Add sbt-dependency-check

apache · Apr 15, 2023 · 2d9fa7f · 2d9fa7f
1 parent 3a8d86f
commit 2d9fa7f
Show file tree

Hide file tree

Showing 5 changed files with 805 additions and 0 deletions.
diff --git a/build.sbt b/build.sbt
@@ -7,6 +7,9 @@ scalaVersion := Dependencies.allScalaVersions.head
 ThisBuild / apacheSonatypeProjectProfile := "pekko"
 sourceDistName := "incubating-pekko"
 
+dependencyCheckOutputDirectory := Some(baseDirectory.value / "dependency-check")
+dependencyCheckSuppressionFile := Some(baseDirectory.value / "dependency-check" / "suppression.xml")
+
 enablePlugins(
   UnidocRoot,
   UnidocWithPrValidation,

diff --git a/dependency-check/dependency-check-report.html b/dependency-check/dependency-check-report.html
diff --git a/dependency-check/suppression.xml b/dependency-check/suppression.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+</suppressions>
diff --git a/docs/src/main/paradox/security/index.md b/docs/src/main/paradox/security/index.md
@@ -17,6 +17,16 @@ Please follow the [guidelines](https://www.apache.org/security/) laid down by th
 Ideally, any issues affecting Apache Pekko and Akka should be reported to Apache team first. We will share the
 report with the Lightbend Akka team.
 
+## Dependency check scanner
+
+This project uses [sbt-dependency-check](https://github.com/albuch/sbt-dependency-check) in order to scan the
+projects dependencies against [OWASP](https://owasp.org/) in order to see if there are any security issues. The
+report can be generated by running `dependencyCheckAggregate` in the sbt shell. This will generate a
+[report](github:dependency-check/dependency-check-report.html).
+
+If you want to suppress the checking of some dependencies then there is a [supression](github:dependency-check/suppression.xml)
+file. The format of this file is documented [here](https://jeremylong.github.io/DependencyCheck/general/suppression.html).
+
 ## Security Related Documentation
 
  * [Akka security fixes]($pekko.doc.dns$/docs/pekko/current/security/index.html)

diff --git a/project/plugins.sbt b/project/plugins.sbt
@@ -22,6 +22,7 @@ addSbtPlugin("com.lightbend.sbt" % "sbt-publish-rsync" % "0.2")
 addSbtPlugin("com.github.pjfanning" % "sbt-source-dist" % "0.1.5")
 addSbtPlugin("org.mdedetrich" % "sbt-apache-sonatype" % "0.1.6")
 addSbtPlugin("com.github.reibitto" % "sbt-welcome" % "0.2.2")
+addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "5.1.0")
 
 // allow access to snapshots for pekko-sbt-paradox
 resolvers += "Apache Nexus Snapshots".at("https://repository.apache.org/content/repositories/snapshots/")