From 764518eb49d50180c3460de353530a30bb2699d9 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Mon, 11 Dec 2023 10:34:44 +0100 Subject: [PATCH 01/28] correct dependabot file --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c2b928dc..9f706d7d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,7 +6,7 @@ updates: interval: "weekly" day: "monday" time: "06:00" - timezone: "UTC" + timezone: "Etc/UTC" groups: java-test-dependencies: patterns: From d456db199738a8d980ac19dc4dd3dc234068f422 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Mon, 11 Dec 2023 11:14:08 +0100 Subject: [PATCH 02/28] update dependency check: * use latest version * read nvd api key from env * remove unused property --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 391185a7..efc5e0b0 100644 --- a/pom.xml +++ b/pom.xml @@ -32,7 +32,7 @@ 1.3.0 - 9.0.1 + 9.0.4 1.2.1 0.8.11 1.6.13 @@ -247,11 +247,11 @@ dependency-check-maven ${dependency-check.version} - 24 0 true true suppression.xml + ${env.NVD_API_KEY} From 5fb77b988b195694b7aed6d2b2d7261d2549dfde Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Mon, 11 Dec 2023 11:14:57 +0100 Subject: [PATCH 03/28] add scheduled dependency check to repo --- .github/workflows/dependency-check.yml | 39 ++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/dependency-check.yml diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml new file mode 100644 index 00000000..4acef8af --- /dev/null +++ b/.github/workflows/dependency-check.yml 
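Review bot: `${env.NVD_API_KEY}` in the plugin configuration has no fallback: when the variable is not exported, Maven leaves the placeholder unresolved and the plugin receives the literal text `${env.NVD_API_KEY}` as its API key, so a local `mvn verify -Pdependency-check` sends a bogus key to NVD instead of running unauthenticated. Either pass the key only from CI (`-DnvdApiKey=...`) or wire it through a profile activated on the variable's presence, `<activation><property><name>env.NVD_API_KEY</name></property></activation>`, and add a one-line comment next to the element saying the variable is optional. The element names in this hunk were stripped by extraction, so which property the removed `24` was cannot be confirmed from here.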
@@ -0,0 +1,39 @@ +name: OWASP Maven Dependency Check +on: + schedule: + - cron: '0 7 * * 0' + workflow_call: + +jobs: + check-dependencies: + name: Check dependencies + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + show-progress: false + - name: Setup Java + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: 17 + cache: 'maven' + - name: Run org.owasp:dependency-check plugin + id: plugin-run + continue-on-error: true + run: mvn verfiy -Pdependency-check + env: + NVD_API_KEY: ${{ secrets.NVD_API_KEY }} + - name: Upload report on failure + if: "${{ steps.plugin-run.outcome == 'failure'}}" + uses: actions/upload-artifact@v3 + with: + name: dependency-check-report + path: target/dependency-check-report.html + if-no-files-found: error + - name: Indicate failure, if necessary + if: "${{ steps.plugin-run.outcome == 'failure'}}" + shell: bash + run: | + echo "Dependency check failed! See uploaded report for details." + exit 1; From 76109d4a782ed68e024d4cfd1d56727306e144fc Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Mon, 11 Dec 2023 11:15:20 +0100 Subject: [PATCH 04/28] execute dependency check before release --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fa25f713..cebbc581 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -40,6 +40,8 @@ jobs: with: name: artifacts path: target/*.jar + - uses: ./github/workflows/dependency-check.yml + secrets: inherit - name: Create release if: startsWith(github.ref, 'refs/tags/') uses: softprops/action-gh-release@v1 From 114678a0c9b106105e3d4858871bf60880721252 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Mon, 11 Dec 2023 12:16:31 +0100 Subject: [PATCH 05/28] change dependency check workflow from call to dispatch --- .github/workflows/dependency-check.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
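Review bot: The new workflow declares no `permissions:` block, so its GITHUB_TOKEN gets the repository's default permissions (possibly read/write) although the job only needs to read the checkout; add `permissions:` with `contents: read` at the top level. All actions are referenced by mutable major tags (`actions/checkout@v4`, `actions/setup-java@v4`, `actions/upload-artifact@v3`); pinning them to full commit SHAs with the tag in a trailing comment and letting the existing dependabot `github-actions` group bump them is the usual hardening for a job that holds `NVD_API_KEY`. The uploaded `target/dependency-check-report.html` enumerates the unpatched CVEs of the current dependency tree and is presumably downloadable by anyone who can read the repository's workflow runs, which is worth a comment on the upload step if that is accepted.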
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 4acef8af..8af9d792 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -2,7 +2,8 @@ name: OWASP Maven Dependency Check on: schedule: - cron: '0 7 * * 0' - workflow_call: + workflow_dispatch: + jobs: check-dependencies: @@ -21,7 +22,7 @@ jobs: - name: Run org.owasp:dependency-check plugin id: plugin-run continue-on-error: true - run: mvn verfiy -Pdependency-check + run: mvn -B verify -Pdependency-check -DskipTests env: NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - name: Upload report on failure From c4ae543a705d3d620032900d641cec4b95a7d0ad Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Mon, 11 Dec 2023 12:16:56 +0100 Subject: [PATCH 06/28] run dependency check before release --- .github/workflows/build.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cebbc581..7006575f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -23,7 +23,7 @@ jobs: restore-keys: ${{ runner.os }}-sonar - name: Ensure to use tagged version if: startsWith(github.ref, 'refs/tags/') - run: mvn versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/} + run: mvn -B versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/} - name: Build and Test run: > mvn -B verify @@ -40,8 +40,11 @@ jobs: with: name: artifacts path: target/*.jar - - uses: ./github/workflows/dependency-check.yml - secrets: inherit + - name: Check dependencies for releases + if: startsWith(github.ref, 'refs/tags/') + run: mvn -B verify -Pdependency-check -DskipTests + env: + NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - name: Create release if: startsWith(github.ref, 'refs/tags/') uses: softprops/action-gh-release@v1 From 60b98e43a14a8b3d7e2bb835307cbef05c4ecf4b Mon Sep 17 00:00:00 2001 
From: Armin Schrenk Date: Mon, 11 Dec 2023 16:11:06 +0100 Subject: [PATCH 07/28] apply suggestions from code review Co-authored-by: Sebastian Stenzel --- .github/dependabot.yml | 2 +- .github/workflows/build.yml | 5 ----- .github/workflows/dependency-check.yml | 10 +++++++--- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9f706d7d..c2b928dc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,7 +6,7 @@ updates: interval: "weekly" day: "monday" time: "06:00" - timezone: "Etc/UTC" + timezone: "UTC" groups: java-test-dependencies: patterns: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7006575f..de05a67c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -40,11 +40,6 @@ jobs: with: name: artifacts path: target/*.jar - - name: Check dependencies for releases - if: startsWith(github.ref, 'refs/tags/') - run: mvn -B verify -Pdependency-check -DskipTests - env: - NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - name: Create release if: startsWith(github.ref, 'refs/tags/') uses: softprops/action-gh-release@v1 diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 8af9d792..db7b4ee0 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -2,6 +2,10 @@ name: OWASP Maven Dependency Check on: schedule: - cron: '0 7 * * 0' + push: + branches: + - 'release/**' + - 'hotfix/**' workflow_dispatch: 
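Review bot: Dropping the tagged-release check from build.yml leaves the release gate tied to branch naming: the check now runs only on pushes to `release/**` (plus schedule and dispatch), so a tag cut from any other branch, or pushed after the last release-branch run, is released without a scan. If releases are meant to be gated, either keep the `startsWith(github.ref, 'refs/tags/')` step in build.yml or add `tags: ['*']` under the `push:` trigger here. A comment above `push:` stating that `release/**` is the only gated path would make the intent explicit for the next reader.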
@@ -20,20 +24,20 @@ jobs: java-version: 17 cache: 'maven' - name: Run org.owasp:dependency-check plugin - id: plugin-run + id: dependency-check continue-on-error: true run: mvn -B verify -Pdependency-check -DskipTests env: NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - name: Upload report on failure - if: "${{ steps.plugin-run.outcome == 'failure'}}" + if: "${{ steps.dependency-check.outcome == 'failure'}}" uses: actions/upload-artifact@v3 with: name: dependency-check-report path: target/dependency-check-report.html if-no-files-found: error - name: Indicate failure, if necessary - if: "${{ steps.plugin-run.outcome == 'failure'}}" + if: "${{ steps.dependency-check.outcome == 'failure'}}" shell: bash run: | echo "Dependency check failed! See uploaded report for details." From 8e20b707f52e62dd33db206ed6bf827c9c06df15 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Mon, 11 Dec 2023 16:26:34 +0100 Subject: [PATCH 08/28] send slack notification instead of failing the workflow --- .github/workflows/dependency-check.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index db7b4ee0..a079ba99 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml 
@@ -36,9 +36,15 @@ jobs: name: dependency-check-report path: target/dependency-check-report.html if-no-files-found: error - - name: Indicate failure, if necessary - if: "${{ steps.dependency-check.outcome == 'failure'}}" - shell: bash - run: | - echo "Dependency check failed! See uploaded report for details." - exit 1; + - name: Slack Notification + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_USERNAME: 'Cryptobot' + SLACK_ICON: false + SLACK_ICON_EMOJI: ':bot:' + SLACK_CHANNEL: 'cryptomator-desktop' + SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected." + SLACK_MESSAGE: "Download the for more details." + SLACK_FOOTER: false + MSG_MINIMAL: true \ No newline at end of file From fa95799a061f3e290c832a5d33f3d3387c2ed1df Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Mon, 11 Dec 2023 22:30:02 +0100 Subject: [PATCH 09/28] fail workflow, if the event is push and only notify on regular schedule --- .github/workflows/dependency-check.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index a079ba99..fec82074 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -36,7 +36,8 @@ jobs: name: dependency-check-report path: target/dependency-check-report.html if-no-files-found: error - - name: Slack Notification + - name: Slack Notification on regular check + if: github.event_name == 'schedule' uses: rtCamp/action-slack-notify@v2 env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} 
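Review bot: `rtCamp/action-slack-notify@v2` receives the `SLACK_WEBHOOK_URL` secret while being referenced by a mutable major tag, so a compromised or force-pushed `v2` could exfiltrate the webhook; pin it to a full commit SHA, `uses: rtCamp/action-slack-notify@<sha> # v2`. The message gives the reader nothing to act on: `SLACK_MESSAGE: "Download the for more details."` is missing its object, and `MSG_MINIMAL: true` as far as I recall also suppresses the action's run link, so include the run URL explicitly, e.g. `SLACK_MESSAGE: "Download the report at ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} for details."`. The file also lost its trailing newline here.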
@@ -47,4 +48,8 @@ jobs: SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected." SLACK_MESSAGE: "Download the for more details." SLACK_FOOTER: false - MSG_MINIMAL: true \ No newline at end of file + MSG_MINIMAL: true + - name: Failing workflow on release/hotfix branch + if: github.event_name == 'push' + shell: bash + run: exit 1 \ No newline at end of file From 55bb22c6de8a49a69fb410a31aa92d8acddc7a5d Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Tue, 12 Dec 2023 09:51:14 +0100 Subject: [PATCH 10/28] only fail/notify if dependency check detects something --- .github/workflows/dependency-check.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index fec82074..5bb7bc18 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -37,7 +37,7 @@ jobs: path: target/dependency-check-report.html if-no-files-found: error - name: Slack Notification on regular check - if: github.event_name == 'schedule' + if: github.event_name == 'schedule' && steps.dependency-check.outcome == 'failure' uses: rtCamp/action-slack-notify@v2 env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} @@ -50,6 +50,6 @@ jobs: SLACK_FOOTER: false MSG_MINIMAL: true - name: Failing workflow on release/hotfix branch - if: github.event_name == 'push' + if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure' shell: bash run: exit 1 \ No newline at end of file From 27cfac139aa7dfdddc1b1ec7dfb9d09526660a4c Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Tue, 12 Dec 2023 09:54:48 +0100 Subject: [PATCH 11/28] remove hotfix branches from check --- .github/workflows/dependency-check.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 5bb7bc18..cc86895e 100644 --- a/.github/workflows/dependency-check.yml 
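Review bot: Manually dispatched runs still end green when the check fails: the notification is gated on `schedule` and the failing step on `push`, so `workflow_dispatch` matches neither and the only trace of a finding is the uploaded artifact. Make failure the default for every non-scheduled event, `if: github.event_name != 'schedule' && steps.dependency-check.outcome == 'failure'`, so a dispatch run is red like a release-branch run. A short comment above the two steps stating the rule ("schedule notifies, everything else fails") would keep the two conditions from drifting apart again.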
+++ b/.github/workflows/dependency-check.yml @@ -5,7 +5,6 @@ on: push: branches: - 'release/**' - - 'hotfix/**' workflow_dispatch: @@ -49,7 +48,7 @@ jobs: SLACK_MESSAGE: "Download the for more details." SLACK_FOOTER: false MSG_MINIMAL: true - - name: Failing workflow on release/hotfix branch + - name: Failing workflow on release branch if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure' shell: bash run: exit 1 \ No newline at end of file From d523d09817feef33e03e86c58a0c5a696481543b Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Tue, 12 Dec 2023 10:38:50 +0100 Subject: [PATCH 12/28] Remove unnecessary enclosing --- .github/workflows/dependency-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index cc86895e..f0bfd71b 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -29,7 +29,7 @@ jobs: env: NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - name: Upload report on failure - if: "${{ steps.dependency-check.outcome == 'failure'}}" + if: steps.dependency-check.outcome == 'failure' uses: actions/upload-artifact@v3 with: name: dependency-check-report From 7620a0798377356b416355c57789201ff41b1af9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Dec 2023 15:05:10 +0000 Subject: [PATCH 13/28] Bump the github-actions group with 1 update (#188) --- .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/publish-central.yml | 2 +- .github/workflows/publish-github.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index de05a67c..c4544e0a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -10,7 +10,7 @@ jobs: with: fetch-depth: 0 show-progress: false - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: java-version: 17 distribution: 'temurin' diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b90c55f8..c1d0c5c1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,7 +20,7 @@ jobs: with: fetch-depth: 2 show-progress: false - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: java-version: 17 distribution: 'temurin' diff --git a/.github/workflows/publish-central.yml b/.github/workflows/publish-central.yml index 3260070c..9eb1b363 100644 --- a/.github/workflows/publish-central.yml +++ b/.github/workflows/publish-central.yml @@ -14,7 +14,7 @@ jobs: with: ref: "refs/tags/${{ github.event.inputs.tag }}" show-progress: false - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: java-version: 17 distribution: 'temurin' diff --git a/.github/workflows/publish-github.yml b/.github/workflows/publish-github.yml index 37166beb..e0f8b793 100644 --- a/.github/workflows/publish-github.yml +++ b/.github/workflows/publish-github.yml @@ -10,7 +10,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: java-version: 17 distribution: 'temurin' From 88e41bd5e8c2c6b900807d491035939df845099f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Dec 2023 15:06:37 +0000 Subject: [PATCH 14/28] Bump the java-production-dependencies group with 2 updates (#190) --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index efc5e0b0..34becdbe 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ 2.1.2 4.4.0 - 2.48.1 + 2.49 32.1.3-jre 3.1.8 2.0.9 From 1d6349fd5d1b41131e9536a8a8383bb6f79934c2 Mon Sep 17 00:00:00 2001 
From: Armin Schrenk Date: Wed, 13 Dec 2023 16:32:14 +0100 Subject: [PATCH 15/28] use separate cache for dependency-cache data --- .github/workflows/dependency-check.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index f0bfd71b..f4c2f110 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -22,6 +22,15 @@ jobs: distribution: 'temurin' java-version: 17 cache: 'maven' + - name: Cache NVD DB + uses: actions/cache@v3 + with: + path: ~/.m2/repository/org/owasp/dependency-check-data/ + key: dependency-check-${{ github.run_id }} + restore-keys: | + dependency-check + env: + SEGMENT_DOWNLOAD_TIMEOUT_MINS: 5 - name: Run org.owasp:dependency-check plugin id: dependency-check continue-on-error: true From 9f50c170117b9a43b18849b7c6748f9c935aa8d0 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Wed, 13 Dec 2023 16:33:15 +0100 Subject: [PATCH 16/28] adjust dependency check plugin --- .github/workflows/dependency-check.yml | 2 +- pom.xml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index f4c2f110..fbfe28ac 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -34,7 +34,7 @@ jobs: - name: Run org.owasp:dependency-check plugin id: dependency-check continue-on-error: true - run: mvn -B verify -Pdependency-check -DskipTests + run: mvn -B validate -Pdependency-check env: NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - name: Upload report on failure diff --git a/pom.xml b/pom.xml index 34becdbe..3fe19252 100644 --- a/pom.xml +++ b/pom.xml @@ -247,6 +247,7 @@ dependency-check-maven ${dependency-check.version} + 24 0 true true @@ -258,6 +259,7 @@ check + validate From 36548a3da543301ef96b688018a4a266c5e44cdc Mon Sep 17 00:00:00 2001 
From: Armin Schrenk Date: Mon, 18 Dec 2023 10:50:40 +0100 Subject: [PATCH 17/28] Update dependency-check.yml to not run into 403 due to rate limit --- .github/workflows/dependency-check.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index fbfe28ac..18e5d3ba 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -1,7 +1,7 @@ name: OWASP Maven Dependency Check on: schedule: - - cron: '0 7 * * 0' + - cron: '0 10 * * 0' push: branches: - 'release/**' @@ -60,4 +60,4 @@ jobs: - name: Failing workflow on release branch if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure' shell: bash - run: exit 1 \ No newline at end of file + run: exit 1 From 7a64b4d29e1ab5c1170d5896de3780fa45785988 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Dec 2023 04:29:54 +0000 Subject: [PATCH 18/28] Bump the maven-build-plugins group with 4 updates (#196) --- pom.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index 3fe19252..46829155 100644 --- a/pom.xml +++ b/pom.xml @@ -32,7 +32,7 @@ 1.3.0 - 9.0.4 + 9.0.7 1.2.1 0.8.11 1.6.13 @@ -143,7 +143,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.11.0 + 3.12.1 true @@ -158,7 +158,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.2.2 + 3.2.3 me.fabriciorby @@ -197,7 +197,7 @@ maven-javadoc-plugin - 3.6.2 + 3.6.3 attach-javadocs From a6e69c9ea4da9f3785e988aad19a13825648a90c Mon Sep 17 00:00:00 2001 From: JaniruTEC <52893617+JaniruTEC@users.noreply.github.com> Date: Mon, 15 Jan 2024 16:41:29 +0100 Subject: [PATCH 19/28] Externalized dependency-check --- .github/workflows/dependency-check.yml | 59 ++++---------------------- 1 file changed, 8 insertions(+), 51 deletions(-) 
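Review bot: Moving the cron does not change how an NVD 403 is handled: any plugin failure flips `steps.dependency-check.outcome` to `failure`, and if the feed update fails before the report is written, `if-no-files-found: error` fails the upload step, the Slack step is then skipped (its `if:` has no status function, so `success()` is implied), and the scheduled run dies without any notification. Consider `if-no-files-found: warn` on the upload and `if: always() && github.event_name == 'schedule' && steps.dependency-check.outcome == 'failure'` on the notification, with the title distinguishing "feed/update error" from "vulnerabilities detected" via `hashFiles('target/dependency-check-report.html') != ''`. Whether a failed NVD update leaves a partial report behind is not visible from here.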
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 18e5d3ba..ab505a64 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml 
@@ -10,54 +10,11 @@ on: jobs: check-dependencies: - name: Check dependencies - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - show-progress: false - - name: Setup Java - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: 17 - cache: 'maven' - - name: Cache NVD DB - uses: actions/cache@v3 - with: - path: ~/.m2/repository/org/owasp/dependency-check-data/ - key: dependency-check-${{ github.run_id }} - restore-keys: | - dependency-check - env: - SEGMENT_DOWNLOAD_TIMEOUT_MINS: 5 - - name: Run org.owasp:dependency-check plugin - id: dependency-check - continue-on-error: true - run: mvn -B validate -Pdependency-check - env: - NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - - name: Upload report on failure - if: steps.dependency-check.outcome == 'failure' - uses: actions/upload-artifact@v3 - with: - name: dependency-check-report - path: target/dependency-check-report.html - if-no-files-found: error - - name: Slack Notification on regular check - if: github.event_name == 'schedule' && steps.dependency-check.outcome == 'failure' - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} - SLACK_USERNAME: 'Cryptobot' - SLACK_ICON: false - SLACK_ICON_EMOJI: ':bot:' - SLACK_CHANNEL: 'cryptomator-desktop' - SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected." - SLACK_MESSAGE: "Download the for more details." - SLACK_FOOTER: false - MSG_MINIMAL: true - - name: Failing workflow on release branch - if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure' - shell: bash - run: exit 1 + uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@main + with: + runner-os: 'ubuntu-latest' + java-distribution: 'temurin' + java-version: 17 + secrets: + nvd-api-key: ${{ secrets.NVD_API_KEY }} + slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} From dc0f07f4970559924b99e6bb0782b6a8871012ac Mon Sep 17 00:00:00 2001 
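Review bot: The calling job sets no `permissions:`, so the external reusable workflow from `skymatic/workflows` runs with this repository's default GITHUB_TOKEN permissions in addition to the two secrets handed to it; add `permissions:` with `contents: read` to `check-dependencies` so a change on the callee side cannot use the token for more than reading the checkout. Passing `nvd-api-key` and `slack-webhook-url` explicitly instead of `secrets: inherit` is the right choice. Whether the callee preserves the in-repo behaviour (fail on `release/**` pushes, notify on schedule, green otherwise) cannot be checked from this hunk; a one-line comment above `uses:` stating the expected contract and linking the callee's documentation would spare the next reader a trip to the other repository.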
From: JaniruTEC <52893617+JaniruTEC@users.noreply.github.com> Date: Tue, 16 Jan 2024 20:21:09 +0100 Subject: [PATCH 20/28] Changed version specifier for dependency-check --- .github/workflows/dependency-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index ab505a64..4e7e7d0f 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -10,7 +10,7 @@ on: jobs: check-dependencies: - uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@main + uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@v1 with: runner-os: 'ubuntu-latest' java-distribution: 'temurin' From c2651e293e3e2b7ca6648d44eb080fa978230d59 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 31 Jan 2024 15:28:18 +0000 Subject: [PATCH 21/28] Bump the github-actions group with 3 updates (#203) --- .github/workflows/build.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c4544e0a..88f8da8a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -16,7 +16,7 @@ jobs: distribution: 'temurin' cache: 'maven' - name: Cache SonarCloud packages - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar @@ -36,7 +36,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: artifacts path: target/*.jar diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c1d0c5c1..237bcac3 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
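Review bot: `@v1` is a moving tag owned by another organisation, so anyone who can push to `skymatic/workflows` can change what runs with `NVD_API_KEY` and `SLACK_WEBHOOK_URL` without any change in this repository; pin the callee to a full commit SHA, `uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@<sha> # v1`, and let the dependabot `github-actions` group bump it. The rest of the job is unchanged by this hunk.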
@@ -26,10 +26,10 @@ jobs: distribution: 'temurin' cache: 'maven' - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: java - name: Build run: mvn -B install -DskipTests - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 \ No newline at end of file + uses: github/codeql-action/analyze@v3 \ No newline at end of file From dae30acbea19c1ee46cb1a76e9f0afc1a4a80b71 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 31 Jan 2024 15:28:57 +0000 Subject: [PATCH 22/28] Bump the maven-build-plugins group with 2 updates (#204) --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 46829155..025c515d 100644 --- a/pom.xml +++ b/pom.xml @@ -32,7 +32,7 @@ 1.3.0 - 9.0.7 + 9.0.9 1.2.1 0.8.11 1.6.13 @@ -158,7 +158,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.2.3 + 3.2.5 me.fabriciorby From d16f84b2cd29dc6b21df8cd51cba0adc4126ad62 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Mon, 12 Feb 2024 11:57:22 +0100 Subject: [PATCH 23/28] fixes #205 --- .../java/org/cryptomator/cryptofs/ch/CleartextFileChannel.java | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main/java/org/cryptomator/cryptofs/ch/CleartextFileChannel.java b/src/main/java/org/cryptomator/cryptofs/ch/CleartextFileChannel.java index 97791365..2a99c233 100644 --- a/src/main/java/org/cryptomator/cryptofs/ch/CleartextFileChannel.java +++ b/src/main/java/org/cryptomator/cryptofs/ch/CleartextFileChannel.java @@ -322,6 +322,7 @@ long beginOfChunk(long cleartextPos) { protected void implCloseChannel() throws IOException { try { flush(); + ciphertextFileChannel.force(true); try { persistLastModified(); } catch (NoSuchFileException nsfe) { From 35f63e08532746f3ce3ebf322892f55916ac24a3 Mon Sep 17 00:00:00 2001 
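Review bot: `ciphertextFileChannel.force(true)` now runs on every close, including channels that were opened read-only, which presumably turns each close into a sync syscall although nothing was written; guarding it with the predicate `persistLastModified` already uses, `if (isWritable()) { ciphertextFileChannel.force(true); }`, keeps the durability gain for writers only. An IOException from `force` now propagates before `persistLastModified` runs; the `try` this sits in has its handlers outside the hunk, so whether that is the intended outcome is not visible here. The timestamps written by `persistLastModified` are applied after the sync and are therefore not themselves forced — if that is acceptable, a why-comment on the new line, `// sync ciphertext before touching timestamps (#205)`, would record the ordering decision.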
From: Armin Schrenk Date: Mon, 12 Feb 2024 11:57:46 +0100 Subject: [PATCH 24/28] add unit test --- .../cryptofs/ch/CleartextFileChannel.java | 4 +++- .../cryptofs/ch/CleartextFileChannelTest.java | 13 +++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/cryptomator/cryptofs/ch/CleartextFileChannel.java b/src/main/java/org/cryptomator/cryptofs/ch/CleartextFileChannel.java index 2a99c233..4723e80b 100644 --- a/src/main/java/org/cryptomator/cryptofs/ch/CleartextFileChannel.java +++ b/src/main/java/org/cryptomator/cryptofs/ch/CleartextFileChannel.java @@ -1,5 +1,6 @@ package org.cryptomator.cryptofs.ch; +import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Preconditions; import org.cryptomator.cryptofs.CryptoFileSystemStats; import org.cryptomator.cryptofs.EffectiveOpenOptions; @@ -245,7 +246,8 @@ private void flush() throws IOException { * * @throws IOException */ - private void persistLastModified() throws IOException { + @VisibleForTesting + void persistLastModified() throws IOException { FileTime lastModifiedTime = isWritable() ? FileTime.from(lastModified.get()) : null; FileTime lastAccessTime = FileTime.from(Instant.now()); var p = currentFilePath.get(); diff --git a/src/test/java/org/cryptomator/cryptofs/ch/CleartextFileChannelTest.java b/src/test/java/org/cryptomator/cryptofs/ch/CleartextFileChannelTest.java index 8b07565a..89213ddf 100644 --- a/src/test/java/org/cryptomator/cryptofs/ch/CleartextFileChannelTest.java +++ b/src/test/java/org/cryptomator/cryptofs/ch/CleartextFileChannelTest.java @@ -51,7 +51,9 @@ import static org.mockito.ArgumentMatchers.anyLong; import static org.mockito.Mockito.doNothing; import static org.mockito.Mockito.doThrow; +import static org.mockito.Mockito.inOrder; import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.spy; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; 
@@ -240,6 +242,17 @@ public void testCloseTriggersCloseListener() throws IOException { verify(closeListener).closed(inTest); } + @Test + @DisplayName("On close, first flush channel, then persist lastModified") + public void testCloseFlushBeforePersist() throws IOException { + var inSpy = spy(inTest); + inSpy.implCloseChannel(); + + var ordering = inOrder(inSpy, ciphertextFileChannel); + ordering.verify(ciphertextFileChannel).force(true); + ordering.verify(inSpy).persistLastModified(); + } + @Test public void testCloseUpdatesLastModifiedTimeIfWriteable() throws IOException { when(options.writable()).thenReturn(true); From 8f9b935c0eb9852e94e0439bfadf26f91d6071be Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Feb 2024 12:47:11 +0000 Subject: [PATCH 25/28] Bump the java-test-dependencies group with 1 update (#207) --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 025c515d..f10d7af9 100644 --- a/pom.xml +++ b/pom.xml @@ -26,7 +26,7 @@ 2.0.9 - 5.10.1 + 5.10.2 5.2.0 2.2 1.3.0 From 93d746d00b79155e7303286f898387967e7f0052 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Fri, 16 Feb 2024 14:40:15 +0100 Subject: [PATCH 26/28] fix timezone for dependabot activity --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c2b928dc..9f706d7d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,7 +6,7 @@ updates: interval: "weekly" day: "monday" time: "06:00" - timezone: "UTC" + timezone: "Etc/UTC" groups: java-test-dependencies: patterns: From 7142643e501deef514008e8f4c6bfe3475468b44 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Fri, 16 Feb 2024 14:57:51 +0100 Subject: [PATCH 27/28] bump org.slf4j:* from 2.0.9 to 2.0.12 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f10d7af9..10c0395e 100644 
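Review bot: The display name promises "first flush channel, then persist lastModified", but the `inOrder` chain only asserts `ciphertextFileChannel.force(true)` before `persistLastModified()`; `flush()` is private and is never verified, so the name overstates what the test pins. Either rename it, `@DisplayName("On close, force ciphertext channel before persisting lastModified")`, or arrange dirty state and add an observable effect of flush (a write on `ciphertextFileChannel`) to the ordering. A one-line comment explaining why `spy(inTest)` is used (to verify the now package-private `persistLastModified` on the same instance) would help readers unfamiliar with Mockito spies on already-constructed objects.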
--- a/pom.xml +++ b/pom.xml @@ -23,7 +23,7 @@ 2.49 32.1.3-jre 3.1.8 - 2.0.9 + 2.0.12 5.10.2 From b5ff5a1d27bdb9f056d915ead10da4e6cff56c45 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Fri, 16 Feb 2024 15:01:14 +0100 Subject: [PATCH 28/28] prepare 2.6.9 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 10c0395e..95107f48 100644 --- a/pom.xml +++ b/pom.xml @@ -2,7 +2,7 @@ 4.0.0 org.cryptomator cryptofs - 2.7.0-SNAPSHOT + 2.6.9 Cryptomator Crypto Filesystem This library provides the Java filesystem provider used by Cryptomator. https://github.com/cryptomator/cryptofs