Upgrade TCL and constraint bouncy castle due to the transitive depend…

…ency from k8s-java Upgrade other vulnerable libs that showed up during a srcclr scan. Add ability to run srcclr via gradle locally.
DataBiosphere · May 21, 2024 · f208432 · f208432
1 parent e16d3c6
commit f208432
Show file tree

Hide file tree

Showing 4 changed files with 120 additions and 83 deletions.
diff --git a/README.md b/README.md
@@ -206,3 +206,36 @@ that mention "dependency lock state" after changing a dep, you need to do this s
 
 ### Jacoco
 We use [Jacoco](https://www.eclemma.org/jacoco/) as code coverage library
+
+## SourceClear
+
+[SourceClear](https://srcclr.github.io) is a static analysis tool that scans a project's Java
+dependencies for known vulnerabilities. If you are working on addressing dependency vulnerabilities
+in response to a SourceClear finding, you may want to run a scan off of a feature branch and/or local code.
+
+### Github Action
+
+You can trigger RBS's SCA scan on demand via its
+[Github Action](https://github.com/broadinstitute/dsp-appsec-sourceclear-github-actions/actions/workflows/z-manual-terra-resource-buffer.yml),
+and optionally specify a Github ref (branch, tag, or SHA) to check out from the repo to scan.  By default,
+the scan is run off of RBS's `master` branch.
+
+High-level results are outputted in the Github Actions run.
+
+### Running Locally
+
+You will need to get the API token from Vault before running the Gradle `srcclr` task.
+
+```sh
+export SRCCLR_API_TOKEN=$(vault read -field=api_token secret/secops/ci/srcclr/gradle-agent)
+./gradlew srcclr
+```
+
+High-level results are outputted to the terminal.
+
+### Veracode
+
+Full results including dependency graphs are uploaded to
+[Veracode](https://sca.analysiscenter.veracode.com/workspaces/jppForw/projects/544768/issues)
+(if running off of a feature branch, navigate to Project Details > Selected Branch > Change to select your feature branch).
+You can request a Veracode account to view full results from #dsp-infosec-champions.
diff --git a/build.gradle b/build.gradle
@@ -18,6 +18,7 @@ plugins {
     id 'org.hidetake.swagger.generator' version '2.19.2'
     id 'org.sonarqube' version '4.0.0.2929'
     id 'org.springframework.boot' version "${springBootVersion}"
+    id 'com.srcclr.gradle' version '3.1.12'
 }
 
 sourceCompatibility = JavaVersion.VERSION_17
@@ -59,7 +60,7 @@ repositories {
 
 dependencies {
     // Terra deps - we get Stairway via TCL
-    implementation group: 'bio.terra', name: 'terra-common-lib', version: '1.1.6-SNAPSHOT'
+    implementation group: 'bio.terra', name: 'terra-common-lib', version: '1.1.11-SNAPSHOT'
     implementation group: 'bio.terra', name: 'terra-cloud-resource-lib', version: '1.2.30-SNAPSHOT'
     implementation group: 'bio.terra', name: 'terra-resource-janitor-client', version: '0.113.31-SNAPSHOT'
 
@@ -95,6 +96,7 @@ dependencies {
     implementation group: 'org.apache.commons', name: 'commons-pool2', version: '2.11.1'
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-data-jdbc', version: "${springBootVersion}"
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web', version: "${springBootVersion}"
+    implementation group: 'org.springframework.retry', name: 'spring-retry', version: '2.0.6'
 
     // Swagger deps
     implementation group: 'com.fasterxml.jackson.dataformat', name: 'jackson-dataformat-yaml', version: '2.13.3'
@@ -143,6 +145,7 @@ apply from: "$gradleIncDir/spotbugs.gradle"
 apply from: "$gradleIncDir/spotless.gradle"
 apply from: "$gradleIncDir/swagger-server.gradle"
 apply from: "$gradleIncDir/testing.gradle"
+apply from: "$gradleIncDir/srcclr.gradle"
 
 sourceSets.main.java.srcDir "${swaggerOutputDir}/src/main/java"
 sourceSets.test.resources.srcDir 'config/' // Allow unit tests to directly load config files.