
[RORDEV-1474] Bump dependency-check plugin version #1128


Closed

Conversation

mateuszkp96
Collaborator

@mateuszkp96 mateuszkp96 commented Jun 13, 2025

Summary by CodeRabbit

  • New Features

    • Added support for configuring the dependency check data directory and NVD API key via environment variables for enhanced security scanning flexibility.
    • Implemented caching of the CVE database in the build pipeline to optimize vulnerability checks.
  • Bug Fixes

    • Updated dependency versions for improved compatibility and security, including refined_3 and the OWASP Dependency Check Gradle plugin.
  • Chores

    • Cleaned up and updated CVE suppression rules to reduce false positives and focus on current dependencies.
    • Bumped plugin version in configuration files.
    • Disabled the TEST stage in the build pipeline to streamline the process.


coderabbitai bot commented Jun 13, 2025

📝 Walkthrough


This set of changes updates dependency management and security scanning configurations. The Azure Pipeline YAML introduces variables and Cache@2 tasks to cache the CVE database, restoring it before and saving it after the CVE check, and passes the NVD API key and data directory as environment variables to the scan. The OWASP Dependency Check Gradle plugin is upgraded to version 12.1.3 and configured to use these environment variables. Dependencies like refined_3 are bumped to newer versions. The CVE suppression XML is cleaned up by removing outdated entries and adding clarifications for cryptographic library false positives. The TEST stage in the pipeline is effectively disabled by adding a false condition.

Sequence Diagram(s)

sequenceDiagram
    participant AzurePipeline
    participant GradleBuild
    participant DependencyCheckPlugin
    participant NVD_API

    AzurePipeline->>AzurePipeline: Set variables (currentDate, dependencyCheckCacheKey, dependencyCheckDataDir)
    AzurePipeline->>AzurePipeline: Restore CVE DB cache using Cache@2 with cacheKey
    AzurePipeline->>GradleBuild: Run CVE check with DEPENDENCY_CHECK_DATA_DIR and NVD_API_KEY env vars
    GradleBuild->>DependencyCheckPlugin: Configure with dataDir and apiKey
    DependencyCheckPlugin->>NVD_API: Fetch CVE data using API key
    DependencyCheckPlugin-->>GradleBuild: Report scan results
    AzurePipeline->>AzurePipeline: Save updated CVE DB cache using Cache@2 if job succeeds
sequenceDiagram
    participant Developer
    participant BuildScript
    participant DependencyCheckPlugin

    Developer->>BuildScript: Update OWASP Dependency Check plugin version to 12.1.3
    BuildScript->>DependencyCheckPlugin: Configure plugin with environment variables (dataDir, apiKey)
    DependencyCheckPlugin-->>BuildScript: Use updated configuration for scanning

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c3c7f0f and d5a4030.

📒 Files selected for processing (1)
  • build-base/src/main/groovy/readonlyrest.base-common-conventions.gradle (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • build-base/src/main/groovy/readonlyrest.base-common-conventions.gradle
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: ror (CVE check Job)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (4)
build-base/src/main/groovy/readonlyrest.base-common-conventions.gradle (1)

58-59: Validate NVD API key presence
Plugin may skip NVD updates silently if NVD_API_KEY is unset. Consider failing the build or emitting a warning when the key is missing.

suppressions_cve.xml (2)

84-97: Consolidate suppressions for bcpkix-fips-1.0.7.jar
There are two separate <suppress> blocks for the same artifact with distinct CVEs. Consider merging them into a single entry listing both <cve> elements to reduce duplication.


98-111: Consolidate suppressions for bctls-fips-1.0.19.jar
Two blocks suppress CVE-2020-26939 and CVE-2023-33202 for bctls-fips-1.0.19.jar. Merging them into one <suppress> entry will keep the file DRY.

azure-pipelines.yml (1)

76-79: Remove trailing whitespace
Lines contain trailing spaces that should be removed to satisfy YAML lint rules.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 76-76: trailing spaces

(trailing-spaces)


[error] 79-79: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 80ff506 and 2ccbdde.

📒 Files selected for processing (8)
  • azure-pipelines.yml (2 hunks)
  • build-base/build.gradle (1 hunks)
  • build-base/src/main/groovy/readonlyrest.base-common-conventions.gradle (1 hunks)
  • core/build.gradle (1 hunks)
  • gradle.properties (1 hunks)
  • gradle/wrapper/gradle-wrapper.properties (1 hunks)
  • suppressions_cve.xml (2 hunks)
  • tests-utils/build.gradle (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
azure-pipelines.yml

[error] 76-76: trailing spaces

(trailing-spaces)


[error] 79-79: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (11)
  • GitHub Check: ror (Run all tests IT_es67x)
  • GitHub Check: ror (Run all tests IT_es80x)
  • GitHub Check: ror (Run all tests IT_es70x)
  • GitHub Check: ror (Run all tests IT_es810x)
  • GitHub Check: ror (Run all tests IT_es710x)
  • GitHub Check: ror (Run all tests IT_es818x)
  • GitHub Check: ror (CVE check Job)
  • GitHub Check: ror (Run all tests IT_es717x)
  • GitHub Check: ror (Run all tests UNIT)
  • GitHub Check: ror (Run all tests IT_es90x)
  • GitHub Check: ror (Run all tests LICENSE)
🔇 Additional comments (11)
core/build.gradle (1)

98-98: Confirm refined_3 version bump to 0.11.3
The eu.timepit:refined_3 dependency was updated from 0.11.2 to 0.11.3, matching the PR’s consistency goal.

tests-utils/build.gradle (1)

69-69: Validate refined_3 version alignment
The eu.timepit:refined_3 library was bumped to 0.11.3 here as well, keeping it in sync with the core module.

gradle/wrapper/gradle-wrapper.properties (1)

5-5: Upgrade Gradle wrapper distribution to 8.14.2
The distributionUrl was updated to use Gradle 8.14.2. Verify that all plugins and toolchains remain compatible with this version.

gradle.properties (1)

2-2: Review publishedPluginVersion consistency
pluginVersion was bumped to 1.65.0-pre5, but publishedPluginVersion remains at 1.64.2. Confirm whether publishedPluginVersion needs to be updated to match.

build-base/build.gradle (1)

29-29: Update OWASP Dependency Check plugin coordinates
The plugin dependency was changed to org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:12.1.3. Ensure this new artifact ID and version resolve correctly and preserve expected task behavior.

build-base/src/main/groovy/readonlyrest.base-common-conventions.gradle (2)

51-52: Disable assembly analyzer as intended
Disables scanning of exe/dll assemblies to reduce unnecessary analysis overhead.


53-57: Externalize data directory for caching
Correctly reads DEPENDENCY_CHECK_DATA_DIR env var to allow pipeline cache reuse while falling back to defaults for local builds.

suppressions_cve.xml (1)

12-16: Verify refined-3 suppression SHA1
Suppression updated to refined_3-0.11.3.jar pending bump to 0.11.3. Please verify that the SHA1 matches the actual artifact.

azure-pipelines.yml (3)

7-8: Introduce CVE DB cache variables
Defines dependencyCheckDataDir and dependencyCheckCacheKey to configure cache directory and key for CVE DB caching.


59-67: Cache restore step for CVE database
Restores the CVE DB from previous runs using the defined key and path, with prefix fallback and cache hit logging.


87-92: Cache save step for CVE database
Saves the updated CVE DB back to the cache on successful execution, using the same monthly cache key.
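
The two nitpicks above about duplicated suppress blocks for one artifact, and the request to verify that the refined_3 suppression SHA1 matches the real jar, are both checks that can be scripted rather than eyeballed. The following is an added example, not code from the readonlyrest project: a POSIX shell script that hashes every jar in a directory, pulls each sha1 value out of a dependency-check suppression file, and reports hashes that match no artifact (stale rules left behind after a version bump) and hashes listed in more than one suppress block (consolidation candidates). The fixture directory, the jar contents and the CVE-0000-* identifiers are constructed for the example; the artifact names and the two bctls-fips CVE ids are the ones mentioned in the review.

```shell
#!/bin/sh
# Added example, not code from the readonlyrest project: cross-check the
# <sha1> entries of an OWASP dependency-check suppression file against the
# jars actually present in a directory. A suppression whose hash matches no
# jar is stale (the artifact was bumped or dropped, the rule stayed behind);
# a hash that appears in several <suppress> blocks is a consolidation
# candidate. Requires sha1sum (or shasum), grep, sed, awk, find.

command -v sha1sum >/dev/null 2>&1 || sha1sum() { shasum -a 1 "$@"; }

# "sha1 path" for every *.jar under $1, hashes lower-cased.
jar_hashes() {
  find "$1" -type f -name '*.jar' -exec sha1sum {} \; | awk '{print tolower($1), $2}'
}

# Every <sha1> value in the suppression file $1, one per line, lower-cased.
# Tolerant of surrounding whitespace; deliberately not a full XML parser.
suppression_hashes() {
  grep -o '<sha1>[^<]*</sha1>' "$1" | sed 's/<[^>]*>//g' | tr -d ' \t' | tr 'A-F' 'a-f'
}

# Print a STALE line for each suppressed hash that matches no jar under $2.
# Returns 1 if any stale entry was found, 0 if the file is clean.
stale_suppressions() {
  xml="$1"; jardir="$2"; rc=0
  hashes=$(jar_hashes "$jardir")
  for h in $(suppression_hashes "$xml"); do
    if ! printf '%s\n' "$hashes" | grep -q "^$h "; then
      echo "STALE: $h matches no jar under $jardir"
      rc=1
    fi
  done
  return $rc
}

# Hashes that occur in more than one <suppress> block of $1.
duplicate_suppressions() {
  suppression_hashes "$1" | sort | uniq -d
}

# Constructed fixture: two fake jars (their bytes are placeholders, so the
# hashes are not the real artifacts' hashes) and a suppression file with one
# good entry, one artifact suppressed twice, and one stale all-zero hash.
# Artifact names and the two bctls-fips CVE ids are the ones named in the PR
# review; the CVE-0000-* ids are placeholders.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/libs"
  printf 'constructed stand-in for refined_3' > "$d/libs/refined_3-0.11.3.jar"
  printf 'constructed stand-in for bctls-fips' > "$d/libs/bctls-fips-1.0.19.jar"
  refined=$(sha1sum "$d/libs/refined_3-0.11.3.jar" | awk '{print $1}')
  bctls=$(sha1sum "$d/libs/bctls-fips-1.0.19.jar" | awk '{print $1}')
  cat > "$d/suppressions_cve.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>refined_3-0.11.3.jar</notes>
    <sha1>$refined</sha1>
    <cve>CVE-0000-0001</cve>
  </suppress>
  <suppress>
    <notes>bctls-fips-1.0.19.jar, first block</notes>
    <sha1>$bctls</sha1>
    <cve>CVE-2020-26939</cve>
  </suppress>
  <suppress>
    <notes>bctls-fips-1.0.19.jar, second block for the same artifact</notes>
    <sha1>$bctls</sha1>
    <cve>CVE-2023-33202</cve>
  </suppress>
  <suppress>
    <notes>left over from a jar that is no longer in the build</notes>
    <sha1>0000000000000000000000000000000000000000</sha1>
    <cve>CVE-0000-0002</cve>
  </suppress>
</suppressions>
EOF
  echo "$d"
}

# Stand-alone demo on the constructed fixture.
demo=$(make_fixture)
echo "hashes suppressed more than once:"
duplicate_suppressions "$demo/suppressions_cve.xml"
stale_suppressions "$demo/suppressions_cve.xml" "$demo/libs" || echo "suppression file needs cleanup"
rm -rf "$demo"
```

In a real build the jar directory would be the resolved runtime classpath (for example a directory populated by a Gradle copy task), and the script would run as a separate CI step so that a stale or duplicated suppression fails the pipeline before the dependency-check report is even generated.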


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
azure-pipelines.yml (1)

77-78: Ensure variable substitution in script
Using $dependencyCheckDataDir in Bash will not expand the Azure DevOps variable. Replace with $(dependencyCheckDataDir) or map it via env: to pass the variable into the script, and uncomment the export DEPENDENCY_CHECK_DATA_DIR line.

🧹 Nitpick comments (3)
azure-pipelines.yml (3)

7-8: Include plugin version in cache key
Without the plugin version, cached CVE data may become invalid after upgrading the Dependency Check plugin. Consider appending the plugin version (e.g., 12.1.3) to dependencyCheckCacheKey.


59-67: Decide on caching strategy for the CVE DB
The commented-out Cache@2 tasks for restoring and saving the CVE database suggest you intend to cache the CVE data. If caching is desired, uncomment these steps and verify the key, restoreKeys, and path settings; otherwise, remove the commented blocks to clean up the pipeline.

Also applies to: 86-93


76-76: Remove trailing spaces
YAMLlint has flagged trailing spaces on these lines. Removing them will clean up the YAML and satisfy the linter.

Also applies to: 79-79

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 76-76: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2ccbdde and fc7bc50.

📒 Files selected for processing (1)
  • azure-pipelines.yml (2 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
azure-pipelines.yml

[error] 76-76: trailing spaces

(trailing-spaces)


[error] 79-79: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (11)
  • GitHub Check: ror (Run all tests IT_es67x)
  • GitHub Check: ror (Run all tests IT_es80x)
  • GitHub Check: ror (Run all tests IT_es70x)
  • GitHub Check: ror (Run all tests IT_es810x)
  • GitHub Check: ror (Run all tests IT_es710x)
  • GitHub Check: ror (Run all tests IT_es818x)
  • GitHub Check: ror (Run all tests IT_es717x)
  • GitHub Check: ror (Run all tests UNIT)
  • GitHub Check: ror (Run all tests LICENSE)
  • GitHub Check: ror (CVE check Job)
  • GitHub Check: ror (Run all tests IT_es90x)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
azure-pipelines.yml (1)

59-73: Clean up or enable CVE DB caching steps

The commented-out Cache@2 tasks and log steps introduce dead code. Once caching is confirmed working with the bumped plugin version, uncomment and test these blocks. If caching is not yet in scope, consider moving them to a shared template or removing them to reduce noise.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fc7bc50 and 1afd2de.

📒 Files selected for processing (1)
  • azure-pipelines.yml (2 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
azure-pipelines.yml

[error] 76-76: trailing spaces

(trailing-spaces)


[error] 79-79: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (11)
  • GitHub Check: ror (Run all tests IT_es67x)
  • GitHub Check: ror (Run all tests IT_es70x)
  • GitHub Check: ror (Run all tests IT_es710x)
  • GitHub Check: ror (Run all tests IT_es717x)
  • GitHub Check: ror (Run all tests IT_es80x)
  • GitHub Check: ror (Run all tests IT_es810x)
  • GitHub Check: ror (Run all tests UNIT)
  • GitHub Check: ror (Run all tests IT_es818x)
  • GitHub Check: ror (CVE check Job)
  • GitHub Check: ror (Run all tests LICENSE)
  • GitHub Check: ror (Run all tests IT_es90x)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (2)
azure-pipelines.yml (2)

7-8: 🛠️ Refactor suggestion

Replace unsupported date macro for cache key
Azure Pipelines doesn’t support the $(Date:yyyyMM) macro. Define a variable that formats the pipeline start time, then use it:

variables:
+  currentDate: $[format('{0:yyyyMM}', pipeline.startTime)]
   dependencyCheckDataDir: '$(Pipeline.Workspace)/dependency-check-data/v1'
-  dependencyCheckCacheKey: 'dependency-check-v1-$(Date:yyyyMM)'
+  dependencyCheckCacheKey: 'dependency-check-v1-$(currentDate)'
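
Review bot: the key changes on the first of every month, so with only the exact key the first CVE check of each month starts from an empty data directory and downloads the whole NVD feed again; pair this change with a Cache@2 restoreKeys prefix of `dependency-check-v1-` so the previous month's database is restored and only the delta is fetched. The `$[format('{0:yyyyMM}', pipeline.startTime)]` runtime expression is the right tool here, since it is evaluated at run time rather than when the YAML is compiled.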

77-84: ⚠️ Potential issue

Fix environment variable expansion and mapping
Bash won’t expand $dependencyCheckDataDir here—use the Azure macro $(dependencyCheckDataDir) by mapping it under env: instead of exporting it in-script. For example:

-              export DEPENDENCY_CHECK_DATA_DIR=$dependencyCheckDataDir
+              # removed in-script export, moved under env
-            env:
-              ROR_TASK: cve_check
-              NVD_API_KEY: $(nvd_api_key)
+            env:
+              ROR_TASK: cve_check
+              DEPENDENCY_CHECK_DATA_DIR: $(dependencyCheckDataDir)
+              NVD_API_KEY: $(nvd_api_key)
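
Review bot: mapping NVD_API_KEY under env: is the right fix for more than expansion: Azure does not expose secret variables to scripts as environment variables unless they are mapped explicitly, so the in-script export could never have seen the key. Two details in the hunk: the `+ # removed in-script export, moved under env` line ships a comment about a deleted line inside the script, so drop it; and `$(nvd_api_key)` has to be the exact name of the secret in the variable group (later revisions of this PR use `nvd_api_key_v2`), because an undefined macro is passed through as the literal text `$(nvd_api_key)` and the plugin would send that string to the NVD API as the key.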

This ensures variables are correctly substituted and available to the dependency check plugin.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 78-78: trailing spaces

(trailing-spaces)

🧹 Nitpick comments (1)
azure-pipelines.yml (1)

76-78: Remove trailing whitespace
Lines 76 and 78 contain unnecessary spaces which trigger linter warnings. Please remove them.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 76-76: trailing spaces

(trailing-spaces)


[error] 78-78: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1afd2de and 7ea88fa.

📒 Files selected for processing (1)
  • azure-pipelines.yml (2 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
azure-pipelines.yml

[error] 76-76: trailing spaces

(trailing-spaces)


[error] 78-78: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (11)
  • GitHub Check: ror (Run all tests IT_es67x)
  • GitHub Check: ror (Run all tests IT_es80x)
  • GitHub Check: ror (Run all tests IT_es70x)
  • GitHub Check: ror (Run all tests IT_es710x)
  • GitHub Check: ror (Run all tests IT_es810x)
  • GitHub Check: ror (Run all tests UNIT)
  • GitHub Check: ror (Run all tests IT_es818x)
  • GitHub Check: ror (Run all tests IT_es717x)
  • GitHub Check: ror (Run all tests LICENSE)
  • GitHub Check: ror (Run all tests IT_es90x)
  • GitHub Check: ror (CVE check Job)
🔇 Additional comments (3)
azure-pipelines.yml (3)

59-66: Cache restore task configuration looks correct
The Cache@2 step is properly set up to restore the CVE DB using the defined key and data directory.


67-73: Logging the cache hit is informational and implemented correctly.


85-91: Cache save task configuration is correct
The Cache@2 save step uses the same key and path, conditioned on success, which aligns with best practices for immutable caches.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e58cde3 and 87d2793.

📒 Files selected for processing (1)
  • azure-pipelines.yml (2 hunks)
🔇 Additional comments (5)
azure-pipelines.yml (5)

7-9: Leverage date-based cache keys
The new variables currentDate, dependencyCheckCacheKey, and dependencyCheckDataDir correctly parameterize cache paths using pipeline.startTime. This aligns with best practices for predictable, per-month cache keys.


53-54: Verify variable group inclusion
You’ve added a variable group TEST_GROUP at the CVE stage—please confirm it exists in Azure DevOps and that it provides all required secrets (e.g., nvd_api_key_v2).


79-85: Confirm NVD API key variable
You switched to $(nvd_api_key_v2) for NVD_API_KEY. Ensure that this variable is defined (via TEST_GROUP or pipeline) so the plugin can authenticate with the NVD API.


87-93: Save cache step setup is correct
The Cache@2 save task reuses the same key and path, ensuring immutability and proper cache writes. This matches the restore configuration.


99-99: Intentional TEST stage disable?
The literal false at the top of the TEST stage condition will permanently skip that stage. If this is temporary, please add a comment explaining why; otherwise remove or adjust the condition.

Comment on lines +71 to +77
- script: |
    if [ '$(CACHE_HIT)' = 'true' ]; then
      echo "Restored cache."
    else
      echo "No cache found"
    fi
  displayName: 'Log cache hit'

⚠️ Potential issue

Fix cache hit check quoting
Using single quotes around $(CACHE_HIT) prevents environment variable expansion. Update to double quotes:

if [ "$(CACHE_HIT)" = "true" ]; then
  echo "Restored cache."
else
  echo "No cache found"
fi
🤖 Prompt for AI Agents
In azure-pipelines.yml lines 71 to 77, the if condition uses single quotes
around $(CACHE_HIT), which prevents environment variable expansion. Change the
single quotes to double quotes around $(CACHE_HIT) and "true" in the if
statement to ensure the variable is properly expanded and compared.
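
The review rounds above keep returning to one failure mode: a secret or path wired up under the wrong name reaches the script either as an empty string or as the literal text $(nvd_api_key_v2), and the plugin then, as the earlier comments note, may skip NVD updates or quietly fall back to its default data directory. As an added example (not part of the readonlyrest pipeline or of the dependency-check plugin), this POSIX shell pre-flight function, assumed to run in the CVE check step before Gradle is invoked, refuses to continue in either case and logs only a fingerprint of the key rather than the key itself. The ##vso[task.logissue] logging command is Azure Pipelines syntax; the function names and the demo values are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the readonlyrest pipeline: a pre-flight check
# for the CVE scan step. It refuses to run the scan when the NVD key or the
# data directory is missing or still contains an unsubstituted Azure macro,
# and it logs a short fingerprint of the key instead of the key itself.

command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# First 8 hex chars of SHA-256(key): enough to tell two keys apart in a log,
# useless for recovering the key. Convention chosen for this example.
key_fingerprint() {
  printf '%s' "$1" | sha256sum | cut -c1-8
}

# Azure Pipelines leaves an undefined macro in place as the literal text
# "$(name)", so a value that still looks like a macro was never defined.
looks_like_macro() {
  case "$1" in
    *'$('*')'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when the scan can run, 1 otherwise. Uses Azure's logging command
# syntax (##vso[task.logissue]) so the failure shows up as a pipeline error.
cve_preflight() {
  rc=0
  for name in NVD_API_KEY DEPENDENCY_CHECK_DATA_DIR; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "##vso[task.logissue type=error]$name is not set; map it under env: on the script task" >&2
      rc=1
    elif looks_like_macro "$value"; then
      # The literal macro text is not a secret, so it is safe to print.
      echo "##vso[task.logissue type=error]$name contains an unsubstituted macro: $value" >&2
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] || return 1

  # The plugin writes the H2 database here; a read-only mount would make
  # every run re-download the feed and then fail on the save step.
  mkdir -p "$DEPENDENCY_CHECK_DATA_DIR" 2>/dev/null
  if [ ! -w "$DEPENDENCY_CHECK_DATA_DIR" ]; then
    echo "##vso[task.logissue type=error]$DEPENDENCY_CHECK_DATA_DIR is not writable" >&2
    return 1
  fi
  echo "dependency-check data dir: $DEPENDENCY_CHECK_DATA_DIR"
  echo "NVD_API_KEY fingerprint: $(key_fingerprint "$NVD_API_KEY")"
  return 0
}

# Stand-alone demo with constructed values; the real pipeline supplies these
# through the env: mapping on the script task. Run in a subshell so the demo
# values do not leak into the caller's environment.
(
  export NVD_API_KEY='$(nvd_api_key_v2)'
  export DEPENDENCY_CHECK_DATA_DIR="${TMPDIR:-/tmp}/dependency-check-demo"
  cve_preflight
) || echo "pre-flight failed, as expected for an unsubstituted macro"
```

Wiring this in front of the Gradle call turns a misnamed variable group entry into a red build with a readable message, instead of a green build whose scan ran without NVD authentication or without the restored cache. The fingerprint line is what lets someone confirm that a rotated key actually reached the job without ever echoing the secret.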


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (2)
azure-pipelines.yml (2)

78-84: Correct cache hit check quoting
Single quotes prevent $(CACHE_HIT) from expanding, so the condition never matches. Switch to double quotes:

- if [ '$(CACHE_HIT)' = 'true' ]; then
+ if [ "$(CACHE_HIT)" = "true" ]; then
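
Review bot: the quote change does not alter what the script receives: `$(CACHE_HIT)` is macro syntax that the agent substitutes as plain text before bash ever parses the script, so the single-quoted form already compares the substituted value. The condition can only fail to match if nothing defines CACHE_HIT, which is controlled by `cacheHitVar: CACHE_HIT` on the Cache@2 restore task; with the variable undefined, the double-quoted form is actually worse, because bash then treats the literal `$(CACHE_HIT)` as a command substitution and tries to execute a command named CACHE_HIT. Verify the cacheHitVar input on the restore step instead of changing the quoting.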

69-77: Fix invalid restoreKeys placeholder
The restoreKeys field still has the literal dependency-check-v1- todo, which breaks cache fallback. Update it to a valid prefix or parameterize it. For example:

- restoreKeys: |
-   dependency-check-v1- todo
+ restoreKeys: |
+   dependency-check-v1-
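
Review bot: this prefix fallback is what makes the monthly key usable: on the first run of a month the exact key misses, the prefix restores last month's database, and because the Cache@2 save step only writes when the exact key missed, the updated directory is then stored under the new month's key. Keep the prefix equal to the literal part of dependencyCheckCacheKey (`dependency-check-v1-`); if the key is later bumped to v2 without touching restoreKeys, the fallback silently stops matching.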
🧹 Nitpick comments (1)
azure-pipelines.yml (1)

2-18: Clean up YAML formatting
In the variables list, the entry on line 5 uses value : (extra space before colon). Remove the extra space so it reads value:. Also consider unifying variable naming (e.g. consistently use snake_case or camelCase) for readability.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 87d2793 and 9c19d4d.

📒 Files selected for processing (1)
  • azure-pipelines.yml (2 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
azure-pipelines.yml

[warning] 5-5: too many spaces before colon

(colons)

⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: ror (CVE check Job)
🔇 Additional comments (1)
azure-pipelines.yml (1)

91-92: Verify NVD API key variable name
The step exports NVD_API_KEY: $(nvd_api_key_v2). Ensure that nvd_api_key_v2 is defined in the linked variable group. If the intended variable is nvd_api_key, update this mapping accordingly.


- stage: TEST
  displayName: 'Run all tests'
  dependsOn: [ ]
  condition:
    and(
      false,

⚠️ Potential issue

TEST stage has been disabled
The and() condition starts with false, disabling the entire TEST stage. Confirm this is intentional—otherwise remove the false literal to re-enable testing.

🤖 Prompt for AI Agents
In azure-pipelines.yml at line 106, the TEST stage is disabled because the
`and()` condition begins with a `false` literal, which causes the entire
condition to evaluate to false. To re-enable the TEST stage, remove the `false`
literal from the condition so that it can evaluate based on the intended
criteria.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (3)
azure-pipelines.yml (3)

70-74: Ensure proper quoting for cache hit check
Using single quotes around $(CACHE_HIT) and true prevents variable expansion. Update to double quotes:

- if [ '$(CACHE_HIT)' = 'true' ]; then
+ if [ "$(CACHE_HIT)" = "true" ]; then

60-68: Invalid restoreKeys placeholder
The restoreKeys entry still contains dependency-check-v1- todo, which will break cache fallback. Replace it with a valid prefix or parameterized key, for example:

- restoreKeys: |
-   dependency-check-v1- todo
+ restoreKeys: |
+   dependency-check-v1-$(currentDate)
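
Review bot: `dependency-check-v1-$(currentDate)` is the primary key again, so this restoreKeys entry adds no fallback: on the first run of each month both lookups miss and the full NVD feed is downloaded. restoreKeys is a prefix list and should be the part of the key without the date, `dependency-check-v1-`, as the earlier suggestion on this PR had it.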

79-86: Fix environment variable handling in CVE check script

  • $dependencyCheckDataDir isn’t exported or expanded—use $(dependencyCheckDataDir) in the script or map it under env.
  • The script sets NVD_API_KEY from $var_nvd_api_key, but the env mapping var_nvd_api_key: $(NVD_API_KEY) is confusing. Map NVD_API_KEY directly under env, e.g.:
-            env:
-              ROR_TASK: cve_check
-              var_nvd_api_key: $(NVD_API_KEY)
+            env:
+              ROR_TASK: cve_check
+              DEPENDENCY_CHECK_DATA_DIR: $(dependencyCheckDataDir)
+              NVD_API_KEY: $(nvd_api_key)
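
Review bot: the replacement changes the macro from `$(NVD_API_KEY)` on the removed line to `$(nvd_api_key)`; whichever name the variable group actually defines must be used exactly, because an undefined macro is left in place as the literal string and that string becomes the value of NVD_API_KEY. Since the key is a secret, mapping it under env: is also the only way it reaches the script at all, so the in-script `export NVD_API_KEY=$var_nvd_api_key` is dead once this hunk lands and should go in the same change.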

And remove the manual export lines in the script.

🧹 Nitpick comments (1)
azure-pipelines.yml (1)

78-78: Remove trailing whitespace
Blank lines 78 and 81 contain trailing spaces. Remove them to satisfy YAML lint and avoid subtle parsing issues.

Also applies to: 81-81

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9c19d4d and 9f41cf2.

📒 Files selected for processing (2)
  • azure-pipelines.yml (2 hunks)
  • build-base/src/main/groovy/readonlyrest.base-common-conventions.gradle (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • build-base/src/main/groovy/readonlyrest.base-common-conventions.gradle
🧰 Additional context used
🪛 YAMLlint (1.37.1)
azure-pipelines.yml

[error] 78-78: trailing spaces

(trailing-spaces)


[error] 81-81: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: ror (CVE check Job)
🔇 Additional comments (3)
azure-pipelines.yml (3)

7-9: New caching variables look good
Introducing currentDate, dependencyCheckCacheKey, and dependencyCheckDataDir aligns the pipeline with the updated dependency-check plugin configuration.


87-93: Save CVE DB cache configuration is correct
The Save updated CVE DB Cache@2 task correctly uses the same key and path. This ensures that the dependency-check data directory is cached for subsequent runs.


100-100: TEST stage is disabled by design or error?
The false literal in the TEST stage condition (line 100) disables the entire stage. If this is unintended, remove the false, entry so tests can run as expected.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
azure-pipelines.yml (1)

78-85: Fix variable mapping for cache directory and NVD API key

  • export DEPENDENCY_CHECK_DATA_DIR=$dependencyCheckDataDir will not pick up the pipeline variable; use $(dependencyCheckDataDir) or map it under env:.
  • Avoid the unnecessary var_nvd_api_key indirection; map NVD_API_KEY directly.

Apply this diff:

-              export DEPENDENCY_CHECK_DATA_DIR=$dependencyCheckDataDir
-              export NVD_API_KEY=$var_nvd_api_key
               env:
                 ROR_TASK: cve_check
-              var_nvd_api_key: $(NVD_API_KEY)
+              DEPENDENCY_CHECK_DATA_DIR: $(dependencyCheckDataDir)
+              NVD_API_KEY: $(NVD_API_KEY)
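
Review bot: after this hunk both values reach Gradle only through the env: mapping, which is the correct path for a secret. The remaining gap is on the consumer side: the conventions script reads DEPENDENCY_CHECK_DATA_DIR with a fallback to the plugin's default directory, so a typo in this mapping does not fail the build, it just makes every run ignore the restored cache and re-download the NVD data. Have the CVE check step assert that the variable is set and is not the literal text `$(dependencyCheckDataDir)` before invoking Gradle.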
🧹 Nitpick comments (1)
azure-pipelines.yml (1)

77-80: Remove trailing whitespace
Lines 77 and 80 include trailing spaces that trigger YAML lint errors. Please trim them.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9f41cf2 and c3c7f0f.

📒 Files selected for processing (1)
  • azure-pipelines.yml (2 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
azure-pipelines.yml

[error] 77-77: trailing spaces

(trailing-spaces)


[error] 80-80: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: ror (CVE check Job)
🔇 Additional comments (4)
azure-pipelines.yml (4)

7-9: Cache key and directory variables added
Well-structured use of currentDate, dependencyCheckCacheKey, and dependencyCheckDataDir to parameterize the cache.


60-67: Cache restore task looks solid
The Cache@2 step correctly restores the CVE DB using the defined key and fallback prefix.


68-74: Log cache hit outcome
The script conditionally logs the restore status based on CACHE_HIT, providing clear visibility.


99-99: Disabled TEST stage
The false literal at the start of the and() condition blocks the TEST stage entirely. Confirm this is intentional, or remove false to re-enable tests.

@mateuszkp96 mateuszkp96 deleted the RORDEV-1474-dependency-check branch June 27, 2025 13:14