Add the ability to perform a dependency check scan. (#37)

* Add the ability to perform a dependency check scan. * Update build.gradle.kts Co-authored-by: Marc-Antoine Fortier <[email protected]> * Sort dependencies by alphabetical order. * Set the output format to SARIF. * Update Dependency-Check to a more recent version. * Change the output format to HTML in the setup script. * Mention the new dep-check in the README file. * Install bundle-audit in the dep-check workflow. --------- Co-authored-by: Marc-Antoine Fortier <[email protected]>
mirego · Oct 27, 2023 · 52f62f9 · 52f62f9
1 parent 00eefb5
commit 52f62f9
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 1 deletion.
diff --git a/.github/workflows/dependency-check.yaml b/.github/workflows/dependency-check.yaml
@@ -0,0 +1,41 @@
+name: Dependency Check
+
+on:
+  schedule:
+    - cron: "34 14 * * 2"
+  workflow_dispatch:
+
+jobs:
+  dep-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/cache@v3
+        with:
+          path: ~/.gradle
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .tool-versions
+          bundler-cache: true
+      - run: |
+          bundle install
+          gem install bundler-audit
+          bundle-audit update
+
+      - uses: actions/setup-java@v3
+        with:
+          distribution: "temurin"
+          java-version: "17"
+
+      - run: chmod +x gradlew
+
+      - run: ./gradlew dependencyCheckAggregate
+
+      - uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: reports/dependency-check-report.sarif
diff --git a/README.md b/README.md
@@ -86,6 +86,10 @@ started:
 | Declarative UI framework | [`trikot-viewmodels-declarative-flow`](https://github.com/mirego/trikot/tree/master/trikot-viewmodels-declarative-flow) |
 | Date & time              | [`kotlinx-datetime`](https://github.com/Kotlin/kotlinx-datetime)                                                        |
 
+## OWASP Dependency-Check
+
+[OWASP Dependency-Check](http://jeremylong.github.io/DependencyCheck/index.html) is installed as a Gradle plugin to scan your project to identify the use of known vulnerable components. It mainly checks for vulnerabilities in Gradle dependencies, but if [bundle-audit](https://github.com/rubysec/bundler-audit) is present on the system, it will also scan the Ruby Gems dependencies. It also has the capabiligh to scan for Cocoapods/Swift Package Manager dependencies if executed on a macOS system.
+
 ## License
 
 Kmp Boilerplate is © 2023 [Mirego](https://www.mirego.com) and may be freely distributed under

diff --git a/boilerplate-setup.sh b/boilerplate-setup.sh
@@ -137,6 +137,10 @@ header "Removing boilerplate license → https://choosealicense.com"
 run rm -fr LICENSE.md
 success "Done!\n"
 
+header "Changing the Dependency-Check report format to HTML"
+run sed -i '' 's/SARIF/HTML/' build.gradle.kts
+success "Done!\n"
+
 header "Removing boilerplate setup script..."
 run rm -fr boilerplate-setup.sh
 success "Done!\n"
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -7,8 +7,21 @@ plugins {
     alias(libs.plugins.kotlin.native.cocoapods) apply false
     alias(libs.plugins.serialization) apply false
     alias(libs.plugins.ktlint) apply false
+
+    alias(libs.plugins.owasp.dependencycheck)
 }
 
 tasks.register("clean", Delete::class) {
     delete(rootProject.buildDir)
 }
+
+dependencyCheck {
+    format = "SARIF"
+    outputDirectory = "reports"
+
+    analyzers.apply {
+        assemblyEnabled = false
+        experimentalEnabled = true
+        knownExploitedEnabled = true
+    }
+}
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -26,8 +26,9 @@ android-library = { id = "com.android.library", version.ref = "androidGradlePlug
 kotlin-android = { id = "org.jetbrains.kotlin.android", version.ref = "kotlin" }
 kotlin-multiplatform = { id = "org.jetbrains.kotlin.multiplatform", version.ref = "kotlin" }
 kotlin-native-cocoapods = { id = "org.jetbrains.kotlin.native.cocoapods", version.ref = "kotlin" }
-serialization = { id = "org.jetbrains.kotlin.plugin.serialization", version.ref = "kotlin" }
 ktlint = { id = "org.jlleitschuh.gradle.ktlint", version.ref = "ktlint" }
+owasp-dependencycheck = { id = "org.owasp.dependencycheck", version = "8.4.2" }
+serialization = { id = "org.jetbrains.kotlin.plugin.serialization", version.ref = "kotlin" }
 
 [bundles]