Upgrade commons-text to 1.10.0 to remediate CVE-2022-42889 (Text4Shell)
#17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and SBOM Scan | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| permissions: | |
| contents: write # required for Dependency Graph Submission API | |
| security-events: write # required for CodeQL / SARIF uploads | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up JDK 11 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '11' | |
| distribution: 'temurin' | |
| cache: 'maven' | |
| - name: Build WAR with Maven | |
| run: mvn --batch-mode package -DskipTests | |
| - name: Upload WAR artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: demo-java-war | |
| path: webapp/target/demo-java-war.war | |
| # --------------------------------------------------------------- | |
| # Install Syft manually so we control the exact scan invocation. | |
| # anchore/sbom-action@v0 passes a dir: scheme internally which | |
| # causes Syft 1.x to fail with exit code 1 on a .war file path. | |
| # Running syft scan directly avoids this. | |
| # --------------------------------------------------------------- | |
| - name: Install Syft | |
| run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | |
| - name: Scan WAR — print dependency table | |
| run: syft scan webapp/target/demo-java-war.war -o table | |
| - name: Scan WAR — generate CycloneDX SBOM | |
| run: syft scan webapp/target/demo-java-war.war -o cyclonedx-json=sbom.cdx.json | |
| - name: Scan WAR — generate SPDX SBOM | |
| run: syft scan webapp/target/demo-java-war.war -o spdx-json=sbom.spdx.json | |
| - name: Upload CycloneDX SBOM artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom-cyclonedx-json | |
| path: sbom.cdx.json | |
| - name: Upload SPDX SBOM artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom-spdx-json | |
| path: sbom.spdx.json | |
| # --------------------------------------------------------------- | |
| # Submit SBOM to GitHub Dependency Graph API. | |
| # anchore/sbom-action is used here ONLY for the submission step, | |
| # pointed at the target directory (not the .war file directly) | |
| # to avoid the dir: scheme mismatch that caused the earlier failure. | |
| # The root pom.xml is a bare aggregator and webapp/pom.xml uses | |
| # property placeholders, so all dependency data flows from here. | |
| # --------------------------------------------------------------- | |
| - name: Submit SBOM to GitHub Dependency Graph | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| path: webapp/target/ | |
| format: spdx-json | |
| artifact-name: sbom-dependency-graph.spdx.json | |
| upload-artifact: false | |
| dependency-snapshot: true |