From 52f62f99733fd501ea6b4f5d69955f73555f92c1 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Couture Date: Fri, 27 Oct 2023 09:39:56 -0400 Subject: [PATCH] Add the ability to perform a dependency check scan. (#37) * Add the ability to perform a dependency check scan. * Update build.gradle.kts Co-authored-by: Marc-Antoine Fortier * Sort dependencies by alphabetical order. * Set the output format to SARIF. * Update Dependency-Check to a more recent version. * Change the output format to HTML in the setup script. * Mention the new dep-check in the README file. * Install bundle-audit in the dep-check workflow. --------- Co-authored-by: Marc-Antoine Fortier --- .github/workflows/dependency-check.yaml | 41 +++++++++++++++++++++++++ README.md | 4 +++ boilerplate-setup.sh | 4 +++ build.gradle.kts | 13 ++++++++ gradle/libs.versions.toml | 3 +- 5 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/dependency-check.yaml
diff --git a/.github/workflows/dependency-check.yaml b/.github/workflows/dependency-check.yaml
new file mode 100644
index 0000000..d613127
--- /dev/null
+++ b/.github/workflows/dependency-check.yaml
@@ -0,0 +1,41 @@
+name: Dependency Check
+
+on:
+ schedule:
+ - cron: "34 14 * * 2"
+ workflow_dispatch:
+
+jobs:
+ dep-check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - uses: actions/cache@v3
+ with:
+ path: ~/.gradle
+ key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*') }}
+ restore-keys: |
+ ${{ runner.os }}-gradle-
+
+ - uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: .tool-versions
+ bundler-cache: true
+ - run: |
+ bundle install
+ gem install bundler-audit
+ bundle-audit update
+
+ - uses: actions/setup-java@v3
+ with:
+ distribution: "temurin"
+ java-version: "17"
+
+ - run: chmod +x gradlew
+
+ - run: ./gradlew dependencyCheckAggregate
+
+ - uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: reports/dependency-check-report.sarif
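Review bot: The `dep-check` job declares no `permissions:` block, so its GITHUB_TOKEN gets whatever the repository default is; `github/codeql-action/upload-sarif` needs `security-events: write`, and a job whose only purpose is publishing scan results should ask for exactly that and nothing more, e.g. at job level `permissions:` / `  contents: read` / `  security-events: write`. Every action is referenced by a moving tag (`actions/checkout@v3`, `actions/cache@v3`, `ruby/setup-ruby@v1`, `actions/setup-java@v3`, `upload-sarif@v2`) and `gem install bundler-audit` takes whatever version is current, so the scanner's own inputs are unpinned — pin the actions to commit SHAs and give `gem install` an explicit `-v`. `bundle install` in the run step appears redundant with `bundler-cache: true`, which already installs the bundle. Since the schedule is weekly, a vulnerability published after a Tuesday run will not surface until the next one unless someone triggers `workflow_dispatch`; worth stating in a comment next to the cron line.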
diff --git a/README.md b/README.md
index be9aa20..e2a9faf 100644
--- a/README.md
+++ b/README.md
@@ -86,6 +86,10 @@ started:
 | Declarative UI framework | [`trikot-viewmodels-declarative-flow`](https://github.com/mirego/trikot/tree/master/trikot-viewmodels-declarative-flow) |
 | Date & time | [`kotlinx-datetime`](https://github.com/Kotlin/kotlinx-datetime) |
+## OWASP Dependency-Check
+
+[OWASP Dependency-Check](http://jeremylong.github.io/DependencyCheck/index.html) is installed as a Gradle plugin to scan your project to identify the use of known vulnerable components. It mainly checks for vulnerabilities in Gradle dependencies, but if [bundle-audit](https://github.com/rubysec/bundler-audit) is present on the system, it will also scan the Ruby Gems dependencies. It also has the capabiligh to scan for Cocoapods/Swift Package Manager dependencies if executed on a macOS system.
+
 ## License
 Kmp Boilerplate is © 2023 [Mirego](https://www.mirego.com) and may be freely distributed under
diff --git a/boilerplate-setup.sh b/boilerplate-setup.sh
index 64b6c3a..b5c9be2 100755
--- a/boilerplate-setup.sh
+++ b/boilerplate-setup.sh
@@ -137,6 +137,10 @@ header "Removing boilerplate license → https://choosealicense.com"
 run rm -fr LICENSE.md
 success "Done!\n"
+header "Changing the Dependency-Check report format to HTML"
+run sed -i '' 's/SARIF/HTML/' build.gradle.kts
+success "Done!\n"
+
 header "Removing boilerplate setup script..."
 run rm -fr boilerplate-setup.sh
 success "Done!\n"
diff --git a/build.gradle.kts b/build.gradle.kts
index 7701c50..9018ab6 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
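Review bot: Rewriting `SARIF` to `HTML` in build.gradle.kts leaves the new workflow's `upload-sarif` step pointing at `reports/dependency-check-report.sarif`, which an HTML-only run never produces, so the scheduled job in a generated project will fail at the upload step unless another part of the setup script (not in this hunk) removes or edits `.github/workflows/dependency-check.yaml`. The substitution is also looser than it needs to be: `s/SARIF/HTML/` rewrites the first `SARIF` on any line of the file, and `sed -i ''` is the BSD/macOS form — GNU sed takes the empty string as the script and then fails on the real script as a missing file. `sed -i.bak 's/format = "SARIF"/format = "HTML"/' build.gradle.kts && rm build.gradle.kts.bak` targets the one assignment and runs on both; if the script is only ever meant for macOS (as the Cocoapods tooling suggests), a comment saying so would do instead.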
@@ -7,8 +7,21 @@ plugins {
 alias(libs.plugins.kotlin.native.cocoapods) apply false
 alias(libs.plugins.serialization) apply false
 alias(libs.plugins.ktlint) apply false
+
+ alias(libs.plugins.owasp.dependencycheck)
 }
 tasks.register("clean", Delete::class) {
 delete(rootProject.buildDir)
 }
+
+dependencyCheck {
+ format = "SARIF"
+ outputDirectory = "reports"
+
+ analyzers.apply {
+ assemblyEnabled = false
+ experimentalEnabled = true
+ knownExploitedEnabled = true
+ }
+}
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 20dfc7f..dcc546c 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -26,8 +26,9 @@ android-library = { id = "com.android.library", version.ref = "androidGradlePlug
 kotlin-android = { id = "org.jetbrains.kotlin.android", version.ref = "kotlin" }
 kotlin-multiplatform = { id = "org.jetbrains.kotlin.multiplatform", version.ref = "kotlin" }
 kotlin-native-cocoapods = { id = "org.jetbrains.kotlin.native.cocoapods", version.ref = "kotlin" }
-serialization = { id = "org.jetbrains.kotlin.plugin.serialization", version.ref = "kotlin" }
 ktlint = { id = "org.jlleitschuh.gradle.ktlint", version.ref = "ktlint" }
+owasp-dependencycheck = { id = "org.owasp.dependencycheck", version = "8.4.2" }
+serialization = { id = "org.jetbrains.kotlin.plugin.serialization", version.ref = "kotlin" }
 [bundles]
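Review bot: The `dependencyCheck {}` block configures output only, so `dependencyCheckAggregate` succeeds regardless of what it finds; the only place a result becomes visible is the SARIF upload in the workflow, and the setup script switches that format to HTML for generated projects, at which point nothing gates at all. Set a threshold next to `format`, e.g. `failBuildOnCVSS = 7.0f`, and point `suppressionFile` at a checked-in XML so accepted findings are recorded rather than the threshold being lowered. `experimentalEnabled = true` opts into analyzers the project itself labels unstable (presumably because the Ruby bundle-audit, CocoaPods and Swift PM analyzers the README relies on are experimental in this release — confirm against the plugin docs), which raises the false-positive rate, so a one-line comment giving that reason would keep the next maintainer from switching it off. `assemblyEnabled = false` deserves the same treatment, e.g. `// no .NET assemblies here; avoids the dotnet runtime the assembly analyzer needs` if that is indeed the motivation.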