cve-scanning.yml

name: CVE Scanning

on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - 'pom.xml'
      - 'CVE-suppressions.xml'
      - '.github/workflows/cve-scanning.yml'
  pull_request:
    paths:
      - 'pom.xml'
      - 'CVE-suppressions.xml'
      - '.github/workflows/cve-scanning.yml'

# Cancel previous jobs
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  depcheck:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: ./.github/actions/maven-build
      with:
        run-tests: false
    - name: CVE scanning
      uses: dependency-check/Dependency-Check_Action@1.1.0
      env:
        JAVA_HOME: /opt/jdk
      with:
        project: ${{github.repository}}
        path: '.'
        format: 'HTML'
        out: 'reports'
        args: >
          --suppression CVE-suppressions.xml
          --failOnCVSS 7
    - name: Upload results
      uses: actions/upload-artifact@v4
      with:
        name: CVE Scan Report
        path: ${{github.workspace}}/reports