From 9e21e96dfced70c10fd895f73cdd529f2ef45e37 Mon Sep 17 00:00:00 2001
From: mikolajbrzezinski
Date: Mon, 27 Nov 2023 16:35:43 +0100
Subject: [PATCH 1/8] ACS-6305 Implement SAST Pipeline Scan
---
 .github/workflows/ci.yml | 53 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 51 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 149cfe427..3d5142f04 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,7 +35,7 @@ env: GITHUB_ACTIONS_DEPLOY_TIMEOUT: 60 jobs: - veracode: + veracode_sca: name: "Veracode - Source Clear Scan (SCA)" runs-on: ubuntu-latest if: 
> @@ -52,6 +52,55 @@ jobs: with: srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }} + veracode_sast: + name: "Pipeline SAST Scan" + runs-on: ubuntu-latest + if: > + ((github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || github.event_name == 'pull_request')) && + !contains(github.event.head_commit.message, '[skip build]') + steps: + - uses: actions/checkout@v3 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.33.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.33.0 + - name: "Login to Docker Hub" + uses: docker/login-action@v2.1.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - name: "Login to Quay.io" + uses: docker/login-action@v2.1.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_PASSWORD }} + - name: "Build" + run: mvn -B -U install -DskipTests + - name: "Create zip" + run: zip -r to-scan.zip engines/aio/target/alfresco-transform-core-aio-*.jar engines/base/target/alfresco-base-t-engine-*.jar model/target/alfresco-transform-model-*.jar + - name: "Run SAST Scan" + id: scan + uses: veracode/Veracode-pipeline-scan-action@v1.0.10 + with: + vid: '${{ secrets.VERACODE_API_ID }}' + vkey: '${{ secrets.VERACODE_API_KEY }}' + file: "to-scan.zip" + fail_build: true + project_name: alfresco-transform-core + issue_details: true + veracode_policy_name: Alfresco Default + summary_output: true + summary_output_file: readable_results.txt + summary_display: true + - name: Upload scan result + if: success() || failure() + run: zip readable_output.zip readable_results.txt + - name: Upload Artifact + if: success() || failure() + uses: actions/upload-artifact@v3 + with: + name: Veracode Pipeline-Scan Results (Human Readable) + path: readable_output.zip + build_and_test: name: "Core & Base Snapshot deployment" runs-on: ubuntu-latest 
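Review bot: The `Login to Docker Hub` and `Login to Quay.io` steps hand `DOCKER_*` and `QUAY_*` secrets to a job whose remaining steps only run `mvn -B -U install -DskipTests`, zip three jars and pass the archive to the scan action; unless that Maven build needs to pull private images, both login steps can be dropped so the SAST job holds only the credentials it uses. The step named `Upload scan result` does nothing but zip the summary (the upload is the following step), so `name: "Zip scan result"` would describe it accurately. The third-party actions introduced here (`veracode/Veracode-pipeline-scan-action@v1.0.10`, `docker/login-action@v2.1.0`) are pinned by tag like the rest of the file; pinning by commit SHA would make the step that receives the build artifacts tamper-evident, but that is a file-wide convention rather than a point against this hunk alone.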
@@ -146,7 +195,7 @@ jobs: release: name: "Release" runs-on: ubuntu-latest - needs: [veracode, build_and_test, all_tests_matrix] + needs: [veracode_sca, build_and_test, all_tests_matrix] if: > !(failure() || cancelled()) && contains(github.event.head_commit.message, '[release]') &&
From aaf36d0582423b2e68fb663ebe5b13f86bc6445a Mon Sep 17 00:00:00 2001
From: mikolajbrzezinski
Date: Tue, 28 Nov 2023 00:30:57 +0100
Subject: [PATCH 2/8] ACS-6305 Check all packages
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3d5142f04..a6126248f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -76,7 +76,7 @@ jobs: - name: "Build" run: mvn -B -U install -DskipTests - name: "Create zip" - run: zip -r to-scan.zip engines/aio/target/alfresco-transform-core-aio-*.jar engines/base/target/alfresco-base-t-engine-*.jar model/target/alfresco-transform-model-*.jar + run: find engines/*/target model/target/alfresco-transform-model-*.jar -name '*.jar' -exec zip -y -r to-scan.zip {} + - name: "Run SAST Scan" id: scan uses: veracode/Veracode-pipeline-scan-action@v1.0.10
From 746ecfc22d0d03782417cba652c734eb741cb061 Mon Sep 17 00:00:00 2001
From: mikolajbrzezinski
Date: Tue, 28 Nov 2023 01:00:46 +0100
Subject: [PATCH 3/8] ACS-6305 Try just aio
---
 .github/workflows/ci.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a6126248f..11e33692c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
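Review bot: The release job's `needs` list picks up the renamed `veracode_sca` but not the new `veracode_sast` job, so a pipeline scan that fails under `fail_build: true` does not hold back a `[release]` build; `needs: [veracode_sca, veracode_sast, build_and_test, all_tests_matrix]` would make the SAST result a release gate like the SCA one. If the scan is meant to stay advisory until the baseline settles, a comment on the `needs` line saying so would stop the next reader from assuming it already gates releases. The rest of the release job's `if:` continues outside this hunk.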
@@ -75,15 +75,13 @@ jobs: password: ${{ secrets.QUAY_PASSWORD }} - name: "Build" run: mvn -B -U install -DskipTests - - name: "Create zip" - run: find engines/*/target model/target/alfresco-transform-model-*.jar -name '*.jar' -exec zip -y -r to-scan.zip {} + - name: "Run SAST Scan" id: scan uses: veracode/Veracode-pipeline-scan-action@v1.0.10 with: vid: '${{ secrets.VERACODE_API_ID }}' vkey: '${{ secrets.VERACODE_API_KEY }}' - file: "to-scan.zip" + file: "engines/aio/target/alfresco-transform-core-aio-*.jar" fail_build: true project_name: alfresco-transform-core issue_details: true
From 6289a57583a3d584058c196a6f607f62831e0718 Mon Sep 17 00:00:00 2001
From: mikolajbrzezinski
Date: Tue, 28 Nov 2023 01:07:32 +0100
Subject: [PATCH 4/8] ACS-6305 Try just aio
---
 .github/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 11e33692c..2fea576b0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -75,13 +75,15 @@ jobs: password: ${{ secrets.QUAY_PASSWORD }} - name: "Build" run: mvn -B -U install -DskipTests + - name: "Create zip" + run: find engines/aio/target -name '*.jar' ! -name '*javadoc.jar' ! -name '*sources.jar' -exec zip -y -r to-scan.zip {} + - name: "Run SAST Scan" id: scan uses: veracode/Veracode-pipeline-scan-action@v1.0.10 with: vid: '${{ secrets.VERACODE_API_ID }}' vkey: '${{ secrets.VERACODE_API_KEY }}' - file: "engines/aio/target/alfresco-transform-core-aio-*.jar" + file: "to-scan.zip" fail_build: true project_name: alfresco-transform-core issue_details: true
From 7916f34b62f5c24380bfca3518cfe17a8fc781d5 Mon Sep 17 00:00:00 2001
From: mikolajbrzezinski
Date: Tue, 28 Nov 2023 01:32:10 +0100
Subject: [PATCH 5/8] back to original implementation
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2fea576b0..3d5142f04 100644 
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -76,7 +76,7 @@ jobs: - name: "Build" run: mvn -B -U install -DskipTests - name: "Create zip" - run: find engines/aio/target -name '*.jar' ! -name '*javadoc.jar' ! -name '*sources.jar' -exec zip -y -r to-scan.zip {} + + run: zip -r to-scan.zip engines/aio/target/alfresco-transform-core-aio-*.jar engines/base/target/alfresco-base-t-engine-*.jar model/target/alfresco-transform-model-*.jar - name: "Run SAST Scan" id: scan uses: veracode/Veracode-pipeline-scan-action@v1.0.10
From bb7d50c2853bc75102138a5324b593253eba7a96 Mon Sep 17 00:00:00 2001
From: mikolajbrzezinski
Date: Fri, 8 Dec 2023 16:27:13 +0100
Subject: [PATCH 6/8] ACS-6305 Prepare for review
---
 .github/workflows/ci.yml | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3d5142f04..66e3840b1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -56,12 +56,13 @@ jobs: name: "Pipeline SAST Scan" runs-on: ubuntu-latest if: > - ((github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || github.event_name == 'pull_request')) && - !contains(github.event.head_commit.message, '[skip build]') + (github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/') || github.event_name == 'pull_request') && + !contains(github.event.head_commit.message, '[skip tests]') && + !contains(github.event.head_commit.message, '[force') steps: - uses: actions/checkout@v3 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.33.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.33.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.34.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.34.0 - name: "Login to Docker Hub" uses: docker/login-action@v2.1.0 with: 
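Review bot: Reverting to the `zip -r` glob drops the `! -name '*javadoc.jar' ! -name '*sources.jar'` exclusions introduced in patch 4/8, so if the Maven build attaches sources, javadoc or test jars, `alfresco-transform-core-aio-*.jar` and the two sibling patterns pull them into `to-scan.zip` too, which inflates the scan and can change what `fail_build` trips on from one build to the next. If that is deliberate, a comment above the step, `# glob intentionally includes every aio/base/model jar in target/`, records it; otherwise the exclusions from patch 4/8 or an explicit list of the artifact jars keeps the scan input stable. This `run:` line is carried unchanged into patch 8/8.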
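Review bot: The rewritten `if:` still keys the opt-out on `github.event.head_commit.message`, a field present on `push` payloads but absent from `pull_request` ones, so `[skip tests]` (and the dangling `[force` marker this hunk adds, which patch 7/8 removes again) only ever skips the scan on master/SP/HF pushes and has no effect on pull requests. Whether a commit-message marker should be able to switch off a SAST gate on those branches deserves a deliberate decision; if it is kept for parity with the other jobs, a comment above the condition such as `# [skip tests] bypasses SAST on push builds only; PR payloads carry no head_commit` documents the asymmetry. The rest of the job's steps continue outside this hunk.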
@@ -73,6 +74,12 @@ jobs: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_PASSWORD }} + - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v5.6.0 + with: + token: ${{ secrets.BOT_GITHUB_TOKEN }} + repository: "Alfresco/veracode-baseline-archive" + file-path: "alfresco-transform-core/alfresco-transform-core-baseline.json" + target: "baseline.json" - name: "Build" run: mvn -B -U install -DskipTests - name: "Create zip"
@@ -89,11 +96,12 @@ jobs: issue_details: true veracode_policy_name: Alfresco Default summary_output: true - summary_output_file: readable_results.txt + summary_output_file: results.json summary_display: true + baseline_file: baseline.json - name: Upload scan result if: success() || failure() - run: zip readable_output.zip readable_results.txt + run: zip readable_output.zip results.json - name: Upload Artifact if: success() || failure() uses: actions/upload-artifact@v3
From 4f175c480ef3915a94dcd31ec171d519efc820fe Mon Sep 17 00:00:00 2001
From: mikolajbrzezinski
Date: Fri, 8 Dec 2023 16:31:57 +0100
Subject: [PATCH 7/8] ACS-6305 Fix if statement
---
 .github/workflows/ci.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 66e3840b1..50e682d27 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -57,8 +57,7 @@ jobs: runs-on: ubuntu-latest if: > (github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/') || github.event_name == 'pull_request') && - !contains(github.event.head_commit.message, '[skip tests]') && - !contains(github.event.head_commit.message, '[force') + !contains(github.event.head_commit.message, '[skip tests]') steps: - uses: actions/checkout@v3 - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.34.0
From 7d8122eb5874d3748741de0a00cec56e84073562 Mon Sep 17 00:00:00 2001 
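Review bot: The baseline fetched from `Alfresco/veracode-baseline-archive` decides which findings the scan's `fail_build` ignores, but the download step pins no ref or tag, so any change on that repository's default branch silently changes what this workflow tolerates without a diff appearing here. If `github-download-file` accepts a ref input, pinning one and bumping it on purpose keeps suppressions reviewable in this repository; either way `BOT_GITHUB_TOKEN` should be scoped to read access on that one repository, since the step needs nothing more. A comment above the step, `# baseline.json holds triaged findings the SAST step excludes; maintained in veracode-baseline-archive`, would tell readers why an external file is pulled into the build. The `Create zip` step that follows continues outside this hunk.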
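Review bot: `summary_output_file` appears to be the action's human-readable summary (the previous name `readable_results.txt` and the artifact label `Veracode Pipeline-Scan Results (Human Readable)` both say so), yet the file is now called `results.json`, which will mislead anyone expecting machine-readable findings. If a text summary is all that is wanted, `summary_output_file: results.txt` together with `run: zip readable_output.zip results.txt` keeps the name honest; if JSON results are needed to maintain the baseline, the action's `json_output: true` and `json_output_file: results.json` inputs produce them alongside the summary. The artifact upload step that follows is outside this hunk.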
From: mikolajbrzezinski
Date: Mon, 11 Dec 2023 16:23:05 +0100
Subject: [PATCH 8/8] ACS-6305 Prepare for review
---
 .github/workflows/ci.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 50e682d27..4efef9392 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -84,11 +84,10 @@ jobs: - name: "Create zip" run: zip -r to-scan.zip engines/aio/target/alfresco-transform-core-aio-*.jar engines/base/target/alfresco-base-t-engine-*.jar model/target/alfresco-transform-model-*.jar - name: "Run SAST Scan" - id: scan uses: veracode/Veracode-pipeline-scan-action@v1.0.10 with: - vid: '${{ secrets.VERACODE_API_ID }}' - vkey: '${{ secrets.VERACODE_API_KEY }}' + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} file: "to-scan.zip" fail_build: true project_name: alfresco-transform-core
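Review bot: Unquoting `${{ secrets.VERACODE_API_ID }}` and `${{ secrets.VERACODE_API_KEY }}` matches the other `with:` blocks and parses identically, but it leaves a gap the job's `pull_request` trigger opens: on pull requests from forks GitHub supplies no secrets, so both inputs arrive empty and `fail_build: true` turns a missing credential into a failed check rather than a skipped scan. If fork pull requests are accepted, guarding the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false` (folded into the existing condition) keeps the scan meaningful where it can run. The job's `if:` and the artifact steps lie outside this hunk.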