Skip to content

Replace NVD with Sonatype OSS Index #8186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jack-berg merged 6 commits into from
Mar 30, 2026
Merged

Replace NVD with Sonatype OSS Index #8186

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
e77c1d5
Replace NVD with Sonatype OSS Index
trask Mar 13, 2026
9a17580
Update .github/repository-settings.md
trask Mar 17, 2026
b26bab3
updates
trask Mar 19, 2026
2813aab
updates
trask Mar 19, 2026
c8d59d8
Apply suggestion from @trask
trask Mar 27, 2026
d2c2e48
Remove duplicate
trask Mar 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 2 additions & 3 deletions .github/repository-settings.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,8 @@ private admin repo.

- `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
- `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
- `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password
Copy link
Copy Markdown
Member

@jack-berg jack-berg Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO: reminder to myself to delete this secret once merged

- Generated at https://nvd.nist.gov/developers/request-an-api-key
- Key is associated with [@trask](https://github.com/trask)'s gmail address
- `SONATYPE_OSS_INDEX_USER` - owned by [@jack-berg](https://github.com/jack-berg)
- `SONATYPE_OSS_INDEX_PASSWORD` - owned by [@jack-berg](https://github.com/jack-berg)
- `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
- `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)

Expand Down
51 changes: 51 additions & 0 deletions .github/workflows/oss-index-audit-daily.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
# the benefit of this over renovate is that this also analyzes transitive dependencies
# while renovate (at least currently) only analyzes top-level dependencies
name: OSS Index dependency audit (daily)

on:
schedule:
- cron: "30 1 * * *" # daily at 1:30 UTC
workflow_dispatch:

permissions:
contents: read

jobs:
analyze:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: temurin
java-version: 21

- name: Set up gradle
uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2

- run: ./gradlew ossIndexAudit
id: audit
continue-on-error: true
env:
SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }}
SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }}
DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}

- name: Print vulnerability report
if: steps.audit.outcome == 'failure'
run: |
echo "=== OSS Index Vulnerability Report ==="
find . -name "oss-index-cyclonedx-bom.json" | xargs cat
exit 1

workflow-notification:
permissions:
contents: read
issues: write
needs:
- analyze
if: always()
uses: ./.github/workflows/reusable-workflow-notification.yml
with:
success: ${{ needs.analyze.result == 'success' }}
21 changes: 12 additions & 9 deletions .github/workflows/owasp-dependency-check-daily.yml
View file
Open in desktop
Comment thread
jack-berg marked this conversation as resolved.
Outdated
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# the benefit of this over renovate is that this also analyzes transitive dependencies
# while renovate (at least currently) only analyzes top-level dependencies
name: OWASP dependency check (daily)
name: OSS Index dependency audit (daily)

on:
schedule:
Expand All @@ -24,17 +24,20 @@ jobs:
- name: Set up gradle
uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2

- name: Check dependencies
run: ./gradlew dependencyCheckAnalyze
- run: ./gradlew ossIndexAudit --no-configuration-cache
id: audit
continue-on-error: true
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }}
SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }}
DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}

- name: Upload report
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
path: javaagent/build/reports
- name: Print vulnerability report
if: steps.audit.outcome == 'failure'
run: |
echo "=== OSS Index Vulnerability Report ==="
find . -name "oss-index-cyclonedx-bom.json" | xargs cat
exit 1

workflow-notification:
permissions:
Expand Down
6 changes: 3 additions & 3 deletions all/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,9 @@ plugins {
description = "OpenTelemetry All"
otelJava.moduleName.set("io.opentelemetry.all")

// Skip OWASP dependencyCheck task on test module
dependencyCheck {
skip = true
// Skip ossIndexAudit on test module
tasks.named("ossIndexAudit") {
enabled = false
}

val testTasks = mutableListOf<Task>()
Expand Down
6 changes: 3 additions & 3 deletions api/testing-internal/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ dependencies {
implementation("org.mockito:mockito-core")
}

// Skip OWASP dependencyCheck task on test module
dependencyCheck {
skip = true
// Skip ossIndexAudit on test module
tasks.named("ossIndexAudit") {
enabled = false
}
Copy link
Copy Markdown
Member

@jack-berg jack-berg Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there no analog for this? Or is it no longer applicable?

Copy link
Copy Markdown
Member

@jack-berg jack-berg Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this is what you referred to with the suppressions no longer being needed.

Copy link
Copy Markdown
Member Author

@trask trask Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we're using a different plugin altogether now

Copy link
Copy Markdown
Member

@jack-berg jack-berg Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I get that. But we skipped OWASP on testing-internal because it had dependencies that triggered OWASP. And now we're not doing that. That means the new plugin either doesn't consider the testing dependencies problematic or somehow automatically excludes testing modules like this or something equivalent.

Just curious if you already know the answer.

