Merge pull request #282 from marklogic/feature/dependency-check

Added support for detecting dependency vulnerabilities

Author: rjrudin

.gitignore

@@ -16,5 +16,7 @@ logs
 .ipynb_checkpoints
 venv
 .venv
-docker
+docker/marklogic
+docker/sonarqube/data
+docker/sonarqube/logs
 export

CONTRIBUTING.md

@@ -83,6 +83,10 @@ you've introduced on the feature branch you're working on. You can then click on
 Note that if you only need results on code smells and vulnerabilities, you can repeatedly run `./gradlew sonar`
 without having to re-run the tests.
 
+Our Sonar instance is also configured to scan for dependency vulnerabilities 
+[via the dependency-check plugin](https://github.com/dependency-check/dependency-check-sonar-plugin). For more 
+information, see the `dependencyCheck` block in this project's `build.gradle` file.
+
 ## Accessing MarkLogic logs in Grafana
 
 This project's `docker-compose-3nodes.yaml` file includes

build.gradle

@@ -7,6 +7,7 @@ plugins {
   id 'signing'
   id "jacoco"
   id "org.sonarqube" version "4.4.1.3373"
+  id "org.owasp.dependencycheck" version "10.0.3"
 }
 
 group 'com.marklogic'
@@ -88,6 +89,16 @@ dependencies {
   testImplementation "org.skyscreamer:jsonassert:1.5.1"
 }
 
+// See https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration.html for more information.
+dependencyCheck {
+  // Need a JSON report to integrate with Sonar. And HTML is easier for humans to read.
+  formats = ["HTML", "JSON"]
+  // We don't include compileOnly since that includes Spark, and Spark and its dependencies are not actual dependencies
+  // of our connector.
+  scanConfigurations = ["shadowDependencies"]
+  suppressionFile = "config/dependency-check-suppressions.xml"
+}
+
 test {
   useJUnitPlatform()
   finalizedBy jacocoTestReport
@@ -106,6 +117,8 @@ sonar {
   properties {
     property "sonar.projectKey", "marklogic-spark"
     property "sonar.host.url", "http://localhost:9000"
+    // See https://github.com/dependency-check/dependency-check-sonar-plugin for more information.
+    property "sonar.dependencyCheck.jsonReportPath", "build/reports/dependency-check-report.json"
   }
 }
 

config/dependency-check-suppressions.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <notes><![CDATA[
+   file name: jackson-databind-2.14.3.jar
+
+   See https://nvd.nist.gov/vuln/detail/CVE-2023-35116 and https://github.com/FasterXML/jackson-databind/issues/3972 .
+   The Jackson team heartily refutes that this is a vulnerability, and we agree.
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
+    <cve>CVE-2023-35116</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: commons-compress-1.24.0.jar
+   This is brought in by Jena 4.10. It's a medium, and we don't want to interfere with Jena dependencies.
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons-compress@.*$</packageUrl>
+    <cve>CVE-2024-25710</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: commons-compress-1.24.0.jar
+   This is brought in by Jena 4.10. It's a medium, and we don't want to interfere with Jena dependencies.
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons-compress@.*$</packageUrl>
+    <cve>CVE-2024-26308</cve>
+  </suppress>
+</suppressions>

docker-compose.yaml

@@ -28,9 +28,10 @@ services:
       SONAR_JDBC_USERNAME: sonar
       SONAR_JDBC_PASSWORD: sonar
     volumes:
-      - sonarqube_data:/opt/sonarqube/data
-      - sonarqube_extensions:/opt/sonarqube/extensions
-      - sonarqube_logs:/opt/sonarqube/logs
+      - ./docker/sonarqube/data:/opt/sonarqube/data
+      - ./docker/sonarqube/logs:/opt/sonarqube/logs
+      # Allows for Sonar plugins to be installed by including plugin jar files in this directory.
+      - ./docker/sonarqube/extensions:/opt/sonarqube/extensions
     ports:
       - "9000:9000"