Runs OWASP Dependency Check using the CocoaPods Analyser and creates Jira tickets for any CVEs found.
Uses the Reload Security Issue library, which requires the following environment variables:
- `JIRA_TOKEN`: A reference to the repo secret `JiraApiToken` (REQUIRED)
- `JIRA_HOST`: The endpoint for your Jira instance, e.g. https://foo.atlassian.net (REQUIRED)
- `JIRA_USER`: The ID of the Jira user which is associated with the `JiraApiToken` secret, e.g. `someuser@reload.dk` (REQUIRED)
- `JIRA_PROJECT`: The project key for the Jira project where issues should be created, e.g. `TEST` or `ABC`. (REQUIRED)
- `JIRA_ISSUE_TYPE`: Type of issue to create, e.g. `Security`. Defaults to `Bug`. (Optional)
- `JIRA_WATCHERS`: Jira users to add as watchers to tickets. Separate multiple watchers with a comma (no spaces). (Optional)
- `JIRA_RESTRICTED_COMMENT_ROLE`: A comment whose visibility is restricted to this role is posted with info about who was added as watchers to the issue. Defaults to `Developers`. (Optional)
Use `--dry-run` to run without actually creating issues, or `--trial-run` to create a test issue in the given project.
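The following is an added example, not checkdep's or the Reload Security Issue library's own code. It shows the shape of the flow described above: validate the required variables and apply the documented defaults (`Bug`, `Developers`), parse an OWASP Dependency-Check JSON report, and build one Jira issue per CVE, with a dry-run mode that never contacts Jira. The report is constructed (placeholder CVE ids) and follows the `dependencies[].vulnerabilities[]` layout of Dependency-Check's JSON output; the Jira REST v2 endpoints and field layout are this example's assumption about what the issue library sends.

```python
"""Added example (not checkdep's code): env-var contract -> Dependency-Check
report -> Jira issue payloads, with a dry-run path that creates nothing."""
import base64
import json
import os
import urllib.request

REQUIRED = ("JIRA_TOKEN", "JIRA_HOST", "JIRA_USER", "JIRA_PROJECT")

# Constructed sample report following the Dependency-Check JSON layout
# (dependencies[].fileName, dependencies[].vulnerabilities[]). CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "Alamofire:4.0.0",
         "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "HIGH",
                              "description": "constructed finding"}]},
        {"fileName": "SwiftyJSON:3.0.0"},  # clean dependency: no 'vulnerabilities' key
        {"fileName": "AFNetworking:2.0.0",
         "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "HIGH",
                              "description": "constructed finding"},
                             {"name": "CVE-0000-0002", "severity": "MEDIUM",
                              "description": "another constructed finding"}]},
    ],
})


def load_config(env):
    """Validate the REQUIRED variables and apply the documented defaults."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("missing required environment variables: " + ", ".join(missing))
    return {
        "token": env["JIRA_TOKEN"],
        "host": env["JIRA_HOST"].rstrip("/"),
        "user": env["JIRA_USER"],
        "project": env["JIRA_PROJECT"],
        "issue_type": env.get("JIRA_ISSUE_TYPE") or "Bug",
        "watchers": [w for w in env.get("JIRA_WATCHERS", "").split(",") if w],
        "restricted_role": env.get("JIRA_RESTRICTED_COMMENT_ROLE") or "Developers",
    }


def findings_by_cve(report):
    """Group findings so one ticket covers a CVE wherever it appears in the report."""
    by_cve = {}
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            entry = by_cve.setdefault(vuln["name"], {
                "severity": vuln.get("severity", "UNKNOWN"),
                "description": vuln.get("description", ""),
                "files": []})
            entry["files"].append(dep.get("fileName", "<unknown>"))
    return by_cve


def build_issues(report, cfg):
    """Jira REST v2 create-issue payloads (assumed layout), one per CVE."""
    issues = []
    for cve, info in findings_by_cve(report).items():
        issues.append({"fields": {
            "project": {"key": cfg["project"]},
            "issuetype": {"name": cfg["issue_type"]},
            "summary": f"{cve} ({info['severity']}): " + ", ".join(info["files"]),
            "description": info["description"] + "\n\nAffected:\n" + "\n".join(info["files"]),
            "labels": ["dependency-check", info["severity"].lower()],
        }})
    return issues


def watcher_comment(cfg):
    """Role-restricted comment naming the watchers, or None when there are none."""
    if not cfg["watchers"]:
        return None
    return {"body": "Added as watchers: " + ", ".join(cfg["watchers"]),
            "visibility": {"type": "role", "value": cfg["restricted_role"]}}


def post_json(cfg, path, payload):
    """POST JSON to the Jira instance using basic auth (user + API token)."""
    cred = base64.b64encode(f"{cfg['user']}:{cfg['token']}".encode()).decode()
    req = urllib.request.Request(cfg["host"] + path, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Basic " + cred}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def run(report_text, env, dry_run=True):
    """Return the payloads that would be (or were) created; dry-run never touches Jira."""
    cfg = load_config(env)
    issues = build_issues(json.loads(report_text), cfg)
    if dry_run:
        return issues
    for issue in issues:
        key = post_json(cfg, "/rest/api/2/issue", issue)["key"]
        for w in cfg["watchers"]:  # Jira Cloud expects an account id here (assumption)
            post_json(cfg, f"/rest/api/2/issue/{key}/watchers", w)
        comment = watcher_comment(cfg)
        if comment:
            post_json(cfg, f"/rest/api/2/issue/{key}/comment", comment)
    return issues


if __name__ == "__main__":
    # Dry run against the constructed report, reading the contract from the environment.
    print(json.dumps(run(SAMPLE_REPORT, os.environ), indent=2))
```

Grouping by CVE rather than by dependency keeps one ticket per finding even when the same CVE shows up in several pods; the `--trial-run` behaviour (one test issue) is not modelled here.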
There are both Behat and PHPUnit tests.

The Behat tests are slow as they build the image (not that slow, actually) and run it in dry-run mode, which runs dependency-checker (very slow), but they test both the image and that checkdep parses actual dependency-checker output.

PHPUnit tests are way faster, but only test specific parts.