Copy link
Copy Markdown
Member Author

@trask trask Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, good point, I'll check this

2 changes: 1 addition & 1 deletion buildSrc/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,6 @@ dependencies {
implementation("net.ltgt.gradle:gradle-errorprone-plugin:5.1.0")
implementation("net.ltgt.gradle:gradle-nullaway-plugin:3.0.0")
implementation("org.jetbrains.kotlin:kotlin-gradle-plugin:2.2.21")
implementation("org.owasp:dependency-check-gradle:12.2.0")
implementation("org.sonatype.gradle.plugins:scan-gradle-plugin:3.1.5")
implementation("ru.vyarus:gradle-animalsniffer-plugin:2.0.1")
}
26 changes: 5 additions & 21 deletions buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ plugins {
id("otel.errorprone-conventions")
id("otel.jacoco-conventions")
id("otel.spotless-conventions")
id("org.owasp.dependencycheck")
id("org.sonatype.gradle.plugins.scan")
}

val otelJava = extensions.create<OtelJavaExtension>("otelJava")
Expand Down Expand Up @@ -48,26 +48,10 @@ checkstyle {
configProperties["rootDir"] = rootDir
}

dependencyCheck {
skipConfigurations = mutableListOf(
"errorprone",
"checkstyle",
"annotationProcessor",
"java9AnnotationProcessor",
"moduleAnnotationProcessor",
"testAnnotationProcessor",
"testJpmsAnnotationProcessor",
"animalsniffer",
"spotless996155815", // spotless996155815 is a weird configuration that's only added in jaeger-proto, jaeger-remote-sampler
"js2p",
"jmhAnnotationProcessor",
"jmhBasedTestAnnotationProcessor",
"jmhCompileClasspath",
"jmhRuntimeClasspath",
"jmhRuntimeOnly")
failBuildOnCVSS = 7.0f // fail on high or critical CVE
analyzers.assemblyEnabled = false // not sure why its trying to analyze .NET assemblies
nvd.apiKey = System.getenv("NVD_API_KEY")
ossIndexAudit {
username = System.getenv("SONATYPE_OSS_INDEX_USER") ?: ""
password = System.getenv("SONATYPE_OSS_INDEX_PASSWORD") ?: ""
outputFormat = org.sonatype.gradle.plugins.scan.ossindex.OutputFormat.JSON_CYCLONE_DX_1_4
}

val testJavaVersion = gradle.startParameter.projectProperties.get("testJavaVersion")?.let(JavaVersion::toVersion)
Expand Down
10 changes: 0 additions & 10 deletions context/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,16 +17,6 @@ dependencies {
testImplementation("com.google.guava:guava")
}

dependencyCheck {
skipConfigurations.add("braveInOtelTestAnnotationProcessor")
skipConfigurations.add("grpcInOtelTestAnnotationProcessor")
skipConfigurations.add("otelAsBraveTestAnnotationProcessor")
skipConfigurations.add("otelInBraveTestAnnotationProcessor")
skipConfigurations.add("otelInGrpcTestAnnotationProcessor")
skipConfigurations.add("storageWrappersTestAnnotationProcessor")
skipConfigurations.add("strictContextEnabledTestAnnotationProcessor")
}

testing {
suites {
register<JvmTestSuite>("grpcInOtelTest") {
Expand Down
6 changes: 3 additions & 3 deletions custom-checks/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ configurations {
}
}

// Skip OWASP dependencyCheck task on test module
dependencyCheck {
skip = true
// Skip ossIndexAudit on test module
tasks.named("ossIndexAudit") {
enabled = false
}
6 changes: 3 additions & 3 deletions exporters/otlp/testing-internal/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ dependencies {
implementation("org.mock-server:mockserver-netty")
}

// Skip OWASP dependencyCheck task on test module
dependencyCheck {
skip = true
// Skip ossIndexAudit on test module
tasks.named("ossIndexAudit") {
enabled = false
}
6 changes: 3 additions & 3 deletions integration-tests/otlp/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ tasks {
}
}

// Skip OWASP dependencyCheck task on test module
dependencyCheck {
skip = true
// Skip ossIndexAudit on test module
tasks.named("ossIndexAudit") {
enabled = false
}
6 changes: 3 additions & 3 deletions integration-tests/tracecontext/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ tasks {
}
}

// Skip OWASP dependencyCheck task on test module
dependencyCheck {
skip = true
// Skip ossIndexAudit on test module
tasks.named("ossIndexAudit") {
enabled = false
}
4 changes: 0 additions & 4 deletions sdk/metrics/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,10 +29,6 @@ dependencies {
jmh(project(":sdk:testing"))
}

dependencyCheck {
skipConfigurations.add("debugEnabledTestAnnotationProcessor")
}

testing {
suites {
register<JvmTestSuite>("testIncubating") {
Expand Down
Loading