Merge main

.github/workflows/dependency-check.yaml

@@ -0,0 +1,41 @@
+name: Dependency Check
+
+on:
+  schedule:
+    - cron: "34 14 * * 2"
+  workflow_dispatch:
+
+jobs:
+  dep-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/cache@v3
+        with:
+          path: ~/.gradle
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .tool-versions
+          bundler-cache: true
+      - run: |
+          bundle install
+          gem install bundler-audit
+          bundle-audit update
+
+      - uses: actions/setup-java@v3
+        with:
+          distribution: "temurin"
+          java-version: "17"
+
+      - run: chmod +x gradlew
+
+      - run: ./gradlew dependencyCheckAggregate
+
+      - uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: reports/dependency-check-report.sarif

README.md

@@ -53,7 +53,8 @@ This boilerplate comes with batteries included, you’ll find:
 
 ### Building the project
 
-Make sure you have [Bundler](https://rubygems.org/gems/bundler) installed (`gem install bundler`)
+* Run `asdf install` to install the dependencies described in `.tool-versions` on your system
+* Make sure you have [Bundler](https://rubygems.org/gems/bundler) installed (`gem install bundler`)
 
 #### Android
 
@@ -66,7 +67,6 @@ Make sure you have [Bundler](https://rubygems.org/gems/bundler) installed (`gem
 
 1. Install iOS specific gems in the `/ios` folder (`cd ios && bundle install`)
 2. Open the [workspace](./ios/iosApp.xcworkspace) using [Xcode](https://developer.apple.com/xcode/)
-   or [AppCode](https://www.jetbrains.com/objc/)
 3. Specify your Development Team under the `Signing and Capabilities` tab of the `iosApp` target
 4. Build and run the app on your device or simulator 🚀
 
@@ -86,6 +86,10 @@ started:
 | Declarative UI framework | [`trikot-viewmodels-declarative-flow`](https://github.com/mirego/trikot/tree/master/trikot-viewmodels-declarative-flow) |
 | Date & time              | [`kotlinx-datetime`](https://github.com/Kotlin/kotlinx-datetime)                                                        |
 
+## OWASP Dependency-Check
+
+[OWASP Dependency-Check](http://jeremylong.github.io/DependencyCheck/index.html) is installed as a Gradle plugin to scan your project to identify the use of known vulnerable components. It mainly checks for vulnerabilities in Gradle dependencies, but if [bundle-audit](https://github.com/rubysec/bundler-audit) is present on the system, it will also scan the Ruby Gems dependencies. It also has the capability to scan for Cocoapods/Swift Package Manager dependencies if executed on a macOS system.
+
 ## License
 
 Kmp Boilerplate is © 2023 [Mirego](https://www.mirego.com) and may be freely distributed under

boilerplate-setup.sh

@@ -137,6 +137,10 @@ header "Removing boilerplate license → https://choosealicense.com"
 run rm -fr LICENSE.md
 success "Done!\n"
 
+header "Changing the Dependency-Check report format to HTML"
+run sed -i '' 's/SARIF/HTML/' build.gradle.kts
+success "Done!\n"
+
 header "Removing boilerplate setup script..."
 run rm -fr boilerplate-setup.sh
 success "Done!\n"

build.gradle.kts

@@ -7,8 +7,20 @@ plugins {
     alias(libs.plugins.kotlin.native.cocoapods) apply false
     alias(libs.plugins.serialization) apply false
     alias(libs.plugins.ktlint) apply false
+    alias(libs.plugins.owasp.dependencycheck)
 }
 
 tasks.register("clean", Delete::class) {
     delete(rootProject.buildDir)
 }
+
+dependencyCheck {
+    format = "SARIF"
+    outputDirectory = "reports"
+
+    analyzers.apply {
+        assemblyEnabled = false
+        experimentalEnabled = true
+        knownExploitedEnabled = true
+    }
+}

gradle/libs.versions.toml

@@ -14,6 +14,7 @@ kotlinxCoroutines = "1.7.3"
 kotlinxSerialization = "1.6.0"
 kword-plugin = "4.0.0"
 ktlint = "11.6.1"
+owasp = "8.4.2"
 trikot = "5.2.0"
 
 [libraries]
@@ -26,9 +27,9 @@ androidx-compose-material = { group = "androidx.compose.material", name = "mater
 koin-core = { module = "io.insert-koin:koin-core", version.ref = "koin" }
 koin-annotations = { module = "io.insert-koin:koin-annotations", version.ref = "koin_ksp" }
 ksp-koinCompiler = { module = "io.insert-koin:koin-ksp-compiler", version.ref = "koin_ksp" }
-koin-android = { module = "io.insert-koin:koin-android", version.ref = "koin-android"}
-koin-androidx-compose = { module = "io.insert-koin:koin-androidx-compose", version.ref = "koin-androidx-compose"}
-koin-androidx-compose-navigation = { module = "io.insert-koin:koin-androidx-compose-navigation", version.ref = "koin-androidx-compose"}
+koin-android = { module = "io.insert-koin:koin-android", version.ref = "koin-android" }
+koin-androidx-compose = { module = "io.insert-koin:koin-androidx-compose", version.ref = "koin-androidx-compose" }
+koin-androidx-compose-navigation = { module = "io.insert-koin:koin-androidx-compose-navigation", version.ref = "koin-androidx-compose" }
 kotlinx-coroutines-core = { module = "org.jetbrains.kotlinx:kotlinx-coroutines-core", version.ref = "kotlinxCoroutines" }
 kotlinx-coroutines-test = { module = "org.jetbrains.kotlinx:kotlinx-coroutines-test", version.ref = "kotlinxCoroutines" }
 kotlinx-serialization-json = { module = "org.jetbrains.kotlinx:kotlinx-serialization-json", version.ref = "kotlinxSerialization" }
@@ -50,6 +51,7 @@ kotlin-native-cocoapods = { id = "org.jetbrains.kotlin.native.cocoapods", versio
 kspPlugin = { id = "com.google.devtools.ksp", version.ref = "ksp" }
 ktlint = { id = "org.jlleitschuh.gradle.ktlint", version.ref = "ktlint" }
 mirego-kwordPlugin = { id = "mirego.kword", version.ref = "kword-plugin" }
+owasp-dependencycheck = { id = "org.owasp.dependencycheck", version.ref = "owasp" }
 serialization = { id = "org.jetbrains.kotlin.plugin.serialization", version.ref = "kotlin" }
 
 [bundles]