Add OWASP dependency checks to build

jt-nti · mbwhite · commit 4a130091b4c6 · 2019-12-12T11:25:54.000Z
Signed-off-by: James Taylor &lt;jamest@uk.ibm.com&gt;
diff --git a/ci/azure-pipelines.yml b/ci/azure-pipelines.yml
@@ -66,6 +66,25 @@ stages:
               publishJUnitResults: true
               testResultsFiles: "$(System.DefaultWorkingDirectory)/**/TEST-*.xml"
               tasks: "build"
+          - task: PublishTestResults@2
+            inputs:
+              testResultsFormat: 'JUnit'
+              testResultsFiles: 'fabric-chaincode-shim/build/reports/dependency-check-junit.xml'
+              mergeTestResults: true
+              failTaskOnFailedTests: false
+              testRunTitle: OWASP Dependency Check
+            displayName: 'Publish OWASP Dependency Check JUnit results'
+          - task: CopyFiles@2
+            inputs:
+              contents: |
+                fabric-chaincode-shim/build/reports/dependency-check-*.*
+              targetFolder: $(Build.ArtifactStagingDirectory)/dependency-check
+            displayName: 'Collect OWASP Dependency Check results'
+          - task: PublishBuildArtifacts@1
+            inputs:
+              pathToPublish: $(Build.ArtifactStagingDirectory)/dependency-check
+              artifactName: 'Dependency Check Report'
+            displayName: 'Publish full OWASP Dependency Check result'
           - task: PublishCodeCoverageResults@1
             inputs:
               summaryFileLocation: "$(System.DefaultWorkingDirectory)/**/fabric-chaincode-shim/build/reports/jacoco/test/jacocoTestReport.xml"
diff --git a/fabric-chaincode-protos/build.gradle b/fabric-chaincode-protos/build.gradle
@@ -45,11 +45,11 @@ buildscript {
 }
 
 dependencies {
-    compile 'com.google.protobuf:protobuf-java:3.9.1'
-    compile 'com.google.protobuf:protobuf-java-util:3.9.1'
-    compile 'io.grpc:grpc-netty:1.23.0'
-    compile 'io.grpc:grpc-protobuf:1.23.0'
-    compile 'io.grpc:grpc-stub:1.23.0'
+    compile 'com.google.protobuf:protobuf-java:3.11.1'
+    compile 'com.google.protobuf:protobuf-java-util:3.11.1'
+    compile 'io.grpc:grpc-netty:1.25.0'
+    compile 'io.grpc:grpc-protobuf:1.25.0'
+    compile 'io.grpc:grpc-stub:1.25.0'
     // Required if using Java 11+ as no longer bundled in the core libraries
     compile 'javax.annotation:javax.annotation-api:1.3.2'
 }
diff --git a/fabric-chaincode-shim/build.gradle b/fabric-chaincode-shim/build.gradle
@@ -3,6 +3,14 @@
  *
  * SPDX-License-Identifier: Apache-2.0
  */
+ buildscript {
+    repositories {
+        mavenCentral()
+    }
+    dependencies {
+        classpath 'org.owasp:dependency-check-gradle:5.2.1'
+    }
+}
 
 plugins {
     id 'maven-publish'
@@ -11,11 +19,14 @@ plugins {
     id 'signing'
 }
 
+apply plugin: 'org.owasp.dependencycheck'
+
+check.dependsOn dependencyCheckAnalyze
+
 tasks.withType(org.gradle.api.tasks.testing.Test) {
     systemProperty 'CORE_CHAINCODE_LOGGING_LEVEL', 'DEBUG'
 }
 
-
 dependencies {
     compile project(':fabric-chaincode-protos')
     compile 'org.bouncycastle:bcpkix-jdk15on:1.62'
@@ -27,13 +38,15 @@ dependencies {
     testCompile group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
 }
 
+dependencyCheck {
+    format='ALL'
+}
+
 sourceSets {
     main {
         java {
             srcDirs 'src/main/java'
         }
-
-
     }
 
     test {
