[#185355611] added github actions to run dependency check (#21)

.github/workflows/build-test-analyse.yml

@@ -9,19 +9,19 @@ on:
 jobs:
   build-and-test-java-app:
     name: Build & Test Java App
-    uses: DNAstack/dnastack-development-tools/.github/workflows/build-test-java-app.yml@4e75ec231d7c954329f7e47bacd5b02928c5f28e
+    uses: ./.github/workflows/build-and-test-java-app.yml
     with:
       java-version: 21
     secrets:
       pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
   code-analysis-and-dependency-check:
     name: Code Analysis and OWASP Dependency Check
-    uses: DNAstack/dnastack-development-tools/.github/workflows/code-analysis-and-dependency-check.yml@4e75ec231d7c954329f7e47bacd5b02928c5f28e
+    uses: ./.github/workflows/code-analysis-and-dependency-check.yml
     with:
       with-frontend: false
       java-version: 21
+      code-coverage-enabled: true
     secrets:
       pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
       sonar-token: ${{ secrets.SONAR_TOKEN }}
-      sonar-host-url: ${{ secrets.SONAR_HOST_URL }}
-      nvd-api-key: ${{ secrets.NVD_API_KEY }}
+      sonar-host-url: ${{ secrets.SONAR_HOST_URL }}

.github/workflows/build-test-java-app.yml

@@ -0,0 +1,83 @@
+name: Build & Test Java App
+
+on:
+  workflow_call:
+    inputs:
+      java-version:
+        required: false
+        type: string
+        default: 17
+      java-distribution:
+        required: false
+        type: string
+        default: corretto
+      additional-tools:
+        required: false
+        type: string
+        default: ""
+    secrets:
+      pat-with-read-packages-permission:
+        required: true
+      test-environment-variables:
+        required: false
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres
+        env:
+          POSTGRES_PASSWORD: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          # Maps tcp port 5432 on service container to the host
+          - 5432:5432
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK ${{ inputs.java-version }}
+        uses: actions/setup-java@v3
+        with:
+          java-version: ${{ inputs.java-version }}
+          distribution: ${{ inputs.java-distribution }}
+          cache: maven
+      - name: Install additional tools
+        if: ${{ inputs.additional-tools != '' }}
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ${{ inputs.additional-tools }}
+      - name: Set up Maven's settings.xml
+        uses: s4u/[email protected]
+        with:
+          servers: |
+            [{
+              "id": "github",
+              "username": "$GITHUB_ACTOR",
+              "password": "${{ secrets.pat-with-read-packages-permission }}"
+            }]
+          githubServer: false # we are overriding it
+      - name: Build with Maven (without Angular build)
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+        run: |
+          # If secret env variables provided, source them for integration tests
+          if [[ ! -z "${{ secrets.test-environment-variables }}" ]]
+          then
+
+            set -a
+            source <(
+          # Can't indent this part because of heredoc
+          cat << 'EOF'
+          ${{ secrets.test-environment-variables }}
+          EOF
+            )
+            set +a
+
+          fi
+
+          mvn -B --update-snapshots verify -P '!install-npm-and-node,!resolve-dependencies,!full-build'

