From cf173f6eb94d666437e1df8c7ad14337c8e773cb Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 11 Dec 2023 23:04:51 +0100
Subject: [PATCH] update dependecy-check to 9.0.4 and refactor it to own
 workflow

---
 .github/workflows/build.yml            |  4 +-
 .github/workflows/dependency-check.yml | 54 ++++++++++++++++++++++++++
 pom.xml                                |  8 ++--
 3 files changed, 59 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/dependency-check.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 555d6b7..cc122cc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,10 +15,10 @@ jobs:
           cache: 'maven'
       - name: Ensure to use tagged version
         if: startsWith(github.ref, 'refs/tags/')
-        run: mvn versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
+        run: mvn -B versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
       - name: Build and Test
         id: buildAndTest
-        run: mvn -B clean install jacoco:report -Pcoverage,dependency-check
+        run: mvn -B clean install jacoco:report -Pcoverage
       - name: Upload code coverage report
         id: codacyCoverageReporter
         run: bash <(curl -Ls https://coverage.codacy.com/get.sh)
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
new file mode 100644
index 0000000..45d69ba
--- /dev/null
+++ b/.github/workflows/dependency-check.yml
@@ -0,0 +1,54 @@
+name: OWASP Maven Dependency Check
+on:
+  schedule:
+    - cron: '0 7 * * 0'
+  push:
+    branches:
+      - 'release/**'
+  workflow_dispatch:
+
+
+jobs:
+  check-dependencies:
+    name: Check dependencies
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          show-progress: false
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'zulu'
+          java-version: 21
+          cache: 'maven'
+      - name: Run org.owasp:dependency-check plugin
+        id: dependency-check
+        continue-on-error: true
+        run: mvn -B verify -Pdependency-check -DskipTests
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+      - name: Upload report on failure
+        if: steps.dependency-check.outcome == 'failure'
+        uses: actions/upload-artifact@v3
+        with:
+          name: dependency-check-report
+          path: target/dependency-check-report.html
+          if-no-files-found: error
+      - name: Slack Notification on regular check
+        if: github.event_name == 'schedule' && steps.dependency-check.outcome == 'failure'
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: false
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected."
+          SLACK_MESSAGE: "Download the <https://github.com/${{ github.repository }}/actions/run/${{ github.run_id }}|report> for more details."
+          SLACK_FOOTER: false
+          MSG_MINIMAL: true
+      - name: Failing workflow on release branch
+        if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure'
+        shell: bash
+        run: exit 1
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 4c41e4c..632cc8e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,7 +31,7 @@
         <cryptofs.version>2.6.7</cryptofs.version>
 
         <!-- build dependencies -->
-        <dependency-check.version>8.4.2</dependency-check.version>
+        <dependency-check.version>9.0.4</dependency-check.version>
         <maven.deploy.version>3.1.1</maven.deploy.version>
         <jacoco.version>0.8.11</jacoco.version>
     </properties>
@@ -236,13 +236,11 @@
                         <artifactId>dependency-check-maven</artifactId>
                         <version>${dependency-check.version}</version>
                         <configuration>
-                            <cveValidForHours>24</cveValidForHours>
                             <failBuildOnCVSS>0</failBuildOnCVSS>
                             <skipTestScope>true</skipTestScope>
                             <detail>true</detail>
-                            <suppressionFiles>
-                                <suppressionFile>suppression.xml</suppressionFile>
-                            </suppressionFiles>
+                            <suppressionFile>suppression.xml</suppressionFile>
+                            <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
                         </configuration>
                         <executions>
                             <execution>