Skip to content

Commit

Permalink
[#185355611] added github actions to run dependency check
Browse files Browse the repository at this point in the history
  • Loading branch information
patmagee committed Apr 11, 2024
1 parent 95ab7fa commit 2e70f69
Show file tree
Hide file tree
Showing 3 changed files with 251 additions and 4 deletions.
8 changes: 4 additions & 4 deletions .github/workflows/build-test-analyse.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,19 +9,19 @@ on:
jobs:
build-and-test-java-app:
name: Build & Test Java App
uses: DNAstack/dnastack-development-tools/.github/workflows/build-test-java-app.yml@4e75ec231d7c954329f7e47bacd5b02928c5f28e
uses: ./.github/workflows/build-and-test-java-app.yml
with:
java-version: 21
secrets:
pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
code-analysis-and-dependency-check:
name: Code Analysis and OWASP Dependency Check
uses: DNAstack/dnastack-development-tools/.github/workflows/code-analysis-and-dependency-check.yml@4e75ec231d7c954329f7e47bacd5b02928c5f28e
uses: ./.github/workflows/code-analysis-and-dependency-check.yml
with:
with-frontend: false
java-version: 21
code-coverage-enabled: true
secrets:
pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
sonar-token: ${{ secrets.SONAR_TOKEN }}
sonar-host-url: ${{ secrets.SONAR_HOST_URL }}
nvd-api-key: ${{ secrets.NVD_API_KEY }}
sonar-host-url: ${{ secrets.SONAR_HOST_URL }}
83 changes: 83 additions & 0 deletions .github/workflows/build-test-java-app.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
name: Build & Test Java App

on:
workflow_call:
inputs:
java-version:
required: false
type: string
default: 17
java-distribution:
required: false
type: string
default: corretto
additional-tools:
required: false
type: string
default: ""
secrets:
pat-with-read-packages-permission:
required: true
test-environment-variables:
required: false

jobs:
build-and-test:
runs-on: ubuntu-latest
services:
postgres:
image: postgres
env:
POSTGRES_PASSWORD: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
# Maps tcp port 5432 on service container to the host
- 5432:5432
steps:
- uses: actions/checkout@v3
- name: Set up JDK ${{ inputs.java-version }}
uses: actions/setup-java@v3
with:
java-version: ${{ inputs.java-version }}
distribution: ${{ inputs.java-distribution }}
cache: maven
- name: Install additional tools
if: ${{ inputs.additional-tools != '' }}
run: |
sudo apt-get update
sudo apt-get install -y ${{ inputs.additional-tools }}
- name: Set up Maven's settings.xml
uses: s4u/[email protected]
with:
servers: |
[{
"id": "github",
"username": "$GITHUB_ACTOR",
"password": "${{ secrets.pat-with-read-packages-permission }}"
}]
githubServer: false # we are overriding it
- name: Build with Maven (without Angular build)
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
run: |
# If secret env variables provided, source them for integration tests
if [[ ! -z "${{ secrets.test-environment-variables }}" ]]
then
set -a
source <(
# Can't indent this part because of heredoc
cat << 'EOF'
${{ secrets.test-environment-variables }}
EOF
)
set +a
fi
mvn -B --update-snapshots verify -P '!install-npm-and-node,!resolve-dependencies,!full-build'
164 changes: 164 additions & 0 deletions .github/workflows/code-analysis-and-dependency-check.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,164 @@
name: Code Analysis and OWASP Dependency Check

on:
workflow_call:
inputs:
with-frontend:
required: true
type: boolean
java-version:
required: false
type: string
default: 17
java-distribution:
required: false
type: string
default: corretto
additional-tools:
required: false
type: string
default: ""
frontend-directory:
required: false
type: string
default: ./angular
node-version:
required: false
type: string
default: 16.x
code-coverage-enabled:
required: false
type: string
default: false
nvd-data-feed-url:
required: false
type: string
default: https://storage.googleapis.com/dnastack-nvd-cve-cache/nvdcve-{0}.json.gz
secrets:
sonar-host-url:
required: true
sonar-token:
required: true
pat-with-read-packages-permission:
required: false
test-environment-variables:
required: false

