From 9ca79af8c4353cd83d0d41f7caf68111a30ecb2a Mon Sep 17 00:00:00 2001
From: Jonathan Putney
Date: Wed, 20 May 2026 12:28:57 -0400
Subject: [PATCH] ci(depcheck): narrow scan to runtime closure, drop plugin-transitive noise
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Dependency-Check_Action wrapper with `path: '.'` was scanning the whole workspace post-`mvn install`, which includes target/local-repo materialized by maven-invoker-plugin for integration tests. That tree contains build-time Maven plugin transitives (plexus-utils 4.0.2, aircompressor 0.27) that never ship to consumers but trip the failOnCVSS=7 gate.

Empirical check: every relevant plugin's latest version still pins the same vulnerable transitives, so upgrading plugins doesn't resolve the finding — it's a scope problem, not a version problem.

Switch to `dependency:copy-dependencies -DincludeScope=runtime` per module to materialize only the runtime closure into target/depcheck-deps, then `--scan` exactly those two directories. The magika-java library JAR itself is reached transitively via magika-java-tika's depcheck-deps, so no version-pinned paths are needed.
---
 .github/workflows/dependency-check.yml | 37 ++++++++++++++++++++------
 1 file changed, 29 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
index dce1e58..a622f05 100644
--- a/.github/workflows/dependency-check.yml
+++ b/.github/workflows/dependency-check.yml
@@ -34,31 +34,52 @@ jobs: key: m2-${{ hashFiles('**/pom.xml') }} restore-keys: m2- - # Populate ~/.m2 + module target/ so the dependency-check CLI can - # walk the resolved dependency graph from on-disk JARs. - - name: Resolve dependency graph + # Two-step setup so the scan only sees the consumer-facing surface: + # 1. `install` populates each module's target/ with its built JAR. + # 2. `dependency:copy-dependencies` (runtime scope) materializes the + # transitive runtime deps into target/depcheck-deps per module — + # e.g. jackson, slf4j, onnxruntime, tika-core. Build-time stuff + # (Maven plugin transitives like plexus-utils, aircompressor) + # stays out of this directory by construction. + - name: Resolve runtime dependencies run: | mvn -B -ntp -DskipTests \ -Dspotless.check.skip=true \ -Dlicense.skip=true \ install + mvn -B -ntp -DskipTests \ + -Dspotless.check.skip=true \ + -Dlicense.skip=true \ + dependency:copy-dependencies \ + -DincludeScope=runtime \ + -DoutputDirectory=target/depcheck-deps # Action wrapper runs in a Docker image that ships with a pre-warmed # NVD dataset, so cold runs only fetch the daily delta — no multi-hour - # cold-cache download like the Maven plugin path. OssIndex and the - # JS-ecosystem analyzers are disabled: OssIndex requires a Sonatype - # auth token since Sep 2025, and the JS analyzers have nothing to scan - # in a Java-only repo. + # cold-cache download like the Maven plugin path. + # + # Scan scope is the runtime closure (target/depcheck-deps), NOT the + # entire workspace: `path: '.'` previously picked up Maven plugin + # transitives that the invoker-plugin materializes under target/local-repo + # for integration tests. Those are build-time only and never ship to + # consumers, so their CVEs are noise in this gate. We do still scan + # each module's built JAR for completeness — the lib's own coordinates + # would never match a CPE today, but it's a free check. 
+ # + # OssIndex and the JS-ecosystem analyzers stay disabled: OssIndex + # requires a Sonatype auth token since Sep 2025; the JS analyzers + # have nothing to scan in a Java-only repo. - name: Run OWASP Dependency-Check uses: dependency-check/Dependency-Check_Action@main env: JAVA_HOME: /opt/jdk with: project: 'magika-java' - path: '.' + path: 'magika-java/target/depcheck-deps' format: 'HTML' out: 'target' args: > + --scan magika-java-tika/target/depcheck-deps --format SARIF --failOnCVSS 7 --nvdApiKey ${{ secrets.NVD_API_KEY }}
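Review bot: the comment added in this hunk says "We do still scan each module's built JAR for completeness", but the scan inputs that follow are only `path: 'magika-java/target/depcheck-deps'` and `--scan magika-java-tika/target/depcheck-deps`; neither directory holds the module's own built JAR, so magika-java-tika's JAR is never scanned, and magika-java's JAR is covered only because it is copied into the tika module's depcheck-deps as a runtime dependency. Either add the two modules' built JARs under target/ as further `--scan` entries or drop that sentence so the comment matches what the gate actually covers. Since the second `mvn` invocation runs `dependency:copy-dependencies` with no lifecycle phase, it is also worth confirming in the job log that the magika-java artifact landing in `magika-java-tika/target/depcheck-deps` is the JAR installed by the first invocation rather than a reactor placeholder. Separately, `uses: dependency-check/Dependency-Check_Action@main` (unchanged context) tracks a moving branch; a security gate should pin the action to a commit SHA so the scanner it runs cannot change underneath the workflow.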