.github/workflows/code-analysis-and-dependency-check.yml

@@ -0,0 +1,164 @@
+name: Code Analysis and OWASP Dependency Check
+
+on:
+  workflow_call:
+    inputs:
+      with-frontend:
+        required: true
+        type: boolean
+      java-version:
+        required: false
+        type: string
+        default: 17
+      java-distribution:
+        required: false
+        type: string
+        default: corretto
+      additional-tools:
+        required: false
+        type: string
+        default: ""
+      frontend-directory:
+        required: false
+        type: string
+        default: ./angular
+      node-version:
+        required: false
+        type: string
+        default: 16.x
+      code-coverage-enabled:
+        required: false
+        type: string
+        default: false
+      nvd-data-feed-url:
+        required: false
+        type: string
+        default: https://storage.googleapis.com/dnastack-nvd-cve-cache/nvdcve-{0}.json.gz
+    secrets:
+      sonar-host-url:
+        required: true
+      sonar-token:
+        required: true
+      pat-with-read-packages-permission:
+        required: false
+      test-environment-variables:
+        required: false
+
+permissions:
+  contents: write
+
+jobs:
+  code-analysis-and-dependency-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Set up JDK ${{ inputs.java-version }}
+        uses: actions/setup-java@v3
+        with:
+          java-version: ${{ inputs.java-version }}
+          distribution: ${{ inputs.java-distribution }}
+          cache: maven
+      - name: Install additional tools
+        if: ${{ inputs.additional-tools != '' }}
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ${{ inputs.additional-tools }}
+      # Sets the m2 settings.xml with the permissions for GitHub server (uses GITHUB_TOKEN under hood)
+      - uses: s4u/[email protected]
+        with:
+          servers: |
+            [{
+              "id": "github",
+              "username": "$GITHUB_ACTOR",
+              "password": "${{ secrets.pat-with-read-packages-permission }}"
+            }]
+          githubServer: false # we are overriding it
+      # Sets the npmrc with the permissions for private GitHub packages
+      - name: Use Node.js ${{ inputs.node-version }}
+        if: ${{ inputs.with-frontend }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ inputs.node-version }}
+          cache: 'npm'
+          cache-dependency-path: "${{ inputs.frontend-directory }}/package-lock.json"
+          registry-url: 'https://npm.pkg.github.com'
+          scope: '@dnastack'
+      - name: Cache SonarQube packages
+        uses: actions/cache@v3
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+      - name: Initialize build (with frontend) # Install Node, and NPM dependencies - so they can be analyzed
+        if: ${{ inputs.with-frontend }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.pat-with-read-packages-permission }}
+        run: mvn -B initialize -P 'install-npm-and-node,resolve-dependencies,!full-build'
+      - name: Initialize build
+        if: ${{ !inputs.with-frontend }}
+        run: mvn -B initialize -P 'install-npm-and-node,!resolve-dependencies,!full-build'
+      - name: Maven Dependency Tree Dependency Submission
+        uses: advanced-security/[email protected]
+      - name: OWASP Dependency check
+        run: mvn -B verify -DskipTests -DnvdDatafeedUrl=${{ inputs.nvd-data-feed-url }} dependency-check:aggregate -P '!install-npm-and-node,!resolve-dependencies,!full-build'
+      - name: Analyze and upload to SonarQube (with frontend)
+        if: ${{ inputs.with-frontend }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.sonar-token }}
+          SONAR_HOST_URL: ${{ secrets.sonar-host-url }}
+        run: mvn -B verify -DskipTests -Dsonar.nodejs.executable=./node_installation/node/node sonar:sonar -P '!full-build'
+      - name: Analyze and upload to SonarQube
+        if: ${{ !inputs.with-frontend }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.sonar-token }}
+          SONAR_HOST_URL: ${{ secrets.sonar-host-url }}
+        run: mvn -B verify -DskipTests sonar:sonar -P '!full-build'
+
+      - name: SonarQube Code coverage
+        if: ${{ inputs.code-coverage-enabled }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.sonar-token }}
+          SONAR_HOST_URL: ${{ secrets.sonar-host-url }}
+        run: |
+          # If secret env variables provided, source them for integration tests
+          if [[ ! -z "${{ secrets.test-environment-variables }}" ]]
+          then     
+          
+            set -a
+            source <(
+          # Can't indent this part because of heredoc
+          cat << 'EOF'
+          ${{ secrets.test-environment-variables }}
+          EOF
+            )
+            set +a
+          
+          fi
+        
+          mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+      - uses: actions/upload-artifact@v3
+        with:
+          name: report-task.txt
+          path: target/sonar/report-task.txt
+          if-no-files-found: error
+          retention-days: 1
+  quality-gate-check:
+    name: SonarQube Quality Gate check
+    needs: code-analysis-and-dependency-check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          name: report-task.txt
+      - uses: sonarsource/sonarqube-quality-gate-action@master
+        timeout-minutes: 5 # Force to fail step after specific time.
+        env:
+          SONAR_TOKEN: ${{ secrets.sonar-token }}
+          SONAR_HOST_URL: ${{ secrets.sonar-host-url }}
+        with:
+          scanMetadataReportFile: ./report-task.txt