Merge pull request #49 from inspectIT/feature-dependency-check

Add dependencyCheckAnalyze step

.github/workflows/eumserver_release.yml

@@ -19,6 +19,8 @@ jobs:
         uses: actions/checkout@v3
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew
+      - name: Scan dependencies
+        run: ./gradlew dependencyCheckAnalyze
       - name: Build project
         run: ./gradlew assemble bootJar -PbuildVersion=${{ github.ref_name }}
       - name: Create BOM

.gitignore

@@ -1,5 +1,6 @@
 .gradle
 *build/
+out/
 !gradle/wrapper/gradle-wrapper.jar
 *.log
 *.zip

README.md

@@ -330,3 +330,6 @@ to ```inspectit-ocelot-eum-server.jar``` and copied to the ./docker directory
 ##### How to Release
 To create a new release, you have to create a new git tag and push it on to GitHub. 
 This Tag is the new version number of the release. Afterwards the release build will be automatically triggered.
+
+Important tasks to check first are `dependencyUpdates` and `dependencyUpdates[Major|Minor]` for newer (patch, minor, major)
+versions and `dependencyCheckAnalyze` for security issues in the used dependencies. 

build.gradle

@@ -1,9 +1,12 @@
+import com.github.benmanes.gradle.versions.updates.DependencyUpdatesTask
+
 plugins {
     id "org.springframework.boot" version "${springBootVersion}"
     id "com.palantir.docker" version "${palantirDockerVersion}"
     id "org.cyclonedx.bom" version "${cyclonedxBomVersion}"
     id "io.spring.dependency-management" version "${springDependencyManangementVersion}"
     id "org.owasp.dependencycheck" version "${owaspDependencyCheckVersion}"
+    id "com.github.ben-manes.versions" version "${versionsPlugin}"
 }
 
 repositories {
@@ -14,8 +17,11 @@ apply plugin: "java"
 apply plugin: "jacoco"
 
 group = "rocks.inspectit.ocelot"
-sourceCompatibility = "17"
-targetCompatibility = "17"
+
+java {
+    sourceCompatibility = "17"
+    targetCompatibility = "17"
+}
 
 if (!project.hasProperty("buildVersion") || project.getProperty("buildVersion").empty) {
     ext.buildVersion = "SNAPSHOT"
@@ -71,9 +77,12 @@ bootJar {
     dependsOn downloadAndExtractBoomerang
     dependsOn downloadOpenTelemetryPlugin
 
-    archivesBaseName = "inspectit-ocelot-eum-server"
     archiveVersion = "${buildVersion}"
 
+    base {
+        archivesName = "inspectit-ocelot-eum-server"
+    }
+
     manifest {
         attributes "Start-Class": "rocks.inspectit.oce.eum.server.EUMServerApplication"
     }
@@ -82,14 +91,14 @@ bootJar {
     from generateVersionFile.versionFile
 
     // include boomerang
-    from("$buildDir/boomerangjs-${boomerangVersion}/package") {
+    from(layout.buildDirectory.dir("boomerangjs-${boomerangVersion}/package")) {
         include "plugins/*.js"
         include "boomerang.js"
         into "static/boomerang"
     }
 
     //include boomerang opentelemetry
-    from("$buildDir") {
+    from(layout.buildDirectory) {
         include "boomerang-opentelemetry.js"
         into "static/boomerang"
     }
@@ -128,6 +137,8 @@ dependencies {
             "io.opencensus:opencensus-impl:${openCensusVersion}",
             "io.opencensus:opencensus-exporter-stats-prometheus:${openCensusVersion}",
 
+            //"io.grpc:grpc-context:1.58.0",
+
             platform("io.opentelemetry:opentelemetry-bom-alpha:${openTelemetryAlphaVersion}"),
             "io.opentelemetry:opentelemetry-semconv",
             platform("io.opentelemetry:opentelemetry-bom:${openTelemetryVersion}"),
@@ -187,8 +198,8 @@ dependencies {
 
