Add OWASP scanning to CI

nhsuk · Jan 23, 2024 · c902b1e · c902b1e
1 parent 7a3fe10
commit c902b1e
Show file tree

Hide file tree

Showing 5 changed files with 260 additions and 210 deletions.
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -13,6 +13,26 @@ jobs:
     - name: Install dependencies
       run: npm install
 
+    - name: Depcheck
+      uses: dependency-check/Dependency-Check_Action@main
+      id: Depcheck
+      with:
+        project: 'nhsuk-frontend'
+        path: '.'
+        format: 'HTML'
+        out: 'reports'
+        args: >
+          --failOnCVSS 7 
+          --nodePackageSkipDevDependencies
+          --nodeAuditSkipDevDependencies
+          --suppression owasp-dependency-check-suppressions.xml
+
+    - name: Upload OWAPS results
+      uses: actions/upload-artifact@master
+      with:
+          name: Depcheck report
+          path: ${{github.workspace}}/reports
+
     - name: Sonar analysis
       uses: sonarsource/sonarcloud-github-action@master
       with:

diff --git a/.prettierignore b/.prettierignore
@@ -6,3 +6,4 @@ tests/backstop/*
 coverage/*
 package-lock.json
 package.json
+reports/*
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <!-- Ignored Vulnerabilities -->
+    <suppress>
+        <notes><![CDATA[file name: angular.min.js]]></notes>
+        <packageUrl regex="true">^pkg:javascript/angularjs@.*$</packageUrl>
+        <cve>CVE-2019-10768</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[file name: faye-websocket:0.10.0]]></notes>
+        <packageUrl regex="true">^pkg:npm/faye\-websocket@.*$</packageUrl>
+        <cve>CVE-2020-15133</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[file name: glob-parent:3.1.0]]></notes>
+        <packageUrl regex="true">^pkg:npm/glob\-parent@.*$</packageUrl>
+        <vulnerabilityName>GHSA-ww39-953v-wcq6</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[file name: glob-parent:3.1.0]]></notes>
+        <packageUrl regex="true">^pkg:npm/glob\-parent@.*$</packageUrl>
+        <vulnerabilityName>CVE-2020-28469</vulnerabilityName>
+    </suppress>
+</suppressions>