permissions:
contents: write

jobs:
code-analysis-and-dependency-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK ${{ inputs.java-version }}
uses: actions/setup-java@v3
with:
java-version: ${{ inputs.java-version }}
distribution: ${{ inputs.java-distribution }}
cache: maven
- name: Install additional tools
if: ${{ inputs.additional-tools != '' }}
run: |
sudo apt-get update
sudo apt-get install -y ${{ inputs.additional-tools }}
# Sets the m2 settings.xml with the permissions for GitHub server (uses GITHUB_TOKEN under hood)
- uses: s4u/[email protected]
with:
servers: |
[{
"id": "github",
"username": "$GITHUB_ACTOR",
"password": "${{ secrets.pat-with-read-packages-permission }}"
}]
githubServer: false # we are overriding it
# Sets the npmrc with the permissions for private GitHub packages
- name: Use Node.js ${{ inputs.node-version }}
if: ${{ inputs.with-frontend }}
uses: actions/setup-node@v3
with:
node-version: ${{ inputs.node-version }}
cache: 'npm'
cache-dependency-path: "${{ inputs.frontend-directory }}/package-lock.json"
registry-url: 'https://npm.pkg.github.com'
scope: '@dnastack'
- name: Cache SonarQube packages
uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Initialize build (with frontend) # Install Node, and NPM dependencies - so they can be analyzed
if: ${{ inputs.with-frontend }}
env:
NODE_AUTH_TOKEN: ${{ secrets.pat-with-read-packages-permission }}
run: mvn -B initialize -P 'install-npm-and-node,resolve-dependencies,!full-build'
- name: Initialize build
if: ${{ !inputs.with-frontend }}
run: mvn -B initialize -P 'install-npm-and-node,!resolve-dependencies,!full-build'
- name: Maven Dependency Tree Dependency Submission
uses: advanced-security/[email protected]
- name: OWASP Dependency check
run: mvn -B verify -DskipTests -DnvdDatafeedUrl=${{ inputs.nvd-data-feed-url }} dependency-check:aggregate -P '!install-npm-and-node,!resolve-dependencies,!full-build'
- name: Analyze and upload to SonarQube (with frontend)
if: ${{ inputs.with-frontend }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.sonar-token }}
SONAR_HOST_URL: ${{ secrets.sonar-host-url }}
run: mvn -B verify -DskipTests -Dsonar.nodejs.executable=./node_installation/node/node sonar:sonar -P '!full-build'
- name: Analyze and upload to SonarQube
if: ${{ !inputs.with-frontend }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.sonar-token }}
SONAR_HOST_URL: ${{ secrets.sonar-host-url }}
run: mvn -B verify -DskipTests sonar:sonar -P '!full-build'

- name: SonarQube Code coverage
if: ${{ inputs.code-coverage-enabled }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.sonar-token }}
SONAR_HOST_URL: ${{ secrets.sonar-host-url }}
run: |
# If secret env variables provided, source them for integration tests
if [[ ! -z "${{ secrets.test-environment-variables }}" ]]
then
set -a
source <(
# Can't indent this part because of heredoc
cat << 'EOF'
${{ secrets.test-environment-variables }}
EOF
)
set +a
fi
mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
- uses: actions/upload-artifact@v3
with:
name: report-task.txt
path: target/sonar/report-task.txt
if-no-files-found: error
retention-days: 1
quality-gate-check:
name: SonarQube Quality Gate check
needs: code-analysis-and-dependency-check
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v3
with:
name: report-task.txt
- uses: sonarsource/sonarqube-quality-gate-action@master
timeout-minutes: 5 # Force to fail step after specific time.
env:
SONAR_TOKEN: ${{ secrets.sonar-token }}
SONAR_HOST_URL: ${{ secrets.sonar-host-url }}
with:
scanMetadataReportFile: ./report-task.txt

0 comments on commit 2e70f69

Please sign in to comment.