diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 39cac0cda..d205a1d36 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,7 +47,7 @@ jobs: uses: graalvm/setup-graalvm@v1 with: java-version: '21' - distribution: 'graalvm-community' + distribution: 'graalvm' github-token: ${{ secrets.GITHUB_TOKEN }} set-java-home: true cache: 'maven'
@@ -56,7 +56,7 @@ jobs: run: mvn -P build-drifty-cli-for-${{ matrix.os }} package - name: Set Up Maven version 3.8.8 # For GUI build issues, maven version 3.8.8 needs to be used if: ${{ matrix.mode == 'GUI' }} - uses: stCarolas/setup-maven@v4.5 + uses: stCarolas/setup-maven@v5 with: maven-version: 3.8.8 - name: Build platform-specific C object for missing jdk libraries
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index e44a91cfc..9a91a724f 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -1,10 +1,5 @@ name: Build and publish Docker images -# This workflow uses actions that GitHub does not certify. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - on: push: branches: [ "**" ]
@@ -13,7 +8,7 @@ on: paths-ignore: - "Website/**" - "*.md" - pull_request: + pull_request_target: paths-ignore: - "Website/**" - "*.md"
@@ -25,6 +20,7 @@ env: jobs: build: runs-on: "ubuntu-latest" + if: github.repository == 'SaptarshiSarkar12/Drifty' strategy: matrix: filename: [ CLI/Dockerfile, GUI/Dockerfile ]
@@ -53,12 +49,12 @@ jobs: permissions: contents: read packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside PRs. - id-token: write + security-events: write steps: - name: Checkout repository uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} - name: Update system packages if: matrix.filename == 'GUI/Dockerfile' run: sudo apt-get update 
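Review bot: The new `distribution: 'graalvm'` selects Oracle GraalVM instead of the Community build, which is distributed under Oracle's GraalVM Free Terms and Conditions rather than the Community edition's open-source license, and nothing on the line records that this is deliberate; a comment such as `distribution: 'graalvm'  # Oracle GraalVM (GFTC), not Community - see <reason>` would keep the next maintainer from switching it back. The same change is made in docker-publish.yml at hunk `@@ -71,7 +67,7 @@`. If the switch is also what motivates the `-march=compatibility` additions in CLI/pom.xml and GUI/pom.xml, saying so in that comment would tie the two together.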
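Review bot: Changing the trigger to `pull_request_target` while the checkout step in hunk `@@ -53,12 +49,12 @@` now checks out `${{ github.event.pull_request.head.sha }}` runs a fork's unreviewed build definition (pom.xml, Dockerfiles, the Maven plugins resolved by `mvn package`) in the base repository's trust context, with a `GITHUB_TOKEN` that carries the job's `packages: write` and `security-events: write` permissions; the job-level `if: github.repository == 'SaptarshiSarkar12/Drifty'` added in hunk `@@ -25,6 +20,7 @@` does not narrow this, because a fork PR's target repository is exactly that value. GitHub's published guidance is to keep `pull_request` for any workflow that checks out and executes PR content and to reserve `pull_request_target` for steps that need secrets but never run PR code. If fork PRs must be built here, the safer shape is a separate job for that event with `permissions: contents: read`, no registry login and no cache writes; the minimal fix is to revert `pull_request_target:` to `pull_request:`, drop the `with:`/`ref:` override on the checkout, and change the `!= 'pull_request_target'` conditions in the later hunks back to `!= 'pull_request'`.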
@@ -71,7 +67,7 @@ jobs: uses: graalvm/setup-graalvm@v1 with: java-version: '21' - distribution: 'graalvm-community' + distribution: 'graalvm' github-token: ${{ secrets.GITHUB_TOKEN }} set-java-home: true cache: 'maven'
@@ -80,7 +76,7 @@ jobs: run: mvn -P build-drifty-cli-for-ubuntu-latest package - name: Set Up Maven version 3.8.8 # For GUI build issues, maven version 3.8.8 needs to be used if: matrix.filename == 'GUI/Dockerfile' - uses: stCarolas/setup-maven@v4.5 + uses: stCarolas/setup-maven@v5 with: maven-version: 3.8.8 - name: Build platform-specific C object for missing jdk libraries
@@ -116,14 +112,14 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3.0.0 - # Login against a Docker registry except on PR + # Login to GitHub Container Registry # https://github.com/docker/login-action - name: Log into registry - if: github.event_name != 'pull_request' && github.repository == 'SaptarshiSarkar12/Drifty' uses: docker/login-action@v3.0.0 + if: github.event_name != 'pull_request_target' with: registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} + username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} # Extract metadata (tags, labels) for Docker 
@@ -149,10 +145,34 @@ jobs: uses: docker/build-push-action@v5.1.0 with: context: build/${{ matrix.docker_context }} - push: ${{ github.event_name != 'pull_request' && github.repository == 'SaptarshiSarkar12/Drifty' }} + push: ${{ github.event_name != 'pull_request_target' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max file: Docker/prod/${{ matrix.filename }} platforms: linux/amd64,linux/arm64,linux/arm/v7 + + - name: Generate short commit SHA + if: github.event_name != 'pull_request_target' + run: echo "SHORT_SHA=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_ENV + + - name: Run Trivy security scan + uses: aquasecurity/trivy-action@0.17.0 + if: github.event_name != 'pull_request_target' + continue-on-error: true + with: + image-ref: ${{ env.REGISTRY }}/saptarshisarkar12/${{ matrix.image_name }}:sha-${{ env.SHORT_SHA }} + format: 'sarif' + exit-code: 1 + vuln-type: os,library + ignore-unfixed: true + output: 'trivy-report.sarif' + hide-progress: false + scanners: vuln,secret,misconfig + + - name: Upload Trivy security scan results + if: github.event_name != 'pull_request_target' + uses: github/codeql-action/upload-sarif@main + with: + sarif_file: trivy-report.sarif \ No newline at end of file
diff --git a/CLI/pom.xml b/CLI/pom.xml
index 9b7895be4..6d784b9d1 100644
--- a/CLI/pom.xml
+++ b/CLI/pom.xml
@@ -45,7 +45,7 @@ org.graalvm.buildtools native-maven-plugin - 0.10.0 + 0.10.1 true Drifty CLI
@@ -56,6 +56,7 @@ --enable-url-protocols=http -H:ResourceConfigurationFiles=${project.parent.basedir}/config/${resource-config-file} --no-fallback + -march=compatibility -H:+ReportExceptionStackTraces --verbose
@@ -64,7 +65,7 @@ build - build + compile-no-fork package
@@ -84,7 +85,7 @@ org.graalvm.buildtools native-maven-plugin - 0.10.0 + 0.10.1 true Drifty CLI
@@ -104,7 +105,7 @@ build - build + compile-no-fork package 
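Review bot: `uses: github/codeql-action/upload-sarif@main` in the new upload step follows a moving branch while every other action in this workflow is pinned to a version; pinning it to a release tag (`github/codeql-action/upload-sarif@v3`) or a commit SHA keeps the step reproducible and limits what an upstream change to `main` can do inside a job that holds `security-events: write`. The `SHORT_SHA` produced by `git rev-parse --short` is only 7 characters while the prefix is unambiguous, whereas the `sha-` tag it is matched against comes from the metadata step outside this hunk, so a widened abbreviation would make `image-ref` name a tag that was never pushed; a fixed-length form such as `run: echo "SHORT_SHA=${GITHUB_SHA::7}" >> "$GITHUB_ENV"` avoids that, assuming the metadata step keeps its default short-SHA length. With `exit-code: 1` under `continue-on-error: true` a failing scan never fails the job, so a comment like `# findings surface in code scanning only; they do not block the build` would make clear that this is intended. Since the workflow now also runs on `pull_request_target`, the unchanged `cache-to: type=gha,mode=max` would, as I read GitHub's cache-isolation rules, store a fork PR's layers under the base-branch scope from which the trusted push builds restore via `cache-from`; gating the cache write on the event, or not building PR content under that trigger, avoids this.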
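Review bot: The `-march=compatibility` build argument added here, and again in GUI/pom.xml at hunks `@@ -86,6 +86,7 @@` and `@@ -105,6 +106,7 @@`, carries no comment explaining why it is needed; because it trades CPU-specific code generation for a binary that starts on older processors, an XML comment beside it such as `<!-- -march=compatibility: target the baseline ISA so the native binary runs on CPUs without newer extensions (avoids illegal-instruction crashes) -->` would keep a later contributor from removing it to recover performance. The XML elements of this hunk are stripped in this rendering, so the exact line to attach the comment to cannot be quoted here.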
@@ -124,7 +125,7 @@ org.graalvm.buildtools native-maven-plugin - 0.10.0 + 0.10.1 true Drifty CLI
@@ -144,7 +145,7 @@ build - build + compile-no-fork package
diff --git a/CLI/src/main/resources/META-INF/native-image/reflect-config.json b/CLI/src/main/resources/META-INF/native-image/reflect-config.json
index d21c1bfd6..ceccdf0b1 100644
--- a/CLI/src/main/resources/META-INF/native-image/reflect-config.json
+++ b/CLI/src/main/resources/META-INF/native-image/reflect-config.json
@@ -40,10 +40,6 @@ "name":"com.sun.crypto.provider.GaloisCounterMode$AESGCM", "methods":[{"name":"","parameterTypes":[] }] }, -{ - "name":"com.sun.crypto.provider.HmacCore$HmacSHA256", - "methods":[{"name":"","parameterTypes":[] }] -}, { "name":"com.sun.crypto.provider.HmacCore$HmacSHA384", "methods":[{"name":"","parameterTypes":[] }]
@@ -84,12 +80,6 @@ { "name":"java.security.SecureRandomParameters" }, -{ - "name":"java.security.interfaces.ECPrivateKey" -}, -{ - "name":"java.security.interfaces.ECPublicKey" -}, { "name":"java.security.interfaces.RSAPrivateKey" },
@@ -203,10 +193,6 @@ "name":"sun.security.rsa.RSASignature$SHA256withRSA", "methods":[{"name":"","parameterTypes":[] }] }, -{ - "name":"sun.security.rsa.RSASignature$SHA384withRSA", - "methods":[{"name":"","parameterTypes":[] }] -}, { "name":"sun.security.ssl.KeyManagerFactoryImpl$SunX509", "methods":[{"name":"","parameterTypes":[] }]
diff --git a/GUI/pom.xml b/GUI/pom.xml
index 13f7872b8..0470075ca 100644
--- a/GUI/pom.xml
+++ b/GUI/pom.xml
@@ -86,6 +86,7 @@ -Dsvm.platform=org.graalvm.nativeimage.Platform$MACOS_AMD64 ${pom.parent.basedir}/config/missing_symbols-macos-latest.o resource-config-mac.json + -march=compatibility true
@@ -105,6 +106,7 @@ msi ${pom.parent.basedir}/config/missing_symbols-windows-latest.o resource-config-windows.json + -march=compatibility 
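Review bot: Dropping the reflection entries for `HmacCore$HmacSHA256`, `ECPrivateKey`, `ECPublicKey` and `RSASignature$SHA384withRSA` (this hunk and the two that follow in the same file) changes which JCE/TLS classes the native CLI can instantiate reflectively, and no reason is given; if this file is regenerated from a tracing-agent run, the removals show only that the recorded run did not exercise those algorithms, for example an ECDHE key exchange or an ECDSA-signed certificate chain, not that no download host needs them. Before merging it would be worth confirming that the native binary still completes TLS handshakes against an ECDSA-certificate host and a HMAC-SHA256 cipher suite, or keeping these four entries until that has been checked.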
diff --git a/GUI/src/main/resources/META-INF/native-image/resource-config.json b/GUI/src/main/resources/META-INF/native-image/resource-config.json
index 13617bc78..5e2a1392c 100644
--- a/GUI/src/main/resources/META-INF/native-image/resource-config.json
+++ b/GUI/src/main/resources/META-INF/native-image/resource-config.json
@@ -76,6 +76,8 @@ "pattern":"java.base:\\Qjdk/internal/icu/impl/data/icudt72b/uprops.icu\\E" }, { "pattern":"java.base:\\Qsun/net/idn/uidna.spp\\E" + }, { + "pattern":"java.base:\\Qsun/text/resources/WordBreakIteratorData\\E" }, { "pattern":"java.xml:\\Qcom/sun/org/apache/xml/internal/serializer/Encodings.properties\\E" }, {
@@ -104,8 +106,6 @@ "pattern":"javafx.graphics:\\Qcom/sun/prism/es2/glsl/Texture_LinearGradient_PAD.frag\\E" }, { "pattern":"javafx.graphics:\\Qcom/sun/scenario/effect/impl/es2/glsl/Blend_SRC_IN.frag\\E" - }, { - "pattern":"javafx.graphics:\\Qcom/sun/scenario/effect/impl/es2/glsl/LinearConvolveShadow_20.frag\\E" }, { "pattern":"javafx.graphics:\\Qcom/sun/scenario/effect/impl/es2/glsl/LinearConvolveShadow_28.frag\\E" }, {
diff --git a/pom.xml b/pom.xml
index 2e974a25b..a7306d746 100644
--- a/pom.xml
+++ b/pom.xml
@@ -40,7 +40,7 @@ org.openrewrite.maven rewrite-maven-plugin - 5.22.0 + 5.23.1 org.openrewrite.staticanalysis.CommonStaticAnalysis
@@ -57,12 +57,12 @@ org.openrewrite.recipe rewrite-static-analysis - 1.3.0 + 1.3.1 org.openrewrite.recipe rewrite-recommendations - 1.2.1 + 1.2.2