
Commit 002c659

Merge pull request #8 from wiremock/fix-vulns
Fix / ignore vulnerabilities
2 parents 6ed66f7 + 0684bf1 commit 002c659


4 files changed

+50
-3
lines changed


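--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -21,12 +21,12 @@ jobs:
       JDK_VERSION: ${{ matrix.jdk }}
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Set up JDK
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
         with:
           java-version: ${{ matrix.jdk }}
           distribution: 'temurin'
@@ -43,3 +43,18 @@ jobs:
 
       - name: Test with Gradle
         run: ./gradlew check --stacktrace --no-daemon
+
+  gradle-scan:
+    name: Snyk gradle scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Snyk to check build.gradle for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test
+          args: --severity-threshold=high --org=f310ee2f-5552-444d-84ee-ec8c44c33adb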
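Review bot: `uses: snyk/actions/gradle-jdk17@master` in the new gradle-scan job tracks a mutable branch of a third-party action while handing it `SNYK_TOKEN`, so anyone who can push to that branch can run code in this job with the token; pin it to the full commit SHA of the release you verified, `uses: snyk/actions/gradle-jdk17@<full-commit-sha> # <tag>`, as the checkout/setup-java bumps in the same file at least pin to a major tag. The job also declares no `permissions:` block, so it inherits the workflow/repository default instead of the `contents: read` that a scan-only job needs. The workflow's `on:` triggers are outside this hunk; if it runs on `pull_request` from forks, `secrets.SNYK_TOKEN` will be empty there and the step will fail rather than scan, which is worth an `if:` guard or a note in the job.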

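--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,3 +38,17 @@ jobs:
           OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
           OSSRH_GPG_SECRET_KEY: ${{ secrets.OSSRH_GPG_SECRET_KEY }}
           OSSRH_GPG_SECRET_KEY_PASSWORD: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+
+  gradle-monitor:
+    name: Snyk gradle monitor
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Snyk to monitor build.gradle for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: monitor
+          args: --org=f310ee2f-5552-444d-84ee-ec8c44c33adb --project-name=wiremock-jwt-extension --policy-path=.snyk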
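Review bot: The new gradle-monitor job has no `needs:` on the publishing job whose OSSRH/GPG env is visible at the top of this hunk, so it runs in parallel and records a snapshot in Snyk even when the release itself fails or is cancelled, which makes the monitored project drift from what was actually published; add `needs: [<publish-job-id>]` (the job id is outside this hunk) so the monitor reflects a successful release. `uses: snyk/actions/gradle-jdk17@master` should be pinned to a full commit SHA for the same reason as in gradle.yml, since the job receives `SNYK_TOKEN`, and the job should carry `permissions: { contents: read }` rather than inherit the release workflow's defaults. If the workflow is triggered on tag or release events, a comment on the job stating that `monitor` is intentionally tied to releases (not every push) would help the next maintainer, e.g. `# Snapshot the released dependency tree in Snyk; CI runs 'snyk test' on every push instead.`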

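--- /dev/null
+++ b/.snyk
@@ -0,0 +1,15 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
+    - '*':
+        reason: No fix available
+        expires: 2025-09-13T11:22:43.997Z
+        created: 2024-09-13T11:22:43.999Z
+  'snyk:lic:maven:junit:junit:EPL-1.0':
+    - '*':
+        reason: Not relevant, we do not repackage junit
+        expires: 2034-09-13T12:29:48.476Z
+        created: 2024-09-13T12:29:48.481Z
+patch: {}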
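Review bot: The `SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744` ignore gives `reason: No fix available` but records neither which dependency path pulls the affected Kotlin artifact in nor what would let the ignore be lifted, and the `'*'` path wildcard mutes that id on every path, including any direct Kotlin dependency added later. Add a comment above the entry such as `# Transitive Kotlin stdlib issue, no patched version at time of writing; re-evaluate before expiry or when the parent dependency ships a fix` and, if the offending path is known, replace `'*'` with that specific path. The junit license ignore expires in 2034, i.e. it is effectively permanent; that is reasonable for a test-scoped EPL finding, but a comment saying so (`# junit is test-only and not redistributed, so the EPL-1.0 license finding does not apply`) would stop someone shortening it later without context.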

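--- a/build.gradle
+++ b/build.gradle
@@ -12,7 +12,7 @@ plugins {
     id 'eclipse'
     id 'project-report'
     id 'com.diffplug.spotless' version '6.21.0'
-    id 'org.wiremock.tools.gradle.wiremock-extension-convention' version '0.2.0'
+    id 'org.wiremock.tools.gradle.wiremock-extension-convention' version '0.3.0'
 }
 
 repositories {
@@ -67,6 +67,9 @@ dependencies {
         implementation('com.fasterxml.jackson.core:jackson-core:2.15.0') {
             because 'version 2.14.2 brought in transitively by com.auth0:auth0@2.12.0 has CWE-400'
         }
+        implementation('org.apache.commons:commons-compress:1.26.0') {
+            because 'version 1.24.0 brought in transitively by org.wiremock:wiremock:3.9.1 has CVE-2024-25710'
+        }
     }
 }
 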
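Review bot: The commons-compress override is declared as a direct `implementation` dependency, so the extension itself now depends on commons-compress in its published POM (release.yml publishes to OSSRH) and the override only takes effect because Gradle's default conflict resolution picks the highest version, not because a constraint was expressed; declaring it under `constraints {}` keeps the version floor without adding a runtime dependency the extension does not itself use. The existing jackson-core override above it has the same shape, so converting both keeps the file consistent, and the `because` text is preserved as the audit trail. The `dependencies {` block opens before this hunk, so the `constraints` block goes inside it alongside the existing entries. The convention-plugin bump to 0.3.0 in the first hunk is a plain version bump and raises nothing.
```groovy
        // … unchanged: other dependencies in this block …
        constraints {
            implementation('com.fasterxml.jackson.core:jackson-core:2.15.0') {
                because 'version 2.14.2 brought in transitively by com.auth0:auth0@2.12.0 has CWE-400'
            }
            implementation('org.apache.commons:commons-compress:1.26.0') {
                because 'version 1.24.0 brought in transitively by org.wiremock:wiremock:3.9.1 has CVE-2024-25710'
            }
        }
```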