feat: add OWASP dependency-check CVE scanning workflow

coopernetes · claude · coopernetes · commit fcf05ed33991 · 2026-03-30T09:49:39.000-04:00
Adds CVE scanning via the org.owasp.dependencycheck Gradle plugin
(v12.2.0) and a GitHub Actions workflow.

- dependencyCheckAggregate task scans all subproject dependencies
- NVD API key passed via secret, scoped to the scan step only
- NVD database cached per run_id with restore-keys fallback to keep
  the cached DB incrementally up to date across runs
- Suppression file and failOnCVSS=5 configured in build.gradle
- CI/CVE status badges added to README

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/cve.yml b/.github/workflows/cve.yml
@@ -10,24 +10,28 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # ratchet:actions/setup-java@v5
+        with:
+          distribution: temurin
+          java-version: 21
+          cache: gradle
       - name: Build project with Gradle
         run: ./gradlew clean testClasses
-      - name: Depcheck
-        uses: dependency-check/Dependency-Check_Action@1e54355a8b4c8abaa8cc7d0b70aa655a3bb15a6c
-        id: Depcheck
+      - name: Cache CVE data
+        id: cache-cve
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # ratchet:actions/cache@v5
         with:
-          project: 'jgit-proxy'
-          path: '.'
-          format: 'HTML'
-          out: 'reports' # this is the default, no need to specify unless you wish to override it
-          args: >
-            --suppression gradle-suppressions.xml
-            --failOnCVSS 5
-            --enableRetired
+          path: ~/.gradle/dependency-check-data/
+          key: depcheck-db-${{ github.run_id }}
+          restore-keys: depcheck-db-
+      - name: Depcheck
+        run: ./gradlew dependencyCheckAggregate
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
 
       - name: Upload Test results
         if: ${{ always() }}
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # ratchet:actions/upload-artifact@v7
         with:
           name: Depcheck report
-          path: ${{ github.workspace }}/reports
+          path: ${{ github.workspace }}/build/reports/dependency-check*
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -90,6 +90,16 @@ Configured via `database.type` in YAML. Supported: `memory`, `h2-mem`, `h2-file`
 
 Always use fully qualified image names (e.g. `docker.io/eclipse-temurin:21-jre`). Podman on Fedora enforces short-name resolution and will error without a TTY if bare names are used.
 
+## GitHub Actions workflows
+
+All action steps must be pinned to a commit hash. After adding or updating any action reference in `.github/workflows/`, run:
+
+```bash
+ratchet pin .github/workflows/<file>.yml
+```
+
+This rewrites version tags (e.g. `@v5`) to their resolved commit SHA and adds a `# ratchet:` comment preserving the original tag for readability.
+
 ## Branch / PR target
 
 Default branch for PRs: **`jetty`**
diff --git a/README.md b/README.md
@@ -1,3 +1,6 @@
+[![CI](https://github.com/coopernetes/jgit-proxy/actions/workflows/ci.yml/badge.svg)](https://github.com/coopernetes/jgit-proxy/actions/workflows/ci.yml)
+[![CVE Scanning](https://github.com/coopernetes/jgit-proxy/actions/workflows/cve.yml/badge.svg)](https://github.com/coopernetes/jgit-proxy/actions/workflows/cve.yml)
+
 # git-proxy in Java
 This is a simple implementation of a git proxy in Java. This is a possible successor to [finos/git-proxy](https://github.com/finos/git-proxy) which is written in Node.
 
diff --git a/build.gradle b/build.gradle
@@ -1,5 +1,6 @@
 plugins {
     id 'com.diffplug.spotless' version '8.4.0' apply false
+    id 'org.owasp.dependencycheck' version '12.2.0'
 }
 
 ext {
@@ -16,8 +17,15 @@ allprojects {
             url 'https://repo.eclipse.org/content/groups/releases/'
         }
     }
+    dependencyCheck {
+        nvd.apiKey = System.getenv("NVD_API_KEY")
+        failBuildOnCVSS = 5
+        suppressionFile = rootProject.file('gradle-suppressions.xml').toString()
+
+    }
 }
 
+
 subprojects {
     apply plugin: 'com.diffplug.spotless'
 
@@ -42,4 +50,4 @@ subprojects {
             finalizedBy jacocoTestReport
         }
     }
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`plugins {`
`2`	`2`	`id 'com.diffplug.spotless' version '8.4.0' apply false`
	`3`	`+ id 'org.owasp.dependencycheck' version '12.2.0'`
`3`	`4`	`}`
`4`	`5`
`5`	`6`	`ext {`
`@@ -16,8 +17,15 @@ allprojects {`
`16`	`17`	`url 'https://repo.eclipse.org/content/groups/releases/'`
`17`	`18`	`}`
`18`	`19`	`}`
	`20`	`+ dependencyCheck {`
	`21`	`+ nvd.apiKey = System.getenv("NVD_API_KEY")`
	`22`	`+ failBuildOnCVSS = 5`
	`23`	`+ suppressionFile = rootProject.file('gradle-suppressions.xml').toString()`
	`24`	`+`
	`25`	`+ }`
`19`	`26`	`}`
`20`	`27`
	`28`	`+`
`21`	`29`	`subprojects {`
`22`	`30`	`apply plugin: 'com.diffplug.spotless'`
`23`	`31`
`@@ -42,4 +50,4 @@ subprojects {`
`42`	`50`	`finalizedBy jacocoTestReport`
`43`	`51`	`}`
`44`	`52`	`}`
`45`		`-}`
	`53`	`+}`