diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml
index a210627f..8ac43e7a 100644
--- a/.github/workflows/dependencies_check.yml
+++ b/.github/workflows/dependencies_check.yml
@@ -1,12 +1,15 @@
-name: Dependencies Check
+name: Report Security Issues for Repository
on:
+ workflow_dispatch:
schedule:
- cron: "0 2 * * *"
jobs:
- build:
+ report_security_issues:
runs-on: ubuntu-latest
+ permissions:
+ issues: write
steps:
- uses: actions/checkout@v4
@@ -17,6 +20,22 @@ jobs:
java-version: 11
cache: "maven"
- name: Install Projects
- run: mvn --batch-mode install -DskipTests # This fixes https://github.com/exasol/project-keeper/issues/330
- - name: Checking dependencies for vulnerabilities
- run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml
+ # This fixes https://github.com/exasol/project-keeper/issues/330
+ run: |
+ mvn --batch-mode install -DskipTests \
+ -Dproject-keeper.skip=true -Dossindex.skip=true -Dmaven.javadoc.skip=true \
+ -Djacoco.skip=true -Derror-code-crawler.skip=true -Dreproducible.skip=true
+
+ - name: Generate ossindex report
+ run: |
+ mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit \
+ org.sonatype.ossindex.maven:ossindex-maven-plugin:audit-aggregate \
+ -Dossindex.reportFile=$(pwd)/ossindex-report.json \
+ -Dossindex.fail=false
+
+ - name: Report Security Issues
+ uses: exasol/python-toolbox/.github/actions/security-issues@main
+ with:
+ format: "maven"
+ command: "cat ossindex-report.json"
+ github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/doc/changes/changes_2.9.15.md b/doc/changes/changes_2.9.15.md
index 2983a5a6..575147e5 100644
--- a/doc/changes/changes_2.9.15.md
+++ b/doc/changes/changes_2.9.15.md
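Review bot: The new job-level `permissions:` block grants only `issues: write`, and once a job declares `permissions` every scope it does not list is set to `none`, so the `actions/checkout@v4` step in the same hunk runs without `contents: read` and presumably succeeds only because the repository is publicly readable. Add `contents: read` beside `issues: write` so the checkout's requirement is explicit and the job also works for a private repository. The same `permissions` block is added to the template at project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml in this commit and needs the same line.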
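Review bot: `uses: exasol/python-toolbox/.github/actions/security-issues@main` pins the action to a moving branch, and that action receives `secrets.GITHUB_TOKEN` (now carrying `issues: write`) together with the dependency report, so any later change on that branch runs here without review in this repository. Pin it to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: exasol/python-toolbox/.github/actions/security-issues@<commit-sha-placeholder>  # <release-tag-placeholder>`, and use a bot such as Dependabot to move the pin. The new `Generate ossindex report` step also drops the `--batch-mode` flag that the removed audit line and the `Install Projects` step above both pass, so its log will carry interactive progress output. `-Dossindex.fail=false` changes the job from failing on findings to always passing and deserves a comment above the step such as `# do not fail here; findings are turned into issues by the next step` so the next maintainer does not "fix" it. The same three points apply to the template hunk in project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml.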
@@ -1,9 +1,15 @@
-# Project Keeper 2.9.15, released 2023-??-??
+# Project Keeper 2.9.15, released 2023-10-30
-Code name:
+Code name: Create issues for vulnerabilities
## Summary
+This release updates the `dependencies_check.yml` GitHub workflow to use new [security_issues](https://exasol.github.io/python-toolbox/github_actions/security_issues.html) action. This action will automatically create GitHub issues for vulnerable dependencies found by the [ossindex-maven plugin](https://sonatype.github.io/ossindex-maven/maven-plugin/).
+
+## Features
+
+* #489: Added security_issues workflow
+
## Documentation
* #485: Added note about `--projects .` command line option to user guide
diff --git a/project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml b/project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml
index 3059964b..4b6eadf6 100644
--- a/project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml
+++ b/project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml
@@ -1,12 +1,15 @@
-name: Dependencies Check
+name: Report Security Issues for Repository
on:
+ workflow_dispatch:
schedule:
- cron: "0 2 * * *"
jobs:
- build:
+ report_security_issues:
runs-on: ubuntu-latest
+ permissions:
+ issues: write
steps:
- uses: actions/checkout@v4
@@ -16,5 +19,17 @@ jobs:
distribution: "temurin"
java-version: 11
cache: "maven"
- - name: Checking dependencies for vulnerabilities
- run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml
+
+ - name: Generate ossindex report
+ run: |
+ mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit \
+ org.sonatype.ossindex.maven:ossindex-maven-plugin:audit-aggregate \
+ -Dossindex.reportFile=$(pwd)/ossindex-report.json \
+ -Dossindex.fail=false
+
+ - name: Report Security Issues
+ uses: exasol/python-toolbox/.github/actions/security-issues@main
+ with:
+ format: "maven"
+ command: "cat ossindex-report.json"
+ github-token: ${{ secrets.GITHUB_TOKEN }}