTestAnnotationProcessor")
-}
-
 testing {
   suites {
     register<JvmTestSuite>("grpcInOtelTest") {
diff --git a/custom-checks/build.gradle.kts b/custom-checks/build.gradle.kts
@@ -81,7 +81,7 @@ configurations {
   }
 }
 
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-  skip = true
+// Skip ossIndexAudit on test module
+tasks.named("ossIndexAudit") {
+  enabled = false
 }
diff --git a/exporters/otlp/testing-internal/build.gradle.kts b/exporters/otlp/testing-internal/build.gradle.kts
@@ -38,7 +38,7 @@ dependencies {
   implementation("org.mock-server:mockserver-netty")
 }
 
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-  skip = true
+// Skip ossIndexAudit on test module
+tasks.named("ossIndexAudit") {
+  enabled = false
 }
diff --git a/integration-tests/otlp/build.gradle.kts b/integration-tests/otlp/build.gradle.kts
@@ -43,7 +43,7 @@ tasks {
   }
 }
 
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-  skip = true
+// Skip ossIndexAudit on test module
+tasks.named("ossIndexAudit") {
+  enabled = false
 }
diff --git a/integration-tests/tracecontext/build.gradle.kts b/integration-tests/tracecontext/build.gradle.kts
@@ -34,7 +34,7 @@ tasks {
   }
 }
 
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-  skip = true
+// Skip ossIndexAudit on test module
+tasks.named("ossIndexAudit") {
+  enabled = false
 }
diff --git a/sdk/metrics/build.gradle.kts b/sdk/metrics/build.gradle.kts
@@ -29,10 +29,6 @@ dependencies {
   jmh(project(":sdk:testing"))
 }
 
-dependencyCheck {
-  skipConfigurations.add("debugEnabledTestAnnotationProcessor")
-}
-
 testing {
   suites {
     register<JvmTestSuite>("testIncubating") {

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ dependencies {`
`15`	`15`	`implementation("org.mockito:mockito-core")`
`16`	`16`	`}`
`17`	`17`
`18`		`-// Skip OWASP dependencyCheck task on test module`
`19`		`-dependencyCheck {`
`20`		`- skip = true`
	`18`	`+// Skip ossIndexAudit on test module`
	`19`	`+tasks.named("ossIndexAudit") {`
	`20`	`+ enabled = false`
`21`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,6 @@ dependencies {`
`48`	`48`	`implementation("net.ltgt.gradle:gradle-errorprone-plugin:5.1.0")`
`49`	`49`	`implementation("net.ltgt.gradle:gradle-nullaway-plugin:3.0.0")`
`50`	`50`	`implementation("org.jetbrains.kotlin:kotlin-gradle-plugin:2.2.21")`
`51`		`- implementation("org.owasp:dependency-check-gradle:12.2.0")`
	`51`	`+ implementation("org.sonatype.gradle.plugins:scan-gradle-plugin:3.1.5")`
`52`	`52`	`implementation("ru.vyarus:gradle-animalsniffer-plugin:2.0.1")`
`53`	`53`	`}`
Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ configurations {`
`81`	`81`	`}`
`82`	`82`	`}`
`83`	`83`
`84`		`-// Skip OWASP dependencyCheck task on test module`
`85`		`-dependencyCheck {`
`86`		`- skip = true`
	`84`	`+// Skip ossIndexAudit on test module`
	`85`	`+tasks.named("ossIndexAudit") {`
	`86`	`+ enabled = false`
`87`	`87`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ dependencies {`
`38`	`38`	`implementation("org.mock-server:mockserver-netty")`
`39`	`39`	`}`
`40`	`40`
`41`		`-// Skip OWASP dependencyCheck task on test module`
`42`		`-dependencyCheck {`
`43`		`- skip = true`
	`41`	`+// Skip ossIndexAudit on test module`
	`42`	`+tasks.named("ossIndexAudit") {`
	`43`	`+ enabled = false`
`44`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ tasks {`
`43`	`43`	`}`
`44`	`44`	`}`
`45`	`45`
`46`		`-// Skip OWASP dependencyCheck task on test module`
`47`		`-dependencyCheck {`
`48`		`- skip = true`
	`46`	`+// Skip ossIndexAudit on test module`
	`47`	`+tasks.named("ossIndexAudit") {`
	`48`	`+ enabled = false`
`49`	`49`	`}`