Vulnerability scanning

.github/workflows/vulnerability-scan.yml

@@ -0,0 +1,85 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Vulnerability Scan"
+on:
+  push:
+    branches:
+      - '7.0.x'
+      - '7.1.x'
+      - '8.0.x'
+  schedule:
+    # Run every Monday at 03:00 UTC
+    - cron: '0 3 * * 1'
+  workflow_dispatch:
+# Do not scan concurrently; OSS Index has per-account rate limits
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+jobs:
+  scan-grails-core:
+    name: "OSS Index Scan - grails-core"
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: "📥 Checkout repository"
+        uses: actions/checkout@v6
+      - name: "☕️ Setup JDK"
+        uses: actions/setup-java@v4
+        with:
+          distribution: liberica
+          java-version: 17
+      - name: "🐘 Setup Gradle"
+        uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+        with:
+          develocity-access-key: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+      - name: "🔍 Run OSS Index Vulnerability Scan"
+        env:
+          SONATYPE_GUIDE_USERNAME: ${{ secrets.SONATYPE_GUIDE_USERNAME }}
+          SONATYPE_GUIDE_TOKEN: ${{ secrets.SONATYPE_GUIDE_TOKEN }}
+        continue-on-error: true
+        id: scan
+        run: ./gradlew ossIndexAudit --continue --info 2>&1 | tee /tmp/ossindex-scan.log; exit ${PIPESTATUS[0]}
+      - name: "📋 Publish Vulnerability Summary"
+        if: always()
+        run: |
+          echo "## 🔍 OSS Index Vulnerability Scan — grails-core" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ steps.scan.outcome }}" = "success" ]; then
+            echo "✅ No vulnerabilities found." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "❌ Vulnerabilities detected." >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            awk '
+              BEGIN { in_section=0; in_vuln=0 }
+              { gsub(/\033\[[0-9;]*m/, "") }
+              /^##\[ossIndexAudit:begin\]/ { in_section=1; next }
+              /^##\[ossIndexAudit:end\]/ { in_section=0; in_vuln=0; next }
+              !in_section { next }
+              /^\[[0-9]+\/[0-9]+\] - pkg:maven\// {
+                sub(/^\[[0-9]+\/[0-9]+\] - /, "")
+                if (!seen_coord[$0]++) { print ""; print }
+                next
+              }
+              /^   Vulnerability Title:/ { in_vuln=1; block=$0 "\n"; cve_id=""; next }
+              in_vuln && /^   CVE:/ { match($0,/CVE-[0-9-]+/); if (RSTART) cve_id=substr($0,RSTART,RLENGTH); block=block $0 "\n"; next }
+              in_vuln && /^   Reference:/ { block=block $0 "\n"; if (cve_id && !seen_cve[cve_id]++) printf "%s",block; in_vuln=0; next }
+              in_vuln { block=block $0 "\n" }
+            ' /tmp/ossindex-scan.log >> $GITHUB_STEP_SUMMARY \
+              || echo "(no scan output captured — check the full log)" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+          fi

build-logic/plugins/build.gradle

@@ -38,6 +38,7 @@ dependencies {
     implementation "${gradleBomDependencies['grails-publish-plugin']}"
     implementation "org.gradle.crypto.checksum:org.gradle.crypto.checksum.gradle.plugin:${gradleProperties.gradleChecksumPluginVersion}"
     implementation "org.cyclonedx.bom:org.cyclonedx.bom.gradle.plugin:${gradleProperties.gradleCycloneDxPluginVersion}"
+    implementation "org.sonatype.gradle.plugins:scan-gradle-plugin:${gradleProperties.sonatypeScanPluginVersion}"
 }
 
 gradlePlugin {
@@ -78,5 +79,9 @@ gradlePlugin {
             id = 'org.apache.grails.buildsrc.dependency-validator'
             implementationClass = 'org.apache.grails.buildsrc.GrailsDependencyValidatorPlugin'
         }
+        register('vulnerabilityScanPlugin') {
+            id = 'org.apache.grails.buildsrc.vulnerability-scan'
+            implementationClass = 'org.apache.grails.buildsrc.VulnerabilityScanPlugin'
+        }
     }
 }

build-logic/plugins/src/main/groovy/org/apache/grails/buildsrc/VulnerabilityScanPlugin.groovy

@@ -0,0 +1,75 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+
+package org.apache.grails.buildsrc
+
+import groovy.transform.CompileStatic
+
+import org.gradle.api.GradleException
+import org.gradle.api.Plugin
+import org.gradle.api.Project
+import org.sonatype.gradle.plugins.scan.ossindex.OssIndexPluginExtension
+
+/**
+ * Convention plugin that configures Sonatype OSS Index / Guide vulnerability scanning.
+ *
+ * <p>Credentials are supplied via environment variables:
+ * <ul>
+ *   <li>{@code SONATYPE_GUIDE_USERNAME} - Guide account email / user token username</li>
+ *   <li>{@code SONATYPE_GUIDE_TOKEN} - Guide Personal Access Token (PAT)</li>
+ * </ul>
+ * The {@code ossIndexAudit} task is skipped silently when credentials are absent.</p>
+ */
+@CompileStatic
+class VulnerabilityScanPlugin implements Plugin<Project> {
+
+    static final String TASK_NAME = 'ossIndexAudit'
+
+    @Override
+    void apply(Project project) {
+        project.pluginManager.apply('org.sonatype.gradle.plugins.scan')
+
+        OssIndexPluginExtension extension = project.extensions.getByType(OssIndexPluginExtension)
+        extension.username = System.getenv('SONATYPE_GUIDE_USERNAME') ?: ''
+        extension.password = System.getenv('SONATYPE_GUIDE_TOKEN') ?: ''
+        extension.excludeCoordinates = [
+            'org.hibernate:hibernate-core:5.6.11.Final',
+            // CVE-2018-14335: Sonatype flags this against all H2 versions; no upstream fix exists.
+            'com.h2database:h2:2.4.240',
+            // CVE-2026-22747: spring-security-web 6.5.10 is the latest available release; no fix exists yet upstream.
+            // Remove this exclusion once Spring Security releases a patched version and spring-boot.version is bumped.
+            'org.springframework.security:spring-security-web:6.5.10',
+        ] as Set
+
+        project.tasks.named(TASK_NAME) { task ->
+            task.group = 'verification'
+            task.description = "Scans ${project.name} runtime dependencies for known vulnerabilities via Sonatype Guide"
+            task.doFirst {
+                if (!System.getenv('SONATYPE_GUIDE_TOKEN')) {
+                    throw new GradleException('SONATYPE_GUIDE_TOKEN environment variable is not set. ' +
+                        'A Sonatype Guide Personal Access Token is required to run the vulnerability scan.')
+                }
+                println "##[ossIndexAudit:begin] ${project.path}"
+            }
+            task.doLast {
+                println "##[ossIndexAudit:end] ${project.path}"
+            }
+        }
+    }
+}