Skip to content

Upgrade commons-text to 1.10.0 to remediate CVE-2022-42889 (Text4Shell) #18

Upgrade commons-text to 1.10.0 to remediate CVE-2022-42889 (Text4Shell)

Upgrade commons-text to 1.10.0 to remediate CVE-2022-42889 (Text4Shell) #18

name: Build and SBOM Scan
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
permissions:
contents: write # required for Dependency Graph Submission API
security-events: write # required for CodeQL / SARIF uploads
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK 11
uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
cache: 'maven'
- name: Build WAR with Maven
run: mvn --batch-mode package -DskipTests
- name: Upload WAR artifact
uses: actions/upload-artifact@v4
with:
name: demo-java-war
path: webapp/target/demo-java-war.war
# ---------------------------------------------------------------
# Install Syft manually so we control the exact scan invocation.
# anchore/sbom-action@v0 passes a dir: scheme internally which
# causes Syft 1.x to fail with exit code 1 on a .war file path.
# Running syft scan directly avoids this.
# ---------------------------------------------------------------
- name: Install Syft
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
- name: Scan WAR — print dependency table
run: syft scan webapp/target/demo-java-war.war -o table
- name: Scan WAR — generate CycloneDX SBOM
run: syft scan webapp/target/demo-java-war.war -o cyclonedx-json=sbom.cdx.json
- name: Scan WAR — generate SPDX SBOM
run: syft scan webapp/target/demo-java-war.war -o spdx-json=sbom.spdx.json
- name: Upload CycloneDX SBOM artifact
uses: actions/upload-artifact@v4
with:
name: sbom-cyclonedx-json
path: sbom.cdx.json
- name: Upload SPDX SBOM artifact
uses: actions/upload-artifact@v4
with:
name: sbom-spdx-json
path: sbom.spdx.json
# ---------------------------------------------------------------
# Submit SBOM to GitHub Dependency Graph API.
# anchore/sbom-action is used here ONLY for the submission step,
# pointed at the target directory (not the .war file directly)
# to avoid the dir: scheme mismatch that caused the earlier failure.
# The root pom.xml is a bare aggregator and webapp/pom.xml uses
# property placeholders, so all dependency data flows from here.
# ---------------------------------------------------------------
- name: Submit SBOM to GitHub Dependency Graph
uses: anchore/sbom-action@v0
with:
path: webapp/target/
format: spdx-json
artifact-name: sbom-dependency-graph.spdx.json
upload-artifact: false
dependency-snapshot: true