[pull] master from owasp-dep-scan:master #39

Workflow file for this run

.github/workflows/repotests.yml at 7fbcaf5

	name: Repo tests

	on:
	pull_request:
	workflow_dispatch:

	concurrency:
	group: "${{ github.workflow }}-${{ github.head_ref \|\| github.run_id }}"
	cancel-in-progress: true

	jobs:
	os-repo-tests:
	strategy:
	fail-fast: true
	matrix:
	os: ['ubuntu-24.04', 'ubuntu-24.04-arm', 'macos-26', 'windows-latest']
	python-version: ['3.10', '3.11', '3.12', '3.13']
	runs-on: ${{ matrix.os }}
	steps:
	- uses: actions/checkout@v4
	- uses: actions/checkout@v4
	with:
	repository: 'hoolicorp/java-sec-code'
	path: 'repotests/java-sec-code'
	- uses: actions/checkout@v4
	with:
	repository: 'wix/greyhound'
	path: 'repotests/greyhound'
	ref: '385bb84a6f712ee18064a3b5ecb8d9dcbc1c75f3'
	- uses: actions/checkout@v4
	with:
	repository: 'HooliCorp/vulnerable-aws-koa-app'
	path: 'repotests/vulnerable-aws-koa-app'
	- uses: actions/checkout@v4
	with:
	repository: 'microsoft/dotnet-podcasts'
	path: 'repotests/dotnet-podcasts'
	- uses: actions/setup-go@v5
	with:
	go-version: '1.23'
	- name: Set up JDK
	uses: actions/setup-java@v4
	with:
	distribution: 'temurin'
	java-version: '21'
	- name: Use Node.js
	uses: actions/setup-node@v4
	with:
	node-version: '23.x'
	- uses: sbt/setup-sbt@v1
	- name: Setup Android SDK
	uses: android-actions/setup-android@v3
	with:
	packages: 'platform-tools'
	- uses: ruby/setup-ruby@v1
	with:
	ruby-version: '3.4.4'
	- name: Install uv
	uses: astral-sh/setup-uv@v5
	with:
	python-version: ${{ matrix.python-version }}
	- uses: actions/setup-dotnet@v4
	with:
	dotnet-version: '8.x'
	- name: Trim CI agent
	run: \|
	chmod +x contrib/free_disk_space.sh
	./contrib/free_disk_space.sh
	if: ${{ matrix.os != 'windows-latest' }}
	- name: Install depscan
	run: \|
	uv sync --all-extras --all-packages --dev
	uv pip install -U "huggingface_hub[cli]"
	npm install -g @cyclonedx/cdxgen
	- name: repotests java-sec-code
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/java-sec-code ${GITHUB_WORKSPACE}/depscan_reports/java-sec-code1 ${GITHUB_WORKSPACE}/depscan_reports/java-sec-code2
	uv run depscan --src ${GITHUB_WORKSPACE}/repotests/java-sec-code --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/java-sec-code -t java --bom-engine CdxgenGenerator
	uv run depscan --src ${GITHUB_WORKSPACE}/repotests/java-sec-code --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/java-sec-code1 --profile research -t java --bom-engine CdxgenGenerator --reachability-analyzer FrameworkReachability --explain
	uv run depscan --src ${GITHUB_WORKSPACE}/repotests/java-sec-code --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/java-sec-code2 --profile research -t java --bom-engine CdxgenGenerator --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	env:
	BLINTDB_HOME: ${{ runner.temp }}/blintdb-home
	- name: repotests dotnet-podcasts
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/dotnet-podcasts ${GITHUB_WORKSPACE}/depscan_reports/dotnet-podcasts1 ${GITHUB_WORKSPACE}/depscan_reports/dotnet-podcasts2
	dotnet build ${GITHUB_WORKSPACE}/repotests/dotnet-podcasts/NetPodcast.Services.sln
	dotnet build ${GITHUB_WORKSPACE}/repotests/dotnet-podcasts/NetPodcast.sln
	dotnet build ${GITHUB_WORKSPACE}/repotests/dotnet-podcasts/Podcast.Web.sln
	uv run depscan --src ${GITHUB_WORKSPACE}/repotests/dotnet-podcasts --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/dotnet-podcasts -t dotnet --bom-engine CdxgenGenerator
	uv run depscan --src ${GITHUB_WORKSPACE}/repotests/dotnet-podcasts --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/dotnet-podcasts1 --profile research -t dotnet --bom-engine CdxgenGenerator --reachability-analyzer FrameworkReachability --explain
	uv run depscan --src ${GITHUB_WORKSPACE}/repotests/dotnet-podcasts --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/dotnet-podcasts2 --profile research -t dotnet --bom-engine CdxgenGenerator --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	env:
	BLINTDB_HOME: ${{ runner.temp }}/blintdb-home
	- name: repotests vulnerable-aws-koa-app
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/vulnerable-aws-koa-app
	uv run depscan --src ${GITHUB_WORKSPACE}/repotests/vulnerable-aws-koa-app --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/vulnerable-aws-koa-app -t js --bom-engine CdxgenGenerator
	uv run depscan --src ${GITHUB_WORKSPACE}/repotests/vulnerable-aws-koa-app --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/vulnerable-aws-koa-app -t js --bom-engine CdxgenGenerator --reachability-analyzer FrameworkReachability --explain
	uv run depscan --src ${GITHUB_WORKSPACE}/repotests/vulnerable-aws-koa-app --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/vulnerable-aws-koa-app -t js --bom-engine CdxgenGenerator --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	env:
	BLINTDB_HOME: ${{ runner.temp }}/blintdb-home
	- name: repotests Signal-Android
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/Signal-Android
	uv run hf download AppThreat/ukaina --include "java/Signal-Android/.json" --exclude "java/Signal-Android/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/Signal-Android
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/Signal-Android --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/Signal-Android --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/Signal-Android --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests dependency-track
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/dependency-track
	uv run hf download AppThreat/ukaina --include "java/dependency-track/.json" --exclude "java/dependency-track/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/dependency-track
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/dependency-track --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/dependency-track --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/dependency-track --reachability-analyzer SemanticReachability --explain
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/dependency-track --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/dependency-track --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/dependency-track --reachability-analyzer SemanticReachability --explain --explanation-mode NonReachables
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests kafka-4.0.0-src
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/kafka-4.0.0-src
	uv run hf download AppThreat/ukaina --include "java/kafka-4.0.0-src/.json" --exclude "java/kafka-4.0.0-src/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/kafka-4.0.0-src
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/kafka-4.0.0-src --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/kafka-4.0.0-src --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/kafka-4.0.0-src --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests cdxgen
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/cdxgen
	uv run hf download AppThreat/ukaina --include "js/cdxgen/.json" --exclude "js/cdxgen/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/cdxgen
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/cdxgen --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/cdxgen --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/cdxgen --reachability-analyzer SemanticReachability --explain
