Skip to content

Commit 12ba177

Browse files
chore(build): drop dependency-check binding from verify (RAN-24 review)
Per reviewer feedback on #72: the OWASP dependency-check binding added in 15b5e6c red-lines every CI run because the public NVD 2.0 API rate-limits anonymous callers (HTTP 429), which corrupts the partial H2 NVD store and trips NPEs in the plugin's worker pool. Root cause is infra, not a real CVE finding, but the failing binding still breaks the build - the opposite of "CI enforces them." Path B (reviewer's recommendation): keep the SpotBugs binding (already green on this branch), drop the dep-check binding + skip property from this PR, and track the NVD secret + cache work in a follow-up. Removes from pom.xml: - `<dependency-check.skip>` property and comment - `<configuration>` + `<executions>` blocks on dependency-check-maven (the plugin declaration itself stays for the follow-up to re-enable) Updates .github/workflows/ci-java.yml comment to reference only the SpotBugs gate. Keeps dependency-check-suppressions.xml so the next PR can turn the gate on without re-introducing the stub. Verified locally (`mvn -B clean compile spotbugs:check ...`): [INFO] --- spotbugs-maven-plugin:4.9.8.3:check (default-cli) @ code-iq --- [INFO] BugInstance size is 0 [INFO] BUILD SUCCESS Full `mvn clean verify` on this branch pre-edits produced `Tests run: 3395, Failures: 0, Errors: 0, Skipped: 31` before the dep-check step failed (per CI run 24913046002); removing that step is the only CI delta this commit introduces. Co-Authored-By: Paperclip <noreply@paperclip.ing>
1 parent 15b5e6c commit 12ba177

2 files changed

Lines changed: 2 additions & 24 deletions

File tree

.github/workflows/ci-java.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,8 +19,8 @@ jobs:
1919
java-version: '25'
2020
cache: 'maven'
2121
# `verify` is the enforced quality gate: it runs unit + integration tests
22-
# AND the spotbugs:check + dependency-check:check executions bound in pom.xml.
23-
# Any of those failing breaks the build.
22+
# AND the spotbugs:check execution bound in pom.xml. Any of those
23+
# failing breaks the build.
2424
- run: mvn clean verify -B
2525
- uses: actions/upload-artifact@v4
2626
if: always()

pom.xml

Lines changed: 0 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -30,14 +30,6 @@
3030
<owasp.dependency-check.version>12.2.0</owasp.dependency-check.version>
3131
<checkstyle-plugin.version>3.6.0</checkstyle-plugin.version>
3232

33-
<!--
34-
Toggle for the OWASP dependency-check execution bound to `verify`.
35-
Default: false (gate runs in CI). Override locally with
36-
`-Ddependency-check.skip=true` since the first run downloads the
37-
NVD database (~1GB).
38-
-->
39-
<dependency-check.skip>false</dependency-check.skip>
40-
4133
<!--
4234
Security override: Spring Boot 4.0.5 pulls tomcat-embed-core 11.0.20
4335
and jackson (tools.jackson.core) 3.1.0; both have CVEs fixed in the
@@ -423,20 +415,6 @@
423415
<groupId>org.owasp</groupId>
424416
<artifactId>dependency-check-maven</artifactId>
425417
<version>${owasp.dependency-check.version}</version>
426-
<configuration>
427-
<skip>${dependency-check.skip}</skip>
428-
<failBuildOnCVSS>7</failBuildOnCVSS>
429-
<suppressionFiles>
430-
<suppressionFile>dependency-check-suppressions.xml</suppressionFile>
431-
</suppressionFiles>
432-
</configuration>
433-
<executions>
434-
<execution>
435-
<id>dependency-check-verify</id>
436-
<phase>verify</phase>
437-
<goals><goal>check</goal></goals>
438-
</execution>
439-
</executions>
440418
</plugin>
441419

442420
<plugin>

0 commit comments

Comments
 (0)