From 272d0591ef933fa3331a4df55eec6db5125f5b2d Mon Sep 17 00:00:00 2001 From: WingZer0o Date: Sun, 22 Mar 2026 08:21:53 -0400 Subject: [PATCH 1/4] OWASP --- .github/workflows/owasp-dependency-check.yml | 70 +++++--------------- 1 file changed, 17 insertions(+), 53 deletions(-) diff --git a/.github/workflows/owasp-dependency-check.yml b/.github/workflows/owasp-dependency-check.yml index 17d1ebd..8cf5cbf 100644 --- a/.github/workflows/owasp-dependency-check.yml +++ b/.github/workflows/owasp-dependency-check.yml @@ -1,35 +1,10 @@ -name: OWASP Dependency Check (CAS TypeScript SDK) +name: OWASP Dependency Check on: - workflow_dispatch: - schedule: - - cron: "0 9 * * 1" push: - branches: [ main ] - paths: - - "src/**" - - "src-ts/**" - - "lib/**" - - "tests/**" - - "package.json" - - "package-lock.json" - - "Cargo.toml" - - "Cargo.lock" - - "tsconfig.json" - - ".github/workflows/owasp-dependency-check.yml" + branches: [ main ] pull_request: branches: [ main ] - paths: - - "src/**" - - "src-ts/**" - - "lib/**" - - "tests/**" - - "package.json" - - "package-lock.json" - - "Cargo.toml" - - "Cargo.lock" - - "tsconfig.json" - - ".github/workflows/owasp-dependency-check.yml" permissions: contents: read 
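Review bot: Deleting the `schedule:` trigger (`cron: "0 9 * * 1"`) and `workflow_dispatch:` in this hunk means the scan now runs only when a push or pull request touches `main`, so a CVE published tomorrow against an unchanged `package-lock.json` or `Cargo.lock` is not reported until the next code change. Dependency scanning is mostly about new advisories rather than new code, so the time-based trigger is the one that matters most; keep the `push`/`pull_request` triggers but restore `schedule:` with `- cron: "0 9 * * 1"` and `workflow_dispatch:` for on-demand runs. Dropping the `paths:` filters is fine and broadens coverage, since every push to `main` now triggers the scan regardless of which files changed.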
@@ -46,39 +21,28 @@ jobs: with: submodules: recursive - - name: Prepare Dependency-Check data directory - run: mkdir -p .dependency-check-data - - name: Cache Dependency-Check data uses: actions/cache@v4 with: - path: .dependency-check-data - key: dependency-check-data-${{ runner.os }}-${{ hashFiles('package-lock.json', 'Cargo.lock') }} + path: ~/.dependency-check + key: dependency-check-${{ runner.os }}-${{ hashFiles('package-lock.json', 'Cargo.lock') }} restore-keys: | - dependency-check-data-${{ runner.os }}- + dependency-check-${{ runner.os }}- - - name: Run OWASP Dependency-Check (Docker) + - name: Run OWASP Dependency-Check + uses: dependency-check/Dependency-Check_Action@main env: NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - run: | - set -euo pipefail - mkdir -p dependency-check-report - docker run --rm \ - -e NVD_API_KEY="${NVD_API_KEY:-}" \ - -v "${{ github.workspace }}:/src" \ - -v "${{ github.workspace }}/.dependency-check-data:/usr/share/dependency-check/data" \ - -v "${{ github.workspace }}/dependency-check-report:/report" \ - owasp/dependency-check:latest \ - --project "cas-typescript-sdk" \ - --scan /src/src \ - --scan /src/src-ts \ - --scan /src/lib \ - --format "HTML" \ - --format "JSON" \ - --format "SARIF" \ - --out /report \ - --failOnCVSS 7 \ - ${NVD_API_KEY:+--nvdApiKey "${NVD_API_KEY}"} + with: + project: "cas-typescript-sdk" + path: "." + format: "HTML" + out: "dependency-check-report" + args: > + --format JSON + --format SARIF + --failOnCVSS 7 + --enableRetired - name: Upload OWASP dependency report uses: actions/upload-artifact@v4 From f64a641018aa3d6acf41bc814c4b540b3e829e91 Mon Sep 17 00:00:00 2001 From: WingZer0o Date: Sun, 22 Mar 2026 08:23:29 -0400 Subject: [PATCH 2/4] owasp dc --- .github/workflows/owasp-dependency-check.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/owasp-dependency-check.yml b/.github/workflows/owasp-dependency-check.yml index 8cf5cbf..8ef5bf0 100644 
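Review bot: `uses: dependency-check/Dependency-Check_Action@main` pins a third-party action to a mutable branch, in a step that also receives `secrets.NVD_API_KEY` and runs over the whole checkout (`path: "."`, including the recursively checked-out submodules); a force-push to or compromise of that branch executes in this job on the next run. Pin it to a full-length commit SHA with a version comment, `uses: dependency-check/Dependency-Check_Action@<full-commit-sha> # vX.Y.Z`, and let Dependabot or Renovate advance the pin. The replaced Docker invocation passed the key explicitly via `--nvdApiKey`; I can't tell from this hunk whether the action reads `NVD_API_KEY` from `env:` on its own, so confirm that, otherwise every run falls back to the unauthenticated NVD rate limit and database updates become slow or fail.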
--- a/.github/workflows/owasp-dependency-check.yml +++ b/.github/workflows/owasp-dependency-check.yml @@ -41,7 +41,6 @@ jobs: args: > --format JSON --format SARIF - --failOnCVSS 7 --enableRetired - name: Upload OWASP dependency report From bcbc1e6407e9b645106daca00a0c974c84b02826 Mon Sep 17 00:00:00 2001 From: Mike Mulchrone Date: Sun, 22 Mar 2026 09:21:24 -0400 Subject: [PATCH 3/4] testing owasp depscan --- .github/workflows/owasp-dependency-check.yml | 94 +++++++++++--------- 1 file changed, 50 insertions(+), 44 deletions(-) diff --git a/.github/workflows/owasp-dependency-check.yml b/.github/workflows/owasp-dependency-check.yml index 8ef5bf0..42ae330 100644 --- a/.github/workflows/owasp-dependency-check.yml +++ b/.github/workflows/owasp-dependency-check.yml 
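Review bot: Removing `--failOnCVSS 7` from `args:` turns this job from a gate into a report-only step: the workflow now passes regardless of findings, and the results are visible only in the uploaded artifact and the SARIF upload. If the goal was to stop a known finding from blocking merges, the conventional approach is to keep `--failOnCVSS 7` and add a suppression file for the accepted CVEs (dependency-check supports `--suppression <file>`) with a dated justification per entry, so the gate keeps catching new high-severity issues. If report-only is intentional, say so in a comment above the step, e.g. `# Advisory only: failOnCVSS gate removed 2026-03-22; findings are reviewed via the SARIF upload`, so the next maintainer does not assume merges are protected.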
@@ -1,57 +1,63 @@ -name: OWASP Dependency Check +name: OWASP Dependency Scan on: - push: - branches: [ main ] pull_request: - branches: [ main ] - -permissions: - contents: read - security-events: write + branches: [ "main" ] + push: + branches: [ "main" ] + workflow_dispatch: jobs: - dependency-check: - name: Scan dependencies + depscan: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - submodules: recursive + - uses: actions/checkout@v4 - - name: Cache Dependency-Check data - uses: actions/cache@v4 - with: - path: ~/.dependency-check - key: dependency-check-${{ runner.os }}-${{ hashFiles('package-lock.json', 'Cargo.lock') }} - restore-keys: | - dependency-check-${{ runner.os }}- - - - name: Run OWASP Dependency-Check - uses: dependency-check/Dependency-Check_Action@main - env: - NVD_API_KEY: ${{ secrets.NVD_API_KEY }} + - name: Set up Rust + uses: dtolnay/rust-toolchain@stable + + - name: Generate lockfile when missing + run: | + if [ ! -f Cargo.lock ]; then + cargo generate-lockfile + fi + + - name: Set up Node.js + uses: actions/setup-node@v4 with: - project: "cas-typescript-sdk" - path: "." 
- format: "HTML" - out: "dependency-check-report" - args: > - --format JSON - --format SARIF - --enableRetired - - - name: Upload OWASP dependency report - uses: actions/upload-artifact@v4 + node-version: "24" + cache: npm + + - name: Install Node dependencies + run: npm ci + + - name: Build the project + run: cargo build --release --verbose + + - name: Set up Python + uses: actions/setup-python@v5 with: - name: dependency-check-report - path: dependency-check-report - retention-days: 7 + python-version: "3.11" + + - name: Install OWASP scanning tools + run: | + npm install -g @cyclonedx/cdxgen + python -m pip install --upgrade pip + pip install owasp-depscan - - name: Upload SARIF to code scanning - if: success() && hashFiles('dependency-check-report/*.sarif') != '' - uses: github/codeql-action/upload-sarif@v3 + - name: Create reports directory + run: mkdir -p reports + + - name: Generate CycloneDX SBOM + run: cdxgen -o reports/sbom.json . + + - name: Run OWASP dep-scan + run: depscan --bom reports/sbom.json --reports-dir reports + + - name: Upload dependency scan reports + uses: actions/upload-artifact@v4 + if: always() with: - sarif_file: dependency-check-report/dependency-check-report.sarif + name: dependency-scan-reports + path: reports/ From 05359f3ea429ca8dbcb6021ae54f334f9a60c557 Mon Sep 17 00:00:00 2001 From: Mike Mulchrone Date: Sun, 22 Mar 2026 09:36:27 -0400 Subject: [PATCH 4/4] rename file --- .github/workflows/{owasp-dependency-check.yml => owasp-dc.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{owasp-dependency-check.yml => owasp-dc.yml} (100%) diff --git a/.github/workflows/owasp-dependency-check.yml b/.github/workflows/owasp-dc.yml similarity index 100% rename from .github/workflows/owasp-dependency-check.yml rename to .github/workflows/owasp-dc.yml
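Review bot: The rewrite drops the top-level `permissions:` block (`contents: read`, `security-events: write`) without adding a replacement, so the job now runs with the repository's default `GITHUB_TOKEN` grant, which on many repositories is still write-all; `security-events: write` can go since the SARIF upload was removed, but `permissions:` followed by `  contents: read` should come back above `jobs:`. The scanner toolchain itself is installed unpinned — `npm install -g @cyclonedx/cdxgen`, `pip install owasp-depscan` and `dtolnay/rust-toolchain@stable` — so whatever is latest on the registry at run time executes over the checkout; pin both packages to exact versions and the action to a commit SHA, and let Dependabot bump them. The new `actions/checkout@v4` step also loses `submodules: recursive`, so if any dependency manifests live in submodules they will be absent from `reports/sbom.json` (I can't see the submodule layout from here). Finally, none of the new steps fails the job on findings and the code-scanning upload is gone, so results only land in an artifact; if the scan is meant to gate merges, configure `depscan` to exit non-zero above a chosen severity, assuming the tool offers such a threshold.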