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/cdxgen --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/cdxgen --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/cdxgen --reachability-analyzer SemanticReachability --explain --explanation-mode NonReachables
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests Signal-Desktop
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/Signal-Desktop
	uv run hf download AppThreat/ukaina --include "js/Signal-Desktop/.json" --exclude "js/Signal-Desktop/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/Signal-Desktop
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/Signal-Desktop --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/Signal-Desktop --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/Signal-Desktop --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests forgejo
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/forgejo
	uv run hf download AppThreat/ukaina --include "js/forgejo/.json" --exclude "js/forgejo/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/forgejo
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/forgejo --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/forgejo --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/forgejo --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests biome
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/biome
	uv run hf download AppThreat/ukaina --include "rust/biome/.json" --exclude "rust/biome/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/biome
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/biome --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/biome --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/biome --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests rustdesk
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/rustdesk
	uv run hf download AppThreat/ukaina --include "rust/rustdesk/.json" --exclude "rust/rustdesk/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/rustdesk
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/rustdesk --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/rustdesk --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/rustdesk --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests rustpad
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/rustpad
	uv run hf download AppThreat/ukaina --include "rust/rustpad/.json" --exclude "rust/rustpad/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/rustpad
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/rustpad --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/rustpad --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/rustpad --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests django-DefectDojo
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/django-DefectDojo
	uv run hf download AppThreat/ukaina --include "python/django-DefectDojo/.json" --exclude "python/django-DefectDojo/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/django-DefectDojo
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/django-DefectDojo --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/django-DefectDojo --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/django-DefectDojo --reachability-analyzer SemanticReachability --explain
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/django-DefectDojo --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/django-DefectDojo --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/django-DefectDojo --reachability-analyzer SemanticReachability --explain --explanation-mode Endpoints
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/django-DefectDojo --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/django-DefectDojo --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/django-DefectDojo --reachability-analyzer SemanticReachability --explain --explanation-mode NonReachables
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests depscan
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/depscan
	uv run hf download AppThreat/ukaina --include "python/depscan/.json" --exclude "python/depscan/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/depscan
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/depscan --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/depscan --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/depscan --reachability-analyzer SemanticReachability --explain
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/depscan --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/depscan --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/depscan --reachability-analyzer SemanticReachability --explain --explanation-mode Endpoints
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests phpmyadmin
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/phpmyadmin
	uv run hf download AppThreat/ukaina --include "php/phpmyadmin/.json" --exclude "php/phpmyadmin/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/phpmyadmin
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/phpmyadmin --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/phpmyadmin --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/phpmyadmin --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests openssl-3.5.0
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/openssl-3.5.0
	uv run hf download AppThreat/ukaina --include "c/openssl-3.5.0/.json" --exclude "c/openssl-3.5.0/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/openssl-3.5.0
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/openssl-3.5.0 --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/openssl-3.5.0 --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/openssl-3.5.0 --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests open5gs-2.7.5
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/open5gs-2.7.5
	uv run hf download AppThreat/ukaina --include "c/open5gs-2.7.5/.json" --exclude "c/open5gs-2.7.5/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/open5gs-2.7.5
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/open5gs-2.7.5 --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/open5gs-2.7.5 --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/open5gs-2.7.5 --reachability-analyzer SemanticReachability --explain
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: repotests curl-8.13.0
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/curl-8.13.0
	uv run hf download AppThreat/ukaina --include "c/curl-8.13.0/.json" --exclude "c/curl-8.13.0/.vdr.json" --repo-type dataset --local-dir ${GITHUB_WORKSPACE}/depscan_reports/curl-8.13.0
	uv run depscan --src ${GITHUB_WORKSPACE}/depscan_reports/curl-8.13.0 --bom-dir ${GITHUB_WORKSPACE}/depscan_reports/curl-8.13.0 --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/curl-8.13.0 --reachability-analyzer SemanticReachability --explain --explanation-mode NonReachables
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	- name: Set up JDK
	uses: actions/setup-java@v4
	with:
	distribution: 'temurin'
	java-version: '11'
	- name: repotests greyhound
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/greyhound
	uv run depscan --src ${GITHUB_WORKSPACE}/repotests/greyhound --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/greyhound -t java --bom-engine CdxgenGenerator
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	env:
	BLINTDB_HOME: ${{ runner.temp }}/blintdb-home

