Merge pull request #90 from halibobo1205/feat/add_dependency-check

halibobo1205 · web-flow · commit 669ac875d194 · 2025-03-24T14:52:16.000+08:00
feat(CI): add Dependency Check
diff --git a/.github/dependency-check-suppressions.xml b/.github/dependency-check-suppressions.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[
+   file name: java-tron-1.0.0.zip: quartz-2.3.2.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.quartz-scheduler/quartz@.*$</packageUrl>
+        <cve>CVE-2023-39017</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: plugins-1.0.0.zip: leveldbjni-all-1.18.2.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.github\.tronprotocol/leveldbjni-all@.*$</packageUrl>
+        <cve>CVE-2018-10906</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: java-tron-1.0.0.zip: ini4j-0.5.4.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.ini4j/ini4j@.*$</packageUrl>
+        <vulnerabilityName>CVE-2022-41404</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        This suppresses all CVE entries that have a score below CVSS 7.
+        ]]></notes>
+        <cvssBelow>7</cvssBelow>
+    </suppress>
+</suppressions>
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
@@ -0,0 +1,55 @@
+name: "Dependency Check"
+
+on:
+  push:
+    branches: [ 'develop', 'master', 'release_**' ]
+  pull_request:
+    branches: [ 'develop', "release_**" ]
+  schedule:
+    - cron: '0 6 * * *'
+
+jobs:
+  dependency-check:
+    name: Dependency Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Cache ODC data
+        uses: actions/cache@v3
+        with:
+          path: ~/.dependency-check/data
+          key: ${{ runner.os }}-odc-data-${{ hashFiles('**/build.gradle') }}
+          restore-keys: |
+            ${{ runner.os }}-odc-data-
+
+      - name: Set up JDK 8
+        uses: actions/setup-java@v3
+        with:
+          java-version: '8'
+          distribution: 'temurin'
+
+      - name: Gradlew build
+        run:  ./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off -Dorg.gradle.warning.mode=none build -x test
+
+      - name: Dependency Check
+        uses: dependency-check/Dependency-Check_Action@1.1.0
+        env:
+          # actions/setup-java@v1 changes JAVA_HOME, so it needs to be reset to match the depcheck image
+          JAVA_HOME: /opt/jdk
+        with:
+          project: 'java-tron'
+          path: '.'
+          format: 'HTML'
+          out: 'reports'
+          # failOnCVSS: 8
+          suppression: '.github/dependency-check-suppressions.xml'
+
+      - name: Upload report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report
+          path: ${{github.workspace}}/reports
