chore: update cve exclude list [skip ci] #3862
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: SBOM | |
on: | |
pull_request: | |
types: [opened, synchronize, reopened, edited] | |
paths: ["versions.json", "**/pom.xml", ".github/workflows/sbom.yml", "scripts/generateAndCheckSBOM.js", "scripts/generator/templates/*.xml"] | |
release: | |
types: ["published"] | |
workflow_dispatch: | |
inputs: | |
useSnapshots: | |
description: 'Use snapthots for all vaadin products' | |
required: false | |
type: boolean | |
default: false | |
useBomber: | |
description: 'Use bomber' | |
required: false | |
type: boolean | |
default: true | |
useOSV: | |
description: 'Use osv-scanner' | |
required: false | |
type: boolean | |
default: true | |
useOWASP: | |
description: 'Use owasp:dependency-check-maven' | |
required: false | |
type: boolean | |
default: true | |
useFullOWASP: | |
description: 'Use full owasp:dependency-check' | |
required: false | |
type: boolean | |
default: false | |
version: | |
description: 'Use set Platform Version to:' | |
required: false | |
type: string | |
default: '' | |
jobs: | |
run: | |
runs-on: ubuntu-latest | |
steps: | |
- run: | | |
[ -z "${{secrets.TB_LICENSE}}" ] \ | |
&& echo "🚫 **TB_LICENSE** is not defined, check that **${{github.repository}}** repo has a valid secret" \ | |
| tee -a $GITHUB_STEP_SUMMARY && exit 1 || exit 0 | |
name: Check secrets | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: '22' | |
- uses: actions/setup-java@v4 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
- uses: stCarolas/setup-maven@v5 | |
with: | |
maven-version: '3.8.2' | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: 'stable' | |
- run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1 | |
- run: | | |
wget -q https://github.com/devops-kung-fu/bomber/releases/download/v0.5.0/bomber_0.5.0_linux_amd64.deb | |
sudo dpkg -i bomber_0.5.0_linux_amd64.deb | |
name: Install bomber-0.5.0 | |
- run: | | |
# Install dependency-check-9.0.7 | |
cd /tmp | |
wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v9.0.7/dependency-check-9.0.7-release.zip | |
unzip dependency-check-9.0.7-release.zip | |
sudo ln -s /tmp/dependency-check/bin/dependency-check.sh /usr/bin/dependency-check | |
name: Install dependency-check-9.0.7 | |
- run: | | |
mkdir -p ~/.vaadin/ | |
echo '{"username":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f1`'","proKey":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f2`'"}' > ~/.vaadin/proKey | |
name: Install proKey | |
- run: | | |
[ false = "${{github.event.inputs.useBomber}}" ] && A="$A --disable-bomber" | |
[ false = "${{github.event.inputs.useOSV}}" ] && A="$A --disable-osv-scan" | |
[ false = "${{github.event.inputs.useOWASP}}" ] && A="$A --disable-owasp" | |
[ true = "${{github.event.inputs.useFullOWASP}}" ] && A="$A --enable-full-owasp" | |
[ true = "${{github.event.inputs.useSnapshots}}" ] && A="$A --useSnapshots" | |
V="${{ github.event.inputs.version || github.event.release.tag_name }}" | |
[ -n "$V" ] && A="$A --version $V" | |
cmd="scripts/generateAndCheckSBOM.js $A" | |
echo "Running: $cmd" | |
$cmd | |
name: Generate And Check SBOM | |
env: | |
OSSINDEX_USER: ${{secrets.OSSINDEX_USER}} | |
OSSINDEX_TOKEN: ${{secrets.OSSINDEX_TOKEN}} | |
NVD_API_KEY: ${{secrets.NVD_API_KEY}} | |
- if: ${{always() && env.DEPENDENCIES_REPORT && github.event.pull_request}} | |
uses: thollander/actions-comment-pull-request@v2 | |
with: | |
message: "${{env.DEPENDENCIES_REPORT}}\n[[Click for more Details](${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}})]" | |
comment_tag: dependencies_report | |
- if: ${{always()}} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: files | |
path: | | |
**/target/bom-vaadin.json | |
**/target/*-report.json | |
**/target/tree-*.txt | |
**/target/dependencies.html | |
if-no-files-found: error | |
retention-days: 60 | |
- if: ${{ always() && (github.event.release.tag_name || github.event.inputs.version) }} | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: vaadin-platform-sbom/target/bom-vaadin.json | |
asset_name: "Software.Bill.Of.Materials.json" | |
tag: ${{ github.event.inputs.version || github.event.release.tag_name }} | |
overwrite: true | |
- if: ${{ always() && (github.event.release.tag_name || github.event.inputs.version) }} | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: vaadin-platform-sbom/target/dependencies.html | |
asset_name: "Dependencies.Report.html" | |
tag: ${{ github.event.inputs.version || github.event.release.tag_name }} | |
overwrite: true | |