updates

trask · trask · commit b26bab325030 · 2026-03-19T11:30:40.000-07:00
diff --git a/.github/workflows/oss-index-audit-daily.yml b/.github/workflows/oss-index-audit-daily.yml
@@ -0,0 +1,51 @@
+# the benefit of this over renovate is that this also analyzes transitive dependencies
+# while renovate (at least currently) only analyzes top-level dependencies
+name: OSS Index dependency audit (daily)
+
+on:
+  schedule:
+    - cron: "30 1 * * *" # daily at 1:30 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        with:
+          distribution: temurin
+          java-version: 21
+
+      - name: Set up gradle
+        uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+
+      - run: ./gradlew ossIndexAudit
+        id: audit
+        continue-on-error: true
+        env:
+          SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }}
+          SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }}
+          DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+
+      - name: Print vulnerability report
+        if: steps.audit.outcome == 'failure'
+        run: |
+          echo "=== OSS Index Vulnerability Report ==="
+          find . -name "oss-index-cyclonedx-bom.json" | xargs cat
+          exit 1
+
+  workflow-notification:
+    permissions:
+      contents: read
+      issues: write
+    needs:
+      - analyze
+    if: always()
+    uses: ./.github/workflows/reusable-workflow-notification.yml
+    with:
+      success: ${{ needs.analyze.result == 'success' }}
diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml
@@ -36,7 +36,7 @@ jobs:
         if: steps.audit.outcome == 'failure'
         run: |
           echo "=== OSS Index Vulnerability Report ==="
-          cat oss-index-cyclonedx-bom.json
+          find . -name "oss-index-cyclonedx-bom.json" | xargs cat
           exit 1
 
   workflow-notification:
diff --git a/all/build.gradle.kts b/all/build.gradle.kts
@@ -5,11 +5,6 @@ plugins {
 description = "OpenTelemetry All"
 otelJava.moduleName.set("io.opentelemetry.all")
 
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-  skip = true
-}
-
 val testTasks = mutableListOf<Task>()
 val jarTasks = mutableListOf<Jar>()
 
diff --git a/context/build.gradle.kts b/context/build.gradle.kts
@@ -17,16 +17,6 @@ dependencies {
   testImplementation("com.google.guava:guava")
 }
 
-dependencyCheck {
-  skipConfigurations.add("braveInOtelTestAnnotationProcessor")
-  skipConfigurations.add("grpcInOtelTestAnnotationProcessor")
-  skipConfigurations.add("otelAsBraveTestAnnotationProcessor")
-  skipConfigurations.add("otelInBraveTestAnnotationProcessor")
-  skipConfigurations.add("otelInGrpcTestAnnotationProcessor")
-  skipConfigurations.add("storageWrappersTestAnnotationProcessor")
-  skipConfigurations.add("strictContextEnabledTestAnnotationProcessor")
-}
-
 testing {
   suites {
     register<JvmTestSuite>("grpcInOtelTest") {
diff --git a/custom-checks/build.gradle.kts b/custom-checks/build.gradle.kts
@@ -80,8 +80,3 @@ configurations {
     }
   }
 }
-
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-  skip = true
-}
diff --git a/exporters/otlp/testing-internal/build.gradle.kts b/exporters/otlp/testing-internal/build.gradle.kts
@@ -37,8 +37,3 @@ dependencies {
   implementation("org.assertj:assertj-core")
   implementation("org.mock-server:mockserver-netty")
 }
-
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-  skip = true
-}
diff --git a/integration-tests/otlp/build.gradle.kts b/integration-tests/otlp/build.gradle.kts
@@ -42,8 +42,3 @@ tasks {
     dependsOn(testing.suites)
   }
 }
-
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-  skip = true
-}
diff --git a/integration-tests/tracecontext/build.gradle.kts b/integration-tests/tracecontext/build.gradle.kts
@@ -33,8 +33,3 @@ tasks {
     jvmArgs("-Dio.opentelemetry.testArchive=${shadowJar.get().archiveFile.get().asFile.absolutePath}")
   }
 }
-
-// Skip OWASP dependencyCheck task on test module
-dependencyCheck {
-  skip = true
-}
diff --git a/sdk/metrics/build.gradle.kts b/sdk/metrics/build.gradle.kts
@@ -29,10 +29,6 @@ dependencies {
   jmh(project(":sdk:testing"))
 }
 
-dependencyCheck {
-  skipConfigurations.add("debugEnabledTestAnnotationProcessor")
-}
-
 testing {
   suites {
     register<JvmTestSuite>("testIncubating") {

Original file line number	Diff line number	Diff line change
`@@ -80,8 +80,3 @@ configurations {`
`80`	`80`	`}`
`81`	`81`	`}`
`82`	`82`	`}`
`83`		`-`
`84`		`-// Skip OWASP dependencyCheck task on test module`
`85`		`-dependencyCheck {`
`86`		`- skip = true`
`87`		`-}`
Original file line number	Diff line number	Diff line change
`@@ -37,8 +37,3 @@ dependencies {`
`37`	`37`	`implementation("org.assertj:assertj-core")`
`38`	`38`	`implementation("org.mock-server:mockserver-netty")`
`39`	`39`	`}`
`40`		`-`
`41`		`-// Skip OWASP dependencyCheck task on test module`
`42`		`-dependencyCheck {`
`43`		`- skip = true`
`44`		`-}`
Original file line number	Diff line number	Diff line change
`@@ -42,8 +42,3 @@ tasks {`
`42`	`42`	`dependsOn(testing.suites)`
`43`	`43`	`}`
`44`	`44`	`}`
`45`		`-`
`46`		`-// Skip OWASP dependencyCheck task on test module`
`47`		`-dependencyCheck {`
`48`		`- skip = true`
`49`		`-}`
Original file line number	Diff line number	Diff line change
`@@ -33,8 +33,3 @@ tasks {`
`33`	`33`	`jvmArgs("-Dio.opentelemetry.testArchive=${shadowJar.get().archiveFile.get().asFile.absolutePath}")`
`34`	`34`	`}`
`35`	`35`	`}`
`36`		`-`
`37`		`-// Skip OWASP dependencyCheck task on test module`
`38`		`-dependencyCheck {`
`39`		`- skip = true`
`40`		`-}`