Skip to content

chore: validate OWASP job with NVD_API_KEY#6

Merged
ahincho merged 4 commits into
mainfrom
chore/validate-owasp-key
Jul 13, 2026
Merged

chore: validate OWASP job with NVD_API_KEY#6
ahincho merged 4 commits into
mainfrom
chore/validate-owasp-key

Conversation

@ahincho

@ahincho ahincho commented Jul 13, 2026

Copy link
Copy Markdown
Owner

PR de prueba para validar que el job OWASP corre correctamente con NVD_API_KEY configurado en los 12 repos.

ahincho and others added 4 commits July 12, 2026 20:09
- data.directory now points at the shared, build-tool-agnostic path
  (~/.dependency-check-data) that reusable-owasp-check.yml caches and
  restores the centralized nova-devops NVD mirror into. The plugin's
  implicit default was never verified/documented; previous cache sizes
  (15-57MB) strongly suggest it did not match what was being cached.
- Disabled analyzers for ecosystems that plainly do not exist in this
  repo (assembly/nuspec/nugetconf/msbuild/.NET, golang, swift, cocoapods,
  composer/PHP, cpan/Perl, cmake/autoconf, bundleAudit/rubygems, python,
  dart, retirejs) - zero detection-feature cost since none of these file
  types are present. Node/nodeAudit analyzers are NOT disabled (package.json
  is real - commitlint/lefthook devDependencies).
- Verified property names against the actually-installed 12.2.2 Gradle
  plugin jar (javap on AnalyzerExtension.class) rather than assumed from
  docs - e.g. carthageAnalyzerEnabled does not exist in this version.

See docs/java/06-semantic-versioning-en-java.md for the investigation
into why OWASP scans were taking 30-50+ min.
The previous run (29219748882) started BEFORE the nova-devops NVD mirror
release was published (run started 02:33 UTC, mirror published 03:49 UTC),
so it fell back to a direct NVD sync. This empty commit forces a fresh
run that should hit the mirror.
End-to-end validation in run 29222920036 found 4 real vulnerabilities
in deps that ended up in the compile/runtime classpath:

- CVE-2026-54428 (7.5) and CVE-2026-54399 (7.5) - DoS in httpcore/httpcore5
- CVE-2025-67030 (8.8) - RCE in plexus-utils (Directory Traversal)
- CVE-2025-48734 (8.8) - RCE in commons-beanutils (Access Control)

Two layers of fix:

1. scanConfigurations = [compileClasspath, runtimeClasspath]
   Restricts OWASP analysis to what actually propagates to consumers of
   this library. mask-utils has no runtime deps declared, so the
   test/buildscript plugin classpaths were being scanned, surfacing CVEs
   in deps that never reach a downstream project consuming this artifact.

2. resolutionStrategy.eachDependency constraints
   Patches the listed deps to their CVE-free minimum versions:
   - httpcore 4.4.14 -> 4.4.16 (CVE-2026-54428, CVE-2026-54399)
   - httpcore5 5.1.3 -> 5.4.2 (CVE-2026-54428, CVE-2026-54399)
   - commons-beanutils 1.10.1 -> 1.11.0 (CVE-2025-48734)
   - plexus-utils 3.3.0 -> 3.5.1 (CVE-2025-67030)

Verified locally: 'gradlew dependencyCheckAnalyze' reports 0 vulnerabilities.
@ahincho ahincho merged commit 15e6fe6 into main Jul 13, 2026
7 checks passed
@ahincho ahincho deleted the chore/validate-owasp-key branch July 13, 2026 14:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant