Merge pull request #1742 from zalando/dependency-review

Check for Vulnerabilities via GHE Action
zalando · Jan 22, 2024 · 4630e01 · 4630e01
2 parents 2f38272 + 261bf75
commit 4630e01
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 48 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -26,6 +26,12 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v3
+    - name: Dependency Review
+      uses: actions/dependency-review-action@v4
+      with:
+        vulnerability-check: true
+        license-check: false
+        comment-summary-in-pr: on-failure
     - name: Set up JDK
       uses: actions/setup-java@v3
       with:

diff --git a/cve-suppressions.xml b/cve-suppressions.xml
diff --git a/logbook-parent/pom.xml b/logbook-parent/pom.xml
@@ -547,25 +547,6 @@
                         <generateBackupPoms>false</generateBackupPoms>
                     </configuration>
                 </plugin>
-                <plugin>
-                    <groupId>org.owasp</groupId>
-                    <artifactId>dependency-check-maven</artifactId>
-                    <version>8.4.3</version>
-                    <executions>
-                        <execution>
-                            <goals>
-                                <goal>check</goal>
-                            </goals>
-                        </execution>
-                    </executions>
-                    <configuration>
-                        <failBuildOnCVSS>0.0</failBuildOnCVSS>
-                        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
-                        <suppressionFiles>
-                            <suppressionFile>cve-suppressions.xml</suppressionFile>
-                        </suppressionFiles>
-                    </configuration>
-                </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-shade-plugin</artifactId>
@@ -636,10 +617,6 @@
                 <groupId>org.jacoco</groupId>
                 <artifactId>jacoco-maven-plugin</artifactId>
             </plugin>
-            <plugin>
-                <groupId>org.owasp</groupId>
-                <artifactId>dependency-check-maven</artifactId>
-            </plugin>
         </plugins>
     </build>
     <profiles>