 tasks.register('copyServerJar', Copy) {
     dependsOn bootJar
-    from("${buildDir}/libs/inspectit-ocelot-eum-server-${version}.jar")
-    into("${buildDir}/docker-jar")
+    from(layout.buildDirectory.file("libs/inspectit-ocelot-eum-server-${version}.jar"))
+    into(layout.buildDirectory.dir("docker-jar"))
     rename("inspectit-ocelot-eum-server-${version}\\.jar",
             "inspectit-ocelot-eum-server.jar")
 }
@@ -200,3 +211,64 @@ docker {
     dockerfile file("docker/Dockerfile")
     files "docker/entrypoint.sh", copyServerJar.outputs
 }
+
+dependencyCheck {
+    failBuildOnCVSS = 6
+    suppressionFile = "dependencyCheckSuppression.xml"
+    analyzers {
+        assemblyEnabled = false
+        ossIndex {
+            enabled = true
+        }
+    }
+}
+
+def isNonStable = { String candidate ->
+    def stableKeyword = ['RELEASE', 'FINAL', 'GA', 'JRE'].any { it -> candidate.toUpperCase().contains(it) }
+    def versionRegex = /^[0-9,.v-]+(-r)?$/
+    return !stableKeyword && !(candidate ==~ versionRegex)
+}
+
+def isNotSameMajorMinor = { String current, String candidate, boolean matchMinor ->
+    if(current.equals(candidate)) return false
+
+    def firstDot = current.indexOf('.')
+    def secondDot = current.indexOf('.', firstDot + 1)
+    def major = current.substring(0, firstDot)
+    def minor = current.substring(firstDot + 1, secondDot)
+    def majorRegex = /^$major\..*/
+    def minorRegex = /^$major\.${minor}\..*/
+    return !((candidate ==~ majorRegex) && (!matchMinor || (candidate ==~ minorRegex)))
+}
+
+tasks.named("dependencyUpdates").configure {
+    rejectVersionIf {
+        // only patch updates
+        isNonStable(it.candidate.version) || isNotSameMajorMinor(it.currentVersion, it.candidate.version, true)
+    }
+}
+
+tasks.register('dependencyUpdatesMinor', DependencyUpdatesTask) {
+    rejectVersionIf {
+        // only minor updates
+        isNonStable(it.candidate.version) || isNotSameMajorMinor(it.currentVersion, it.candidate.version, false)
+    }
+}
+
+tasks.register('dependencyUpdatesMajor', DependencyUpdatesTask) {
+    rejectVersionIf {
+        // all updates including major updates
+        isNonStable(it.candidate.version)
+    }
+}
+
+tasks.withType(DependencyUpdatesTask).configureEach {
+    // default settings
+    revision = 'milestone'
+    gradleReleaseChannel = "current"
+    checkConstraints = true
+    checkBuildEnvironmentConstraints = true
+    outputFormatter = 'json,plain'
+    outputDir = 'build/reports'
+    reportfileName = 'dependencyUpdates'
+}

dependencyCheckSuppression.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[
+          False positive in opencensus-exporter-stats-prometheus-0.31.1.jar due to the prometheus name.
+          ]]></notes>
+        <sha1>e5bc2949679b6214e8d9a1e5b707f2b42bb3fa13</sha1>
+        <cve>CVE-2019-3826</cve>
+    </suppress>
+</suppressions>

gradle.properties

@@ -3,7 +3,7 @@ boomerangVersion=1.737.0
 # The open-telemetry-boomerang version to ship with the EUM server
 boomerangOpenTelemetryPluginVersion=0.25.0-8
 # Upgrade to Spring 3.* and Java 17
-springBootVersion=3.1.3
+springBootVersion=3.1.4
 # CVE-2022-1471 was resolved with SnakeYAML 2.0
 snakeYamlVersion=2.0
 # Ensure to adapt the netty version (inspectit-ocelot-core/build.gradle) when changing the OpenCensus version
@@ -14,7 +14,7 @@ prometheusClientVersion = 0.6.0
 openTelemetryVersion=1.27.0
 openTelemetryAlphaVersion=1.27.0-alpha
 openTelemetryProtoVersion=1.7.1-alpha
-protobufVersion=3.22.3
+protobufVersion=3.22.5
 guavaVersion=32.1.2-jre
 geoip2Version=4.0.1
 commonsNetVersion=3.9.0
@@ -27,15 +27,16 @@ okioJvmVersion=3.5.0
 
 opencensusInfluxdbExporterVersion=1.2
 armeriaVersion=1.23.1
-testContainersVersion=1.18.0
+testContainersVersion=1.18.3
 
 ### gradle plugin versions
 ### Check for newer version at https://plugins.gradle.org/
 # io.spring.dependency-management
-springDependencyManangementVersion=1.1.0
+springDependencyManangementVersion=1.1.3
 # org.owasp.dependencycheck
-owaspDependencyCheckVersion=8.2.1
+owaspDependencyCheckVersion=8.4.0
 # org.cyclonedx.bom
 cyclonedxBomVersion=1.7.4
 # com.palantir.docker
 palantirDockerVersion=0.35.0
+versionsPlugin=0.48.0

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
+networkTimeout=10000
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists