-
Notifications
You must be signed in to change notification settings - Fork 1
164 lines (157 loc) · 5.91 KB
/
code-analysis-and-dependency-check.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
name: Code Analysis and OWASP Dependency Check
on:
workflow_call:
inputs:
with-frontend:
required: true
type: boolean
java-version:
required: false
type: string
default: 17
java-distribution:
required: false
type: string
default: corretto
additional-tools:
required: false
type: string
default: ""
frontend-directory:
required: false
type: string
default: ./angular
node-version:
required: false
type: string
default: 16.x
code-coverage-enabled:
required: false
type: string
default: false
nvd-data-feed-url:
required: false
type: string
default: https://storage.googleapis.com/dnastack-nvd-cve-cache/nvdcve-{0}.json.gz
secrets:
sonar-host-url:
required: true
sonar-token:
required: true
pat-with-read-packages-permission:
required: false
test-environment-variables:
required: false
permissions:
contents: write
jobs:
code-analysis-and-dependency-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK ${{ inputs.java-version }}
uses: actions/setup-java@v3
with:
java-version: ${{ inputs.java-version }}
distribution: ${{ inputs.java-distribution }}
cache: maven
- name: Install additional tools
if: ${{ inputs.additional-tools != '' }}
run: |
sudo apt-get update
sudo apt-get install -y ${{ inputs.additional-tools }}
# Sets the m2 settings.xml with the permissions for GitHub server (uses GITHUB_TOKEN under hood)
- uses: s4u/[email protected]
with:
servers: |
[{
"id": "github",
"username": "$GITHUB_ACTOR",
"password": "${{ secrets.pat-with-read-packages-permission }}"
}]
githubServer: false # we are overriding it
# Sets the npmrc with the permissions for private GitHub packages
- name: Use Node.js ${{ inputs.node-version }}
if: ${{ inputs.with-frontend }}
uses: actions/setup-node@v3
with:
node-version: ${{ inputs.node-version }}
cache: 'npm'
cache-dependency-path: "${{ inputs.frontend-directory }}/package-lock.json"
registry-url: 'https://npm.pkg.github.com'
scope: '@dnastack'
- name: Cache SonarQube packages
uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Initialize build (with frontend) # Install Node, and NPM dependencies - so they can be analyzed
if: ${{ inputs.with-frontend }}
env:
NODE_AUTH_TOKEN: ${{ secrets.pat-with-read-packages-permission }}
run: mvn -B initialize -P 'install-npm-and-node,resolve-dependencies,!full-build'
- name: Initialize build
if: ${{ !inputs.with-frontend }}
run: mvn -B initialize -P 'install-npm-and-node,!resolve-dependencies,!full-build'
- name: Maven Dependency Tree Dependency Submission
uses: advanced-security/[email protected]
- name: OWASP Dependency check
run: mvn -B verify -DskipTests -DnvdDatafeedUrl=${{ inputs.nvd-data-feed-url }} dependency-check:aggregate -P '!install-npm-and-node,!resolve-dependencies,!full-build'
- name: Analyze and upload to SonarQube (with frontend)
if: ${{ inputs.with-frontend }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.sonar-token }}
SONAR_HOST_URL: ${{ secrets.sonar-host-url }}
run: mvn -B verify -DskipTests -Dsonar.nodejs.executable=./node_installation/node/node sonar:sonar -P '!full-build'
- name: Analyze and upload to SonarQube
if: ${{ !inputs.with-frontend }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.sonar-token }}
SONAR_HOST_URL: ${{ secrets.sonar-host-url }}
run: mvn -B verify -DskipTests sonar:sonar -P '!full-build'
- name: SonarQube Code coverage
if: ${{ inputs.code-coverage-enabled }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.sonar-token }}
SONAR_HOST_URL: ${{ secrets.sonar-host-url }}
run: |
# If secret env variables provided, source them for integration tests
if [[ ! -z "${{ secrets.test-environment-variables }}" ]]
then
set -a
source <(
# Can't indent this part because of heredoc
cat << 'EOF'
${{ secrets.test-environment-variables }}
EOF
)
set +a
fi
mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
- uses: actions/upload-artifact@v3
with:
name: report-task.txt
path: target/sonar/report-task.txt
if-no-files-found: error
retention-days: 1
quality-gate-check:
name: SonarQube Quality Gate check
needs: code-analysis-and-dependency-check
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v3
with:
name: report-task.txt
- uses: sonarsource/sonarqube-quality-gate-action@master
timeout-minutes: 5 # Force to fail step after specific time.
env:
SONAR_TOKEN: ${{ secrets.sonar-token }}
SONAR_HOST_URL: ${{ secrets.sonar-host-url }}
with:
scanMetadataReportFile: ./report-task.txt