	os-semantics-tests:
	strategy:
	fail-fast: true
	matrix:
	python-version: ['3.13']
	runs-on: ['self-hosted', 'ubuntu', 'amd64']
	steps:
	- uses: actions/checkout@v4
	- name: Install uv
	uses: astral-sh/setup-uv@v5
	with:
	python-version: ${{ matrix.python-version }}
	- name: Install depscan
	run: \|
	uv sync --all-extras --all-packages
	sudo npm install -g @cyclonedx/cdxgen @appthreat/atom --omit=optional
	- name: semantic analysis self
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/depscan
	uv run depscan --src ${GITHUB_WORKSPACE} --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/depscan -t python --bom-engine CdxgenGenerator --reachability-analyzer SemanticReachability --explain
	ls -lh ${GITHUB_WORKSPACE}/depscan_reports/depscan
	rm -rf ${GITHUB_WORKSPACE}/depscan_reports
	shell: bash
	env:
	DEPSCAN_SOURCE_IMAGE: ghcr.io/owasp-dep-scan/dep-scan:master
	CDXGEN_TIMEOUT_MS: 3600000
	- uses: actions/checkout@v4
	with:
	repository: 'aboutcode-org/dejacode'
	path: 'repotests/dejacode'
	- name: semantic analysis dejacode
	run: \|
	mkdir -p ${GITHUB_WORKSPACE}/depscan_reports ${GITHUB_WORKSPACE}/repotests/dejacode/reports
	cd ${GITHUB_WORKSPACE}/repotests/dejacode
	docker build -t dejacode:latest -f Dockerfile .
	uv pip install --find-links=thirdparty/dist/ --no-index --no-cache-dir .
	cd ${GITHUB_WORKSPACE}
	uv run depscan --src ${GITHUB_WORKSPACE}/repotests/dejacode --reports-dir ${GITHUB_WORKSPACE}/repotests/dejacode/reports -t python --bom-engine CdxgenGenerator --reachability-analyzer SemanticReachability --explain
	cp -rf ${GITHUB_WORKSPACE}/repotests/dejacode/reports ${GITHUB_WORKSPACE}/depscan_reports/dejacode
	uv run depscan --src ${GITHUB_WORKSPACE}/repotests/dejacode --bom-dir ${GITHUB_WORKSPACE}/repotests/dejacode/reports --reports-dir ${GITHUB_WORKSPACE}/repotests/dejacode/reports --reachability-analyzer SemanticReachability --explain --explanation-mode NonReachables
	cp -rf ${GITHUB_WORKSPACE}/repotests/dejacode/reports ${GITHUB_WORKSPACE}/depscan_reports/dejacode2
	ls -lh ${GITHUB_WORKSPACE}/repotests/dejacode/reports
	shell: bash
	env:
	DEPSCAN_SOURCE_IMAGE: dejacode:latest
	CDXGEN_TIMEOUT_MS: 3600000
	- uses: actions/upload-artifact@v4
	with:
	name: dejacode_reports
	path: depscan_reports/dejacode
	- uses: actions/upload-artifact@v4
	with:
	name: dejacode_non_reachables
	path: depscan_reports/dejacode2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[pull] master from owasp-dep-scan:master #39

Workflow file

[pull] master from owasp-dep-scan:master #39

Uh oh!

Jobs

Run details

Workflow file for this run