Add a check for CVEs present in new transitive dependencies

tdcmeehan · tdcmeehan · commit b6992c7665d0 · 2025-09-22T10:28:27.000-04:00
This action will compare the baseline and PR's CVE count, and 
fail if new high or critical CVEs are present in the PR.
diff --git a/.github/workflows/owasp-dependency-check.yml b/.github/workflows/owasp-dependency-check.yml
@@ -0,0 +1,138 @@
+name: Maven OWASP Dependency Check
+on:
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      cvss-threshold:
+        description: 'CVSS score threshold for failing (7.0 = high/critical)'
+        required: false
+        default: '7.0'
+        type: string
+
+jobs:
+  dependency-check:
+    runs-on: ubuntu-latest
+    env:
+      CVSS_THRESHOLD: ${{ github.event.inputs.cvss-threshold || '7.0' }}
+      OWASP_VERSION: '12.1.3'
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: pr
+
+      - name: Checkout base branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.base.sha }}
+          path: base
+
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 17
+          cache: 'maven'
+
+      - name: Get date for cache key
+        id: get-date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Restore OWASP database cache
+        uses: actions/cache/restore@v4
+        id: cache-owasp-restore
+        with:
+          path: ~/.owasp/dependency-check-data
+          key: owasp-cache-${{ runner.os }}-${{ env.OWASP_VERSION }}-${{ steps.get-date.outputs.date }}
+          restore-keys: |
+            owasp-cache-${{ runner.os }}-${{ env.OWASP_VERSION }}-
+            owasp-cache-${{ runner.os }}-
+
+      - name: Run OWASP check on base branch
+        working-directory: base
+        run: |
+          mvn org.owasp:dependency-check-maven:${{ env.OWASP_VERSION }}:aggregate \
+            -DskipTests \
+            -Dformat=JSON \
+            -DprettyPrint=true \
+            -DfailOnError=false \
+            -DossindexAnalyzerEnabled=true \
+            -DnvdApiAnalyzerEnabled=false \
+            -DnodeAnalyzerEnabled=false \
+            -DassemblyAnalyzerEnabled=false \
+            -DcentralAnalyzerEnabled=false \
+            -DnuspecAnalyzerEnabled=false \
+            -DnvdValidForHours=168 \
+            -DdataDirectory=$HOME/.owasp/dependency-check-data
+
+      - name: Save OWASP cache after base scan
+        if: steps.cache-owasp-restore.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v4
+        with:
+          path: ~/.owasp/dependency-check-data
+          key: owasp-cache-${{ runner.os }}-${{ env.OWASP_VERSION }}-${{ steps.get-date.outputs.date }}-partial
+
+      - name: Run OWASP check on PR branch
+        working-directory: pr
+        run: |
+          mvn org.owasp:dependency-check-maven:${{ env.OWASP_VERSION }}:aggregate \
+            -DskipTests \
+            -Dformat=JSON \
+            -DprettyPrint=true \
+            -DfailOnError=false \
+            -DossindexAnalyzerEnabled=true \
+            -DnvdApiAnalyzerEnabled=false \
+            -DnodeAnalyzerEnabled=false \
+            -DassemblyAnalyzerEnabled=false \
+            -DcentralAnalyzerEnabled=false \
+            -DnuspecAnalyzerEnabled=false \
+            -DnvdValidForHours=168 \
+            -DdataDirectory=$HOME/.owasp/dependency-check-data
+
+      - name: Compare and fail on new CVEs above threshold
+        run: |
+          # Extract CVEs above threshold from both branches (CVSS >= $CVSS_THRESHOLD)
+          threshold="${{ env.CVSS_THRESHOLD }}"
+          base_cves=$(cat base/target/dependency-check-report.json 2>/dev/null | jq -r ".dependencies[].vulnerabilities[]? | select((.cvssv2.score // 0) >= $threshold or (.cvssv3.baseScore // 0) >= $threshold) | .name" | grep -E '^CVE-[0-9]{4}-[0-9]+$' | sort -u)
+          pr_cves=$(cat pr/target/dependency-check-report.json 2>/dev/null | jq -r ".dependencies[].vulnerabilities[]? | select((.cvssv2.score // 0) >= $threshold or (.cvssv3.baseScore // 0) >= $threshold) | .name" | grep -E '^CVE-[0-9]{4}-[0-9]+$' | sort -u)
+
+          # Find new CVEs introduced in PR
+          new_cves=$(comm -13 <(echo "$base_cves") <(echo "$pr_cves"))
+
+          if [ -n "$new_cves" ]; then
+            echo "❌ New vulnerabilities introduced in PR:"
+            echo "$new_cves"
+            echo ""
+
+            for cve in $new_cves; do
+              echo "=================================================="
+              echo "CVE: $cve"
+              echo "=================================================="
+
+              # Find which dependencies have this CVE (with safe access to packages)
+              cat pr/target/dependency-check-report.json | jq -r ".dependencies[] | select(.vulnerabilities[]?.name == \"$cve\") | \"Module: \" + (.projectReferences // [\"root\"])[0] + \"\nDependency: \" + .fileName + \"\nPackage: \" + (if .packages and .packages[0] then .packages[0].id else \"N/A\" end) + \"\nDescription: \" + (.vulnerabilities[] | select(.name == \"$cve\") | .description)"
+
+              echo ""
+            done
+
+            exit 1
+          else
+            echo "✅ No new vulnerabilities introduced"
+          fi
+
+      - name: Save OWASP database cache
+        if: always()
+        uses: actions/cache/save@v4
+        with:
+          path: ~/.owasp/dependency-check-data
+          key: owasp-cache-${{ runner.os }}-${{ env.OWASP_VERSION }}-${{ steps.get-date.outputs.date }}
+
+      - name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: owasp-reports
+          path: |
+            base/target/dependency-check-report.json
+            pr/target/dependency-check-report.json
