diff --git a/.github/workflows/owasp-dc.yml b/.github/workflows/owasp-dc.yml
index 17d1ebd..42ae330 100644
--- a/.github/workflows/owasp-dc.yml
+++ b/.github/workflows/owasp-dc.yml
@@ -1,94 +1,63 @@ -name: OWASP Dependency Check (CAS TypeScript SDK) +name: OWASP Dependency Scan on: - workflow_dispatch: - schedule: - - cron: "0 9 * * 1" - push: - branches: [ main ] - paths: - - "src/**" - - "src-ts/**" - - "lib/**" - - "tests/**" - - "package.json" - - "package-lock.json" - - "Cargo.toml" - - "Cargo.lock" - - "tsconfig.json" - - ".github/workflows/owasp-dependency-check.yml" pull_request: - branches: [ main ] - paths: - - "src/**" - - "src-ts/**" - - "lib/**" - - "tests/**" - - "package.json" - - "package-lock.json" - - "Cargo.toml" - - "Cargo.lock" - - "tsconfig.json" - - ".github/workflows/owasp-dependency-check.yml" - -permissions: - contents: read - security-events: write + branches: [ "main" ] + push: + branches: [ "main" ] + workflow_dispatch: jobs: - dependency-check: - name: Scan dependencies + depscan: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + + - name: Set up Rust + uses: dtolnay/rust-toolchain@stable + + - name: Generate lockfile when missing + run: | + if [ ! 
-f Cargo.lock ]; then + cargo generate-lockfile + fi + + - name: Set up Node.js + uses: actions/setup-node@v4 with: - submodules: recursive + node-version: "24" + cache: npm + + - name: Install Node dependencies + run: npm ci - - name: Prepare Dependency-Check data directory - run: mkdir -p .dependency-check-data + - name: Build the project + run: cargo build --release --verbose - - name: Cache Dependency-Check data - uses: actions/cache@v4 + - name: Set up Python + uses: actions/setup-python@v5 with: - path: .dependency-check-data - key: dependency-check-data-${{ runner.os }}-${{ hashFiles('package-lock.json', 'Cargo.lock') }} - restore-keys: | - dependency-check-data-${{ runner.os }}- + python-version: "3.11" - - name: Run OWASP Dependency-Check (Docker) - env: - NVD_API_KEY: ${{ secrets.NVD_API_KEY }} + - name: Install OWASP scanning tools run: | - set -euo pipefail - mkdir -p dependency-check-report - docker run --rm \ - -e NVD_API_KEY="${NVD_API_KEY:-}" \ - -v "${{ github.workspace }}:/src" \ - -v "${{ github.workspace }}/.dependency-check-data:/usr/share/dependency-check/data" \ - -v "${{ github.workspace }}/dependency-check-report:/report" \ - owasp/dependency-check:latest \ - --project "cas-typescript-sdk" \ - --scan /src/src \ - --scan /src/src-ts \ - --scan /src/lib \ - --format "HTML" \ - --format "JSON" \ - --format "SARIF" \ - --out /report \ - --failOnCVSS 7 \ - ${NVD_API_KEY:+--nvdApiKey "${NVD_API_KEY}"} + npm install -g @cyclonedx/cdxgen + python -m pip install --upgrade pip + pip install owasp-depscan - - name: Upload OWASP dependency report - uses: actions/upload-artifact@v4 - with: - name: dependency-check-report - path: dependency-check-report - retention-days: 7 + - name: Create reports directory + run: mkdir -p reports - - name: Upload SARIF to code scanning - if: success() && hashFiles('dependency-check-report/*.sarif') != '' - uses: github/codeql-action/upload-sarif@v3 + - name: Generate CycloneDX SBOM + run: cdxgen -o reports/sbom.json . 
+ + - name: Run OWASP dep-scan + run: depscan --bom reports/sbom.json --reports-dir reports + + - name: Upload dependency scan reports + uses: actions/upload-artifact@v4 + if: always() with: - sarif_file: dependency-check-report/dependency-check-report.sarif + name: dependency-scan-reports + path: reports/
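Review bot: The top-level `permissions:` block (`contents: read`, `security-events: write`) is removed outright rather than narrowed, so the new `depscan` job runs with the repository's default GITHUB_TOKEN permissions on `push`, `pull_request` and `workflow_dispatch`, which may be read-write depending on repository settings; restore least privilege at workflow level with `permissions:` / `  contents: read`, adding `security-events: write` back only if a code-scanning upload is reinstated. With the `upload-sarif` step and `--failOnCVSS 7` gone, findings are now visible only in the uploaded artifact and the job no longer fails on high-severity results; if gating is still intended, configure a failure threshold in the dep-scan step (confirm the flag against the installed version) or re-add a SARIF upload. The `npm install -g @cyclonedx/cdxgen` and `pip install owasp-depscan` lines install whatever the current latest release is, so the scanner toolchain itself is an unpinned supply-chain input and results are not reproducible between runs; pin both (e.g. `pip install "owasp-depscan==<PINNED_VERSION>"`) in the same way the action refs should be pinned. The "Generate lockfile when missing" step also means a scan can run against a `Cargo.lock` resolved at job time rather than the committed one, which is worth a comment on that step so readers know the SBOM may not reflect the repository state.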