
chore: add owasp vulnerability check

Open jeromevdl opened this issue 3 years ago • 4 comments

After the log4j event in dec/jan, good to have a check

Issue #, if available:

Description of changes:

Added the owasp dependency-check plugin that scans dependencies for known CVEs. Fails the build if a CVE is found with level > 8.

Checklist

  • [ ] Meet tenets criteria
  • [ ] Update tests
  • [ ] Update docs
  • [ ] PR title follows conventional commit semantics

Breaking change checklist

RFC issue #:

  • [ ] Migration process documented
  • [ ] Implement warnings (if it can live side by side)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

jeromevdl avatar Mar 23 '22 16:03 jeromevdl

@jeromevdl Curious how it is different from dependabot dependency upgrades, which get merged automatically too?

pankajagrawal16 avatar Mar 24 '22 19:03 pankajagrawal16

In several personal repos, dependabot didn't detect the log4j version in December... So I'm kind of suspicious about it and prefer to have another belt.

jeromevdl avatar Mar 24 '22 21:03 jeromevdl

@jeromevdl I wonder why there are no build checks that ran with this? 🤔

pankajagrawal16 avatar Apr 04 '22 11:04 pankajagrawal16

> @jeromevdl I wonder why there are no build checks that ran with this? 🤔

Yes, right. This is weird, as I only added a plug-in in the pom...

Workflow runs completed with no jobs

Do we check what is updated to perform the full checks? If only the pom changed, no checks?

jeromevdl avatar Apr 04 '22 11:04 jeromevdl

Hey @jeromevdl and @pankajagrawal16, I had a look at this change and there are a couple of topics that I would like to discuss:

  1. This plugin is attached to mvn's verify phase, so it will only be invoked by the SpotBug and Publish builds (the 'Build' build uses the `package` phase, which is earlier).

  2. Do we have a dedicated machine for running our builds? Plugin documentation says "It is important to understand that the first time this task is executed it may take 20 minutes or more as it downloads and processes the data from the National Vulnerability Database (NVD)" - I have tried to run it on my machine and it failed after a couple of minutes due to issues with downloading the data. Rerun helped ;-)

  3. Do you have any opinion about the CVSS failing level? Right now it is 8 and it does not impact our build. When I changed it to 7, it started complaining about jackson-databind (CVE-2020-36518 (7.5), CVE-2022-42003 (7.5), CVE-2022-42004 (7.5)). Level 7 is also considered high risk.

kozub avatar Feb 21 '23 14:02 kozub
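For readers who want to see what the PR description and kozub's three points refer to in concrete terms, here is an added example of the `pom.xml` plugin declaration; it is not the PR's own diff and not the project's configuration. It binds the OWASP `dependency-check-maven` `check` goal to the `verify` phase (the default binding, written out so the phase question is explicit) and sets `failBuildOnCVSS`. The version property name and its placeholder value, the threshold of 7 (the PR uses 8) and the `skipTestScope` choice are assumptions for illustration.

```xml
<!-- Added example, not the PR's own change or the project's real pom.xml.
     Plugin version property and the CVSS threshold are assumptions. -->
<project>
  <properties>
    <!-- Assumption: pin the plugin version via a property; replace the placeholder. -->
    <dependency-check.version>PLUGIN_VERSION_PLACEHOLDER</dependency-check.version>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- Build fails when any dependency has a CVE with CVSS >= this value.
               The PR used 8; kozub's comment notes that 7 surfaces the
               jackson-databind CVSS 7.5 findings. 7 is shown here as an example. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Assumption: test-scoped dependencies are not shipped in the
               Lambda artifact, so they are excluded from the gate. -->
          <skipTestScope>true</skipTestScope>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
            <!-- Default binding for check is verify. Stated explicitly to make
                 clear that a workflow running only `mvn package` never reaches it,
                 which is kozub's first point above. -->
            <phase>verify</phase>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this declaration, `mvn verify` (and anything later, such as `install` or `deploy`) runs the scan, while `mvn package` does not, so a CI job that only packages will show no dependency-check output at all. The first run downloads and processes the NVD data set, which is the slow and occasionally failing step kozub describes in point 2; a CI cache for the plugin's data directory, or a retry on that job, is the usual mitigation.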

@kozub, you are right, this is the verify phase. Maybe we should do that together with the spotbug check (verify instead of install). For the rest, let's just try!

jeromevdl avatar Jun 23 '23 13:06 jeromevdl

Codecov Report

Patch and project coverage have no change.

Comparison is base (acf91bc) 70.87% compared to head (4b333ee) 70.87%.


Additional details and impacted files
@@            Coverage Diff            @@
##               main     #803   +/-   ##
=========================================
  Coverage     70.87%   70.87%           
  Complexity      541      541           
=========================================
  Files            72       72           
  Lines          2328     2328           
  Branches        254      254           
=========================================
  Hits           1650     1650           
  Misses          558      558           
  Partials        120      120           


codecov-commenter avatar Jun 23 '23 13:06 codecov-commenter

Looks like it runs with spotbugs... don't know what happened.

But it is also not super reliable (error 504): https://github.com/jeremylong/DependencyCheck/issues/5702

jeromevdl avatar Jun 23 '23 13:06 jeromevdl

Closing due to overlap with existing tooling (dependabot, sonar, etc.)

scottgerring avatar Oct 09 '23 11:10 scottgerring