Add Build Backend Module CI and OWASP dependency check #522
dkayiwa merged 4 commits into openmrs:master from
Conversation
wikumChamith commented Feb 16, 2026
- Add OWASP dependency check workflow and integrate it into the CI pipeline
- Fix ChromeHeadless sandbox issue in GitHub Actions by switching to a custom ChromeHeadlessNoSandbox launcher
- Disable Node Audit Analyzer due to incompatible npm-shrinkwrap.json
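The custom launcher named in the second bullet, written out as an added example of the Karma configuration pattern; this is illustration code, not the module's own karma.conf.js. It assumes the test runner is Karma with karma-chrome-launcher (whose `customLaunchers`, `base` and `flags` keys it uses), that the CI job exports `CI=true` as GitHub Actions does, and a `jasmine` framework, which is a placeholder. The security-relevant part is that `--no-sandbox` removes Chrome's process sandbox, so the example only selects the no-sandbox launcher when `CI` is set and keeps the sandboxed launcher for developer machines.

```javascript
// Added example (not the module's own karma.conf.js): choose the Chrome
// launcher from the environment so the sandbox is dropped only on the CI runner.
// Assumptions: CI=true is set by the build (GitHub Actions does this) and the
// test runner is Karma with karma-chrome-launcher.

// Chrome's sandbox needs a setuid helper or unprivileged user namespaces; in the
// GitHub Actions container running as root neither is available, so plain
// ChromeHeadless fails to start. The sandbox is a security boundary for untrusted
// page content, so it is disabled only for the throwaway CI process.
function chooseLauncher(env) {
  return env.CI ? 'ChromeHeadlessNoSandbox' : 'ChromeHeadless';
}

// Build the Karma settings object for a given environment map.
function buildKarmaSettings(env) {
  const browser = chooseLauncher(env);
  return {
    frameworks: ['jasmine'], // placeholder; use whatever the module's tests need
    browsers: [browser],
    customLaunchers: {
      ChromeHeadlessNoSandbox: {
        base: 'ChromeHeadless',
        flags: [
          '--no-sandbox',            // the one flag the CI fix actually requires
          '--disable-dev-shm-usage', // containers often mount a tiny /dev/shm
        ],
      },
    },
    singleRun: true,
  };
}

// Karma entry point: Karma calls this with its config object and reads the
// settings back after config.set().
function karmaConfig(config) {
  config.set(buildKarmaSettings(process.env));
}

if (typeof module !== 'undefined') {
  module.exports = karmaConfig;
}
```

Locally, `npx karma start` with this file still launches the sandboxed `ChromeHeadless`; only a shell with `CI` set gets the `--no-sandbox` launcher, which keeps the weakened configuration out of interactive use.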
| @@ -0,0 +1,86 @@ | |||
| name: OWASP Dependency Check | |||
| on: | |||
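Review bot: this standalone workflow file lacks a header comment saying why it exists alongside the shared build workflow; since the thread below already asks whether it will be duplicated into every module and the reply says it is to be simplified once the openmrs/openmrs-contrib-gha-workflows PR merges, put that in a comment at the top of the file, above `name: OWASP Dependency Check`, so the file is not copied into other modules as a permanent pattern. Only the `name:` and `on:` keys of the 86-line file are visible here, so the trigger set and how the NVD API key reaches the check cannot be reviewed from this hunk.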
Are we going to duplicate this in every module?
Nope. We can simplify this after the PR in the openmrs/openmrs-contrib-gha-workflows gets merged.
```yaml
name: Build with Maven

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

jobs:
  build:
    uses: openmrs/openmrs-contrib-gha-workflows/.github/workflows/build-backend-module.yml@main
    with:
      java_versions: '[8, 11, 17, 21]'
      main_java_version: '8'
    secrets:
      NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
```
@dkayiwa My goal here was to have a smaller blast radius to look at the effects this will have. My concern is that there will be vulnerable dependencies marked in this module, but which are included as part of openmrs-core and not directly as part of this module. This is a useful testbed because coreapps literally has no dependencies that it bundles itself, so everything is transitive and should be excluded.
@wikumChamith However, can we inline this so that the build can be done on the PR? That way we don't need to merge this in to get a result.
f23bffe to 55637f2
Also, we could just disable the OWASP check in I’ll leave it to you two to decide which approach makes more sense 🙂

Oh... I don't really love that as That said, I think the approach in the PR makes the most sense.

@ibacher Could this be because NodeAuditAnalyzer doesn’t support lockfileVersion: 1? I updated it to version 2, but npm-shrinkwrap.json contains very old packages, and the upgrade is running into multiple errors. This feels like it would be a significant dependency update effort on its own.

Oh, yes, it definitely will be, but there's not a lot of value in a dependency check that skips something just because it's flagging a lot of things.

Since the report is still being generated successfully, can we ignore this error for now?

This is simply because we told it to generate the report even if it failed with errors.

Alright... I'm satisfied. The report is just flagging the massively out of date Javascript files, so I guess that's ok.
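The plugin settings the thread is negotiating (Node Audit Analyzer switched off, the report still produced when an analyzer errors out) written as a dependency-check-maven `<configuration>`; this is an added illustration, not the module's pom.xml and not the shared workflow's settings. Parameter names are the ones documented for dependency-check-maven 9. The `dependency-check.version` property, the `NVD_API_KEY` secret being exported to Maven as an environment variable, and openmrs-core artifacts being `provided`-scoped (which is what lets `skipProvidedScope` drop the transitive findings ibacher is worried about) are assumptions.

```xml
<!-- Added example, not the project's pom.xml. Property and env names are assumed. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>${dependency-check.version}</version>
  <configuration>
    <!-- Authenticated NVD access; the reusable workflow passes NVD_API_KEY as a secret -->
    <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>

    <!-- What the PR does: skip the analyzer that chokes on npm-shrinkwrap.json,
         and keep producing the report even if another analyzer fails -->
    <nodeAuditAnalyzerEnabled>false</nodeAuditAnalyzerEnabled>
    <failOnError>false</failOnError>

    <!-- Assumes openmrs-core dependencies are declared provided-scope, so findings
         that belong to core are excluded from this module's report -->
    <skipProvidedScope>true</skipProvidedScope>
    <skipTestScope>true</skipTestScope>

    <!-- failOnError=false only covers analyzer crashes; real findings still gate
         the build through the CVSS threshold (7 = High and above) -->
    <failBuildOnCVSS>7</failBuildOnCVSS>

    <formats>
      <format>HTML</format>
      <format>JSON</format>
    </formats>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

Running `mvn org.owasp:dependency-check-maven:check` with this block gives the behaviour described in the thread: a report is written even when the skipped or failing analyzer would otherwise abort the run, while findings at or above the threshold still fail the build. The `nodeAuditAnalyzerEnabled` flag should be flipped back on once npm-shrinkwrap.json is regenerated, since with it off the JavaScript files the report flags are only being matched by file name, not audited against npm advisories.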