ENT-2684 Fix owasp dependency checker to fail builds based on CVSS level ()

OWASP Dependency Checker has been updated so that it can be configured to automatically fail a build when a vulnerable dependency is detected. This option is exposed through gradle settings, so that a build can be configured in TeamCity to pass/fail. This change is backward-compatible - i.e. it does not affect a build by default unless configured to do so.

Ability to fail a build is exposed by the new owasp.failBuildOnCVSS gradle property
By default this is set to '11.0' which will always pass a build even if a vulnerability is found (so will not affect anything by default)
Reduce the CVSS level between 0-10 to indicate what level to fail a build on
Example usage to catch Medium severity (and above) issues:

Configure gradle with the option -Powasp.failBuildOnCVSS=4
This commit is contained in:
James Brown 2018-11-07 09:00:19 +00:00 committed by GitHub
parent 6fd724338a
commit c205a10ec0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 0 deletions

View File

@ -160,6 +160,9 @@ allprojects {
suppressionFile = '.ci/dependency-checker/suppressedLibraries.xml'
cveValidForHours = 1
format = 'ALL'
failOnError = project.getProperty('owasp.failOnError')
// by default CVSS is '11' which passes everything. Set between 0-10 to catch vulnerable deps
failBuildOnCVSS = project.getProperty('owasp.failBuildOnCVSS').toFloat()
}
sourceCompatibility = 1.8
targetCompatibility = 1.8

View File

@ -1,3 +1,5 @@
kotlin.incremental=true
org.gradle.jvmargs=-XX:+UseG1GC -Xmx1g -Dfile.encoding=UTF-8
org.gradle.caching=true
owasp.failOnError=false
owasp.failBuildOnCVSS=11.0