diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 505ccc1..0204850 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -3,14 +3,31 @@ updates: - package-ecosystem: "maven" directory: "/" schedule: - interval: "weekly" - day: "monday" - time: "06:00" - timezone: "UTC" + interval: "monthly" groups: - maven-dependencies: + java-test-dependencies: + patterns: + - "org.junit.jupiter:*" + - "org.mockito:*" + - "org.hamcrest:*" + maven-build-plugins: + patterns: + - "org.apache.maven.plugins:*" + - "org.jacoco:jacoco-maven-plugin" + - "org.owasp:dependency-check-maven" + - "org.sonatype.plugins:nexus-staging-maven-plugin" + java-production-dependencies: patterns: - "*" + exclude-patterns: + - "org.apache.maven.plugins:*" + - "org.jacoco:jacoco-maven-plugin" + - "org.owasp:dependency-check-maven" + - "org.sonatype.plugins:nexus-staging-maven-plugin" + - "org.junit.jupiter:*" + - "org.mockito:*" + - "org.hamcrest:*" + - package-ecosystem: "github-actions" directory: "/" # even for `.github/workflows` diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1b156fa..2aeed78 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,21 +5,20 @@ jobs: build: name: Build and Test runs-on: ubuntu-latest - if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')" steps: - uses: actions/checkout@v4 - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: - java-version: 11 + java-version: 21 distribution: 'temurin' cache: 'maven' - name: Ensure to use tagged version if: startsWith(github.ref, 'refs/tags/') - run: mvn versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/} + run: mvn -B versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/} - name: Build and Test id: buildAndTest - run: mvn -B clean install jacoco:report -Pcoverage,dependency-check - - uses: actions/upload-artifact@v3 + run: mvn -B clean install jacoco:report -Pcoverage + - uses: actions/upload-artifact@v4 with: name: artifacts path: target/*.jar diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml new file mode 100644 index 0000000..e0b77ac --- /dev/null +++ b/.github/workflows/dependency-check.yml @@ -0,0 +1,63 @@ +name: OWASP Maven Dependency Check +on: + schedule: + - cron: '0 15 * * 0' + push: + branches: + - 'release/**' + workflow_dispatch: + + +jobs: + check-dependencies: + name: Check dependencies + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + show-progress: false + - name: Setup Java + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: 11 + cache: 'maven' + - name: Cache NVD DB + uses: actions/cache@v4 + with: + path: ~/.m2/repository/org/owasp/dependency-check-data/ + key: dependency-check-${{ github.run_id }} + restore-keys: | + dependency-check + env: + SEGMENT_DOWNLOAD_TIMEOUT_MINS: 5 + - name: Run org.owasp:dependency-check plugin + id: dependency-check + continue-on-error: true + run: mvn -B validate -Pdependency-check + env: + NVD_API_KEY: ${{ secrets.NVD_API_KEY }} + - name: Upload report on failure + if: steps.dependency-check.outcome == 'failure' + uses: actions/upload-artifact@v4 + with: + name: dependency-check-report + path: target/dependency-check-report.html + if-no-files-found: error + - name: Slack Notification on regular check + if: github.event_name == 'schedule' && steps.dependency-check.outcome == 'failure' + uses: rtCamp/action-slack-notify@v2 + env: + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_USERNAME: 'Cryptobot' + SLACK_ICON: false + SLACK_ICON_EMOJI: ':bot:' + SLACK_CHANNEL: 'cryptomator-desktop' + SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected." + SLACK_MESSAGE: "Download the for more details." + SLACK_FOOTER: false + MSG_MINIMAL: true + - name: Failing workflow on release branch + if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure' + shell: bash + run: exit 1 diff --git a/.github/workflows/publish-central.yml b/.github/workflows/publish-central.yml index 22333fe..afabe60 100644 --- a/.github/workflows/publish-central.yml +++ b/.github/workflows/publish-central.yml @@ -13,9 +13,9 @@ jobs: - uses: actions/checkout@v4 with: ref: "refs/tags/${{ github.event.inputs.tag }}" - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: - java-version: 11 + java-version: 21 distribution: 'temurin' cache: 'maven' server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml diff --git a/.github/workflows/publish-github.yml b/.github/workflows/publish-github.yml index c6e4bad..be60dec 100644 --- a/.github/workflows/publish-github.yml +++ b/.github/workflows/publish-github.yml @@ -8,9 +8,9 @@ jobs: if: startsWith(github.ref, 'refs/tags/') # only allow publishing tagged versions steps: - uses: actions/checkout@v4 - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: - java-version: 11 + java-version: 21 distribution: 'temurin' cache: 'maven' gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import diff --git a/pom.xml b/pom.xml index 7cca0ac..07fd6bf 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ 4.0.0 org.cryptomator webdav-nio-adapter-servlet - 1.2.4 + 1.2.5 WebDAV-NIO Adapter Servlet Servlet serving NIO directory contents as WebDAV resources. https://github.com/cryptomator/webdav-nio-adapter-servlet @@ -19,14 +19,17 @@ 4.0.1 - 2.21.19 - 32.1.2-jre - 2.0.9 + 2.21.22 + 33.0.0-jre + 2.0.11 - 5.10.0 - 5.5.0 + 5.10.1 + 5.10.0 2.2 + + + 9.0.9 @@ -120,7 +123,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.11.0 + 3.12.1 11 true @@ -128,7 +131,7 @@ maven-surefire-plugin - 3.1.2 + 3.2.5 org.apache.maven.plugins @@ -156,7 +159,7 @@ maven-javadoc-plugin - 3.6.0 + 3.6.3 attach-javadocs @@ -177,16 +180,20 @@ org.owasp dependency-check-maven - 8.4.0 + ${dependency-check.version} - 24 + 24 6 + true + true + ${env.NVD_API_KEY} check + validate @@ -201,7 +208,7 @@ org.jacoco jacoco-maven-plugin - 0.8.10 + 0.8.11 prepare-agent