owasp-dependency-check.yml

name: OWASP

env:
  MAVEN_OPTS: -Djava.awt.headless=true
  MAVEN_VERSION: '3.9.7'

concurrency:
  # More info: https://stackoverflow.com/a/68422069/253468
  group: ${{ github.workflow }}-${{ ( github.ref == 'refs/heads/main' || github.ref == 'refs/heads/release' ) && format('ci-master-{0}', github.sha) || format('ci-master-{0}', github.ref) }}
  cancel-in-progress: true

on:
  pull_request:
  schedule:
    - cron: "17 23 * * 0"
  workflow_dispatch:

jobs:
  build:
    name: Dependency Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: 17
          cache: 'maven'

      - name: 'Set up Maven'
        uses: stCarolas/setup-maven@v5
        with:
          maven-version: ${{ env.MAVEN_VERSION }}

      - name: OWASP Dependency Check
        continue-on-error: true
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: mvn -U package -DskipTests -DskipITs -Ddocker.skip=true org.owasp:dependency-check-maven:check -fae -B -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN -DfailBuildOnCVSS=5

      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: target/dependency-check-report.sarif

      - name: Cleanup snapshots
        if: always()
        run: |
          find ~/.m2/repository -name "*SNAPSHOT*" -type d | xargs rm -rf {}