From 43b35cac2d7cba3b4f3c0110fe4eacb4044c06b1 Mon Sep 17 00:00:00 2001 From: Minh Tran <115609913+minhtranq-nashtechglobal@users.noreply.github.com> Date: Wed, 7 Aug 2024 11:00:19 +0700 Subject: [PATCH] #818 Add OWASP dependency check to ci (#830) * add OWASP dependency check to CI/CD --- .github/workflows/backoffice-bff-ci.yaml | 13 +++++++++++++ .github/workflows/backoffice-ci.yaml | 2 +- .github/workflows/cart-ci.yaml | 13 +++++++++++++ .github/workflows/customer-ci.yaml | 13 +++++++++++++ .github/workflows/inventory-ci.yaml | 13 +++++++++++++ .github/workflows/location-ci.yaml | 13 +++++++++++++ .github/workflows/media-ci.yaml | 13 +++++++++++++ .github/workflows/order-ci.yaml | 13 +++++++++++++ .github/workflows/payment-ci.yaml | 13 +++++++++++++ .github/workflows/payment-paypal-ci.yaml | 13 +++++++++++++ .github/workflows/product-ci.yaml | 13 +++++++++++++ .github/workflows/promotion-ci.yaml | 13 +++++++++++++ .github/workflows/rating-ci.yaml | 13 +++++++++++++ .github/workflows/search-ci.yaml | 13 +++++++++++++ .github/workflows/storefront-bff-ci.yaml | 13 +++++++++++++ .github/workflows/storefront-ci.yaml | 2 +- .github/workflows/tax-ci.yaml | 13 +++++++++++++ .github/workflows/webhook-ci.yaml | 13 +++++++++++++ pom.xml | 11 +++++++++++ 19 files changed, 221 insertions(+), 2 deletions(-) diff --git a/.github/workflows/backoffice-bff-ci.yaml b/.github/workflows/backoffice-bff-ci.yaml index 71bd1a3bd7..cc59cffb59 100644 --- a/.github/workflows/backoffice-bff-ci.yaml +++ b/.github/workflows/backoffice-bff-ci.yaml
@@ -34,6 +34,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f backoffice-bff + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/backoffice-ci.yaml b/.github/workflows/backoffice-ci.yaml index 18a849202e..ca9777f878 100644 --- a/.github/workflows/backoffice-ci.yaml +++ b/.github/workflows/backoffice-ci.yaml @@ -42,7 +42,7 @@ jobs: projectBaseDir: backoffice env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/cart-ci.yaml b/.github/workflows/cart-ci.yaml index 2720eff7b7..13381a7967 100644 --- a/.github/workflows/cart-ci.yaml +++ b/.github/workflows/cart-ci.yaml @@ -38,6 +38,19 @@ jobs: name: Cart-Service-Unit-Test-Results path: "cart/**/surefire-reports/*.xml" reporter: java-junit + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Analyze with sonar cloud if: ${{ env.FROM_ORIGINAL_REPOSITORY == 'true' }} env: 
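Review bot: Both new steps in the backoffice-bff hunk reference mutable branches — `uses: dependency-check/Dependency-Check_Action@main` and `uses: actions/upload-artifact@master` — so anyone who can push to those branches changes what executes in this job, and `master` on upload-artifact is a stale line compared with the supported releases. Pin the third-party action to a full commit SHA with a version comment (`uses: dependency-check/Dependency-Check_Action@<sha>  # vX.Y.Z`) and the first-party one to a release (`uses: actions/upload-artifact@v4`), consistent with `docker/login-action@v3` a few lines below. The same two lines are repeated in every workflow in this patch, so they should be fixed together.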
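Review bot: The scan in the cart hunk never fails the build: no `args` are passed to the action, so a critical CVE only lands in an HTML artifact nobody is required to open and the job stays green. Add a threshold through the action's `args` input, e.g. `args: >-` / `--failOnCVSS 7` / `--enableRetired`, and decide explicitly whether the step blocks merges or runs with `continue-on-error: true` while the existing baseline is cleaned up. In this file the step is also inserted before the Sonar step, whereas the other services place it after; one consistent position makes the seventeen copies easier to diff.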
diff --git a/.github/workflows/customer-ci.yaml b/.github/workflows/customer-ci.yaml index cd34612952..3dcba3a808 100644 --- a/.github/workflows/customer-ci.yaml +++ b/.github/workflows/customer-ci.yaml @@ -43,6 +43,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f customer + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/inventory-ci.yaml b/.github/workflows/inventory-ci.yaml index de7002f4b5..61eb38ad65 100644 --- a/.github/workflows/inventory-ci.yaml +++ b/.github/workflows/inventory-ci.yaml @@ -40,6 +40,19 @@ jobs: name: Inventory-Service-Unit-Test-Results path: "inventory/**/surefire-reports/*.xml" reporter: java-junit + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Analyze with sonar cloud if: ${{ env.FROM_ORIGINAL_REPOSITORY == 'true' }} env: diff --git a/.github/workflows/location-ci.yaml b/.github/workflows/location-ci.yaml index 5ed5867389..116d246df6 100644 --- a/.github/workflows/location-ci.yaml +++ b/.github/workflows/location-ci.yaml 
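Review bot: `path: '.'` in the customer hunk scans the entire monorepo from the customer workflow, and every other service workflow in this patch does the same, so one push can trigger a dozen identical full-repo scans whose reports are indistinguishable from each other. Scope it to the module this workflow builds, `path: 'customer'`, and name the artifact accordingly, or move the scan into a single repo-wide workflow and drop it from the per-service files.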
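Review bot: No NVD API key is supplied to the scan in the inventory hunk; recent dependency-check releases fetch vulnerability data from the NVD API, which is heavily rate-limited for anonymous clients, so expect slow or failing data updates once these seventeen workflows run in parallel. Pass a key from a repository secret through the action's `args`, e.g. `--nvdApiKey ${{ secrets.NVD_API_KEY }}`; GitHub masks `secrets.*` values in job logs, but keep it out of any committed config.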
@@ -43,6 +43,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f location + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/media-ci.yaml b/.github/workflows/media-ci.yaml index 94caa5b0ad..27fff18655 100644 --- a/.github/workflows/media-ci.yaml +++ b/.github/workflows/media-ci.yaml @@ -43,6 +43,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f media + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/order-ci.yaml b/.github/workflows/order-ci.yaml index 798cbd28c5..14bcc26b65 100644 --- a/.github/workflows/order-ci.yaml +++ b/.github/workflows/order-ci.yaml 
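Review bot: The location hunk produces the report only as `format: 'HTML'` and parks it in an artifact, so findings never reach the pull request or the repository's Security tab. Emit SARIF as well (`format: 'ALL'`, or a second step with `format: 'SARIF'`) and upload the SARIF file from `reports/` with `github/codeql-action/upload-sarif`; each finding then becomes a code-scanning alert with history and dismissal instead of a file someone has to download and read.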
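Review bot: The two-step block in the media hunk is copy-pasted verbatim into seventeen workflows, so the action pin, report format, CVSS threshold and artifact layout now have seventeen places to drift. Consider a composite action under `.github/actions/dependency-check/` or a reusable workflow that takes the module path as an input, and have each service workflow call it with one `uses:` line; that is also the only practical way to bump a SHA pin across all services at once.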
@@ -43,6 +43,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f order + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/payment-ci.yaml b/.github/workflows/payment-ci.yaml index cd8a5ece73..02cb6e938c 100644 --- a/.github/workflows/payment-ci.yaml +++ b/.github/workflows/payment-ci.yaml @@ -43,6 +43,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f payment + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/payment-paypal-ci.yaml b/.github/workflows/payment-paypal-ci.yaml index 8b4ab4a32c..458d70d26e 100644 --- a/.github/workflows/payment-paypal-ci.yaml +++ b/.github/workflows/payment-paypal-ci.yaml 
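Review bot: The upload step in the order hunk has no `if: always()`, so the moment the scan step fails — an NVD download error today, a CVSS threshold breach once one is configured — the report is never uploaded, which is exactly the run where someone needs it. Add `if: always()` (or `if: success() || failure()`) to the `Upload OWASP Dependency Check results` step so the artifact is published regardless of the scan's exit status.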
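Review bot: `JAVA_HOME: /opt/jdk` is the one non-obvious line in the payment hunk and it is undocumented; it appears to point at a JDK inside the action's container image rather than whatever `setup-java` installed on the runner, and a reader will be tempted to "fix" it. Add a comment such as `# JDK bundled in the Dependency-Check_Action container, not the runner's JDK` and, if the value comes from the action's README, say so.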
@@ -43,6 +43,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f payment-paypal + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/product-ci.yaml b/.github/workflows/product-ci.yaml index 4e241f4c59..543f918cf7 100644 --- a/.github/workflows/product-ci.yaml +++ b/.github/workflows/product-ci.yaml @@ -43,6 +43,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f product + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/promotion-ci.yaml b/.github/workflows/promotion-ci.yaml index 71c744b2d7..f5df4cc04b 100644 --- a/.github/workflows/promotion-ci.yaml +++ b/.github/workflows/promotion-ci.yaml 
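Review bot: `project: 'yas'` in the payment-paypal hunk is the same value used by every workflow, so the report title and the artifact it produces do not say which service was scanned, and a downloaded `OWASP Dependency Check Report` from this run is indistinguishable from the order or cart one. Use a per-service value, `project: 'yas-payment-paypal'`, and mirror it in the artifact, `name: dependency-check-payment-paypal`.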
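Review bot: No suppression file is wired into the scan in the product hunk, so once a CVSS threshold is set the only way to handle a false positive or an accepted risk will be to lower the threshold or skip the step. Commit a reviewed `dependency-check-suppressions.xml` at the repository root and pass it via `args: --suppression dependency-check-suppressions.xml`; each `<suppress>` entry should carry a justification in `<notes>` and an `until` date so accepted risks are revisited rather than forgotten.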
@@ -43,6 +43,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f promotion + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/rating-ci.yaml b/.github/workflows/rating-ci.yaml index e9bd032140..2853a3796a 100644 --- a/.github/workflows/rating-ci.yaml +++ b/.github/workflows/rating-ci.yaml @@ -43,6 +43,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f rating + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/search-ci.yaml b/.github/workflows/search-ci.yaml index c35a009718..73fad012d1 100644 --- a/.github/workflows/search-ci.yaml +++ b/.github/workflows/search-ci.yaml 
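Review bot: The CLI-based action in the promotion hunk scans what is on disk under `path` and does not resolve Maven dependencies the way the `dependency-check-maven` plugin this same commit adds to `pom.xml` does; unless an earlier step has already populated `promotion/target/` with the packaged dependencies, transitive libraries — the usual source of findings — may not be analyzed at all. Check that the first report actually lists the service's transitive jars; if it does not, run the plugin instead, `run: mvn org.owasp:dependency-check-maven:check -f promotion`, or make the scan step follow a package step. The preceding steps of this job are outside the hunk, so I cannot confirm what is on disk at this point.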
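Review bot: The scan step in the rating hunk has no `timeout-minutes`; its first run downloads the full NVD data set and later runs refresh it, so when the NVD API stalls the step holds the runner for the job's default six hours. Add `timeout-minutes: 20` to the `OWASP Dependency Check` step so a stuck feed fails fast and visibly rather than blocking the rest of the pipeline.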
@@ -43,6 +43,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f search + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/storefront-bff-ci.yaml b/.github/workflows/storefront-bff-ci.yaml index 3648e2d33b..ad80ef5e41 100644 --- a/.github/workflows/storefront-bff-ci.yaml +++ b/.github/workflows/storefront-bff-ci.yaml @@ -34,6 +34,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f storefront-bff + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/storefront-ci.yaml b/.github/workflows/storefront-ci.yaml index 9d498436d5..d5cd57eece 100644 --- a/.github/workflows/storefront-ci.yaml +++ b/.github/workflows/storefront-ci.yaml @@ -42,7 +42,7 @@ jobs: projectBaseDir: storefront env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 
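Review bot: Nothing in the search hunk caches the dependency-check data directory between runs, so each workflow refreshes NVD data from scratch every time, multiplying NVD traffic by the number of services and making every run as slow as the first. Pass a data directory under the workspace via `args: --data <dir>` and restore it with `actions/cache` keyed on the date so a day's runs share one download; check the action's README for how workspace paths are mapped into its container before choosing the directory.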
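Review bot: `path: ${{github.workspace}}/reports` in the storefront-bff hunk drops the spaces inside the expression braces while `${{ secrets.SONAR_TOKEN }}` and `${{ github.ref }}` in the same hunk keep them; GitHub accepts both, but the file's own convention is the spaced form. Write it as `path: ${{ github.workspace }}/reports`, or simply `path: reports`, which is the action's default output directory per its `out` input and already relative to the workspace.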
diff --git a/.github/workflows/tax-ci.yaml b/.github/workflows/tax-ci.yaml index 92025b28bb..9995c75068 100644 --- a/.github/workflows/tax-ci.yaml +++ b/.github/workflows/tax-ci.yaml @@ -43,6 +43,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f tax + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/.github/workflows/webhook-ci.yaml b/.github/workflows/webhook-ci.yaml index 255123c076..abcf0389c6 100644 --- a/.github/workflows/webhook-ci.yaml +++ b/.github/workflows/webhook-ci.yaml @@ -43,6 +43,19 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -f webhook + - name: OWASP Dependency Check + uses: dependency-check/Dependency-Check_Action@main + env: + JAVA_HOME: /opt/jdk + with: + project: 'yas' + path: '.' + format: 'HTML' + - name: Upload OWASP Dependency Check results + uses: actions/upload-artifact@master + with: + name: OWASP Dependency Check Report + path: ${{github.workspace}}/reports - name: Log in to the Container registry if: ${{ github.ref == 'refs/heads/main' }} uses: docker/login-action@v3 diff --git a/pom.xml b/pom.xml index 842be73d31..94589648b9 100644 --- a/pom.xml +++ b/pom.xml @@ -191,6 +191,17 @@ + + org.owasp + dependency-check-maven + + + + check + + + +
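Review bot: The `dependency-check-maven` plugin added to the root `pom.xml` appears to carry no `<version>` and no `<configuration>` — the only text values visible in the hunk are `org.owasp`, `dependency-check-maven` and `check` — so Maven will warn about the missing plugin version and resolve a floating one, and the `check` goal runs with defaults that never fail the build; the XML tags look stripped in this rendering, so confirm against the raw file. Pin the plugin with an explicit `<version>` matching what the workflows use, and set `<failBuildOnCVSS>7</failBuildOnCVSS>` plus `<nvdApiKey>${nvd.api.key}</nvdApiKey>` fed from a property, so a local `mvn verify` gives the same verdict as CI. This plugin also duplicates the GitHub Action the workflows in this patch add; pick one as the source of truth so thresholds and suppressions are maintained in a single place.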