From 7b3deb1733a094afe5a1c77d674e426ef0f3cd90 Mon Sep 17 00:00:00 2001
From: Tunahan Cicek
Date: Thu, 6 Apr 2023 14:56:05 +0200
Subject: [PATCH 1/2] add github actions
---
.../generate-dependencies-notice/action.yml | 37 +++
.../generate-dependencies-notice/index.js | 253 ++++++++++++++++++
.../package-lock.json | 84 ++++++
.../generate-dependencies-notice/package.json | 15 ++
.github/workflows/build-snapshot.yml | 48 ++++
.github/workflows/gitleaks.yml | 60 +++++
.github/workflows/helm-release.yml | 54 ++++
.github/workflows/kics.yml | 71 +++++
.github/workflows/release.yml | 62 +++++
.github/workflows/trivy.yml | 100 +++++++
10 files changed, 784 insertions(+)
create mode 100644 .github/actions/generate-dependencies-notice/action.yml
create mode 100644 .github/actions/generate-dependencies-notice/index.js
create mode 100644 .github/actions/generate-dependencies-notice/package-lock.json
create mode 100644 .github/actions/generate-dependencies-notice/package.json
create mode 100644 .github/workflows/build-snapshot.yml
create mode 100644 .github/workflows/gitleaks.yml
create mode 100644 .github/workflows/helm-release.yml
create mode 100644 .github/workflows/kics.yml
create mode 100644 .github/workflows/release.yml
create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/actions/generate-dependencies-notice/action.yml b/.github/actions/generate-dependencies-notice/action.yml
new file mode 100644
index 0000000..ee40452
--- /dev/null
+++ b/.github/actions/generate-dependencies-notice/action.yml
@@ -0,0 +1,37 @@
+# Copyright (c) 2023 Copyright (c) 2023 Robert Bosch Manufacturing Solutions GmbH
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# SPDX-License-Identifier: Apache-2.0
+---
+
+name: Generate Dependencies Notice
+description: Generates dpendencies notices and integrates license texts
+inputs:
+ version:
+ description: Version of the image to publish
+ required: true
+ base-path:
+ description: Base path of the repository
+ required: true
+ maven-deps-path:
+ description: Location where to find the maven deps file
+ required: true
+ base-image-layers-path:
+ description: Location where to find the package info about the base image layers
+ required: true
+runs:
+ using: node16
+ main: index.js
\ No newline at end of file
diff --git a/.github/actions/generate-dependencies-notice/index.js b/.github/actions/generate-dependencies-notice/index.js
new file mode 100644
index 0000000..8590d42
--- /dev/null
+++ b/.github/actions/generate-dependencies-notice/index.js
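Review bot: The `version` input is declared `required: true` but `index.js` never reads it — its `core.getInput` calls cover only `base-path`, `maven-deps-path` and `base-image-layers-path` — so every caller is forced to supply a value that has no effect; either remove the input or wire it into the generated notice. The description has a typo: `description: Generates dependencies notices and integrates license texts`. `using: node16` will also need bumping once GitHub retires the Node 16 action runtime, which matters more than usual here because the action performs its own network downloads.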
@@ -0,0 +1,253 @@
+/*
+Copyright (c) 2023 Copyright (c) 2023 Robert Bosch Manufacturing Solutions GmbH
+Copyright (c) 2023 Contributors to the Eclipse Foundation
+
+See the NOTICE file(s) distributed with this work for additional
+information regarding copyright ownership.
+
+This program and the accompanying materials are made available under the
+terms of the Apache License, Version 2.0 which is available at
+https://www.apache.org/licenses/LICENSE-2.0.
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+License for the specific language governing permissions and limitations
+under the License.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+const https = require('https')
+const fs = require('fs')
+const path = require('path')
+const { exec } = require("child_process")
+const { parse } = require('csv-parse/sync')
+const core = require('@actions/core');
+
+
+const basePath = core.getInput('base-path');
+const relativeMavenDepsPath = core.getInput('maven-deps-path');
+const relativeBaseImageLayersPath = core.getInput('base-image-layers-path');
+
+var dashToolPath = `${basePath}/dash-tool.jar`
+var legalDirectory = `${basePath}/legal`
+var mavenDepPath = path.join(basePath, relativeMavenDepsPath)
+var baseImageLayersPath = path.join(basePath, relativeBaseImageLayersPath)
+var summaryOutputPath = `${legalDirectory}/dependencies.txt`
+var baseImageLayerMappingPath = `${legalDirectory}/baseImageLayers.txt`
+var licenseDirectory = `${legalDirectory}/licenses`
+
+main()
+
+async function main() {
+ await asyncDashToolDownload("https://repo.eclipse.org/service/local/artifact/maven/redirect?r=dash-licenses&g=org.eclipse.dash&a=org.eclipse.dash.licenses&v=LATEST")
+
+ createDirectories()
+
+ var [baseLayerPackageList, baseLayerLicenses] = parseBaseImageLayers()
+
+ writeBaseImageLayerMappingToFile(baseLayerPackageList)
+
+ var dashToolResponse = await runDashTool()
+
+ console.log(dashToolResponse)
+
+ var depLicenses = parseDependencies()
+
+ var spdxMapping = await fetchSPDXMapping()
+
+ var mergedLicenseList = [...new Set(baseLayerLicenses.concat(depLicenses))]
+
+ await downloadLicenses(mergedLicenseList, spdxMapping)
+}
+
+async function downloadLicenses(depLicenses, spdxMapping) {
+ return Promise.all(depLicenses.map((license) => {
+ var result = spdxMapping.licenses.find(mapping => mapping.licenseId === license)
+
+ if(result != undefined) {
+ return new Promise((resolve, reject) => {
+ https.get(result.detailsUrl, (response) => {
+ let body = "";
+
+ response.on("data", (part) => {
+ body += part;
+ });
+
+ response.on("end", () => {
+ let licenseDetailsJson = JSON.parse(body);
+
+ fs.writeFileSync(`${licenseDirectory}/${licenseDetailsJson.licenseId}.txt`, licenseDetailsJson.licenseText, err => {
+ if(err) {
+ console.log(err)
+
+ reject()
+ }
+ })
+
+ console.log(`Successfully downloaded ${license}`)
+
+ resolve()
+ });
+ })
+ })
+ } else {
+ console.log(`WARNING: Unable to find ${license}`)
+ }
+ }))
+}
+
+function writeBaseImageLayerMappingToFile(data) {
+ fs.writeFileSync(baseImageLayerMappingPath, JSON.stringify(data), (err) => {
+ if(err) {
+ console.log(err)
+ }
+ })
+}
+
+function parseBaseImageLayers() {
+ var baseImageLayersFile = fs.readFileSync(baseImageLayersPath, (err, data) => {
+ if(err) {
+ console.log(error)
+
+ return;
+ }
+ })
+
+ var baseImageLayerJson = JSON.parse(baseImageLayersFile)
+
+ var packages = []
+ var licenses = []
+
+ for(layer of baseImageLayerJson.images[0].image.layers) {
+ for(package of layer.packages) {
+ packages.push({
+ name: package.name,
+ version: package.version,
+ proj_url: package.proj_url,
+ license: package.pkg_license
+ })
+
+ licenses = licenses.concat(extractLicensesFromLicenseStatement(package.pkg_license))
+ }
+ }
+
+ licenses = [...new Set(licenses)]
+
+ licenses = licenses.filter(l => l !== "")
+
+ return [packages, licenses]
+}
+
+function parseDependencies(licenses) {
+ var dependenciesList = fs.readFileSync(summaryOutputPath, (err, data) => {
+ if(err) {
+ console.log(error)
+
+ return;
+ }
+ })
+ var records = parse(dependenciesList, {
+ skip_empty_lines: true,
+ delimiter: ',',
+ })
+
+ var licenses = []
+
+ for(record of records) {
+ licenses = licenses.concat(extractLicensesFromLicenseStatement(record[1]))
+ }
+
+ licenses = [...new Set(licenses)]
+
+ licenses = licenses.filter(l => l !== "")
+
+ return licenses
+}
+
+function extractLicensesFromLicenseStatement(licenseString) {
+ var licenses = []
+
+ license = licenseString.replace(/[ \(\)]/g, "")
+ var splitLicense = license.split(/AND|OR|with|WITH/g)
+ for(l of splitLicense) {
+ licenses.push(l)
+ }
+
+ return licenses
+}
+
+async function fetchSPDXMapping() {
+ return new Promise((resolve, reject) => {
+ https.get("https://raw.githubusercontent.com/spdx/license-list-data/main/json/licenses.json", (response) => {
+ let body = "";
+
+ response.on("data", (part) => {
+ body += part;
+ });
+
+ response.on("end", () => {
+ try {
+ let spdxMappingJson = JSON.parse(body);
+ resolve(spdxMappingJson)
+ } catch (error) {
+ console.error(error.message);
+ };
+ });
+ })
+ })
+}
+
+async function runDashTool() {
+ return new Promise((resolve, reject) => {
+ console.log(`Executing Dash Tool`)
+
+ exec(`java -jar ${dashToolPath} ${mavenDepPath} -summary ${summaryOutputPath}`, (error, stdout, stderr) => {
+ if (stderr) {
+ resolve(stderr)
+ }
+
+ resolve(stdout)
+ })
+ })
+}
+
+async function asyncDashToolDownload(url) {
+ return new Promise((resolve, reject) => {
+ downloadDashTool(url, resolve, reject)
+ })
+}
+
+async function downloadDashTool(url, resolve, reject) {
+ https.get(url, (response) => {
+ if (response.statusCode >= 400) {
+ reject("Could not download Dash Tool")
+ }
+
+ if (response.statusCode > 300 && response.statusCode < 400 && !!response.headers.location) {
+ downloadDashTool(response.headers.location, resolve, reject)
+ } else {
+ console.log(`Starting download of Dash Tool`)
+
+ const filePath = fs.createWriteStream(dashToolPath);
+
+ response.pipe(filePath)
+ filePath.on('finish', () => {
+ filePath.close()
+ console.log(`Downloaded Dash Tool`)
+ resolve(`Downloaded Dash Tool`)
+ })
+ }
+ })
+}
+
+function createDirectories() {
+ if(!fs.existsSync(legalDirectory)) {
+ fs.mkdirSync(legalDirectory)
+ }
+
+ if(!fs.existsSync(licenseDirectory)) {
+ fs.mkdirSync(licenseDirectory)
+ }
+}
\ No newline at end of file
diff --git a/.github/actions/generate-dependencies-notice/package-lock.json b/.github/actions/generate-dependencies-notice/package-lock.json
new file mode 100644
index 0000000..da187b7
--- /dev/null
+++ b/.github/actions/generate-dependencies-notice/package-lock.json
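Review bot: `asyncDashToolDownload` fetches `org.eclipse.dash.licenses` at `v=LATEST`, follows an unbounded chain of `Location` redirects to whatever host they name, and `runDashTool` then executes the result with `java -jar` without checking a digest or signature, so the code that runs inside the workflow is whatever the redirect chain returned that day; pin a fixed version and compare the downloaded jar against a known SHA-256 before invoking it. `runDashTool` also builds its command line with `exec` and string interpolation of `basePath`/`mavenDepPath` (action inputs, so only as trusted as the calling workflow) and never inspects `error`, so a non-zero exit from the Dash tool — presumably including its own license-problem status — is silently turned into a successful run that goes on to parse a stale or empty `dependencies.txt`; switching to `execFile` fixes both, and needs `const { execFile } = require("child_process")` in the header. Two smaller defects: in `downloadDashTool` the `reject("Could not download Dash Tool")` on status >= 400 does not `return`, so the error body is still streamed into `dash-tool.jar`; and the `err => { … reject() }` callbacks handed to `writeFileSync`/`readFileSync` are ignored by the sync APIs (they throw instead), so the `reject()` branch in `downloadLicenses` and the `console.log(error)` branches (which reference an undefined `error`) can never execute.
```javascript
async function runDashTool() {
  // execFile hands arguments straight to java, so paths derived from action
  // inputs are never interpreted by a shell.
  return new Promise((resolve, reject) => {
    console.log(`Executing Dash Tool`)

    execFile('java', ['-jar', dashToolPath, mavenDepPath, '-summary', summaryOutputPath], (error, stdout, stderr) => {
      if (error) {
        // Any non-zero exit must fail the action instead of continuing
        // with a stale or missing summary file.
        reject(new Error(`Dash Tool exited with ${error.code}: ${stderr}`))
        return
      }

      resolve(stdout)
    })
  })
}

async function downloadDashTool(url, resolve, reject) {
  https.get(url, (response) => {
    if (response.statusCode >= 400) {
      reject("Could not download Dash Tool")
      return // do not fall through and write the error page into dash-tool.jar
    }
    // … unchanged: redirect handling and file write …
  })
}
```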
@@ -0,0 +1,84 @@ +{ + "name": "generate-dependencies-notice", + "version": "1.0.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "generate-dependencies-notice", + "version": "1.0.0", + "license": "ISC", + "dependencies": { + "@actions/core": "^1.10.0", + "csv": "^6.2.7" + } + }, + "node_modules/@actions/core": { + "version": "1.10.0", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz", + "integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==", + "dependencies": { + "@actions/http-client": "^2.0.1", + "uuid": "^8.3.2" + } + }, + "node_modules/@actions/http-client": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz", + "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==", + "dependencies": { + "tunnel": "^0.0.6" + } + }, + "node_modules/csv": { + "version": "6.2.7", + "resolved": "https://registry.npmjs.org/csv/-/csv-6.2.7.tgz", + "integrity": "sha512-W9rB5/QWqXg2rQcAOT7lDHfxhDavg1BEmy+WaxKRYowzK9Dq+7WHIJo/8Xvry7rtaWQTMgl0wkS/cfd1k9cQUg==", + "dependencies": { + "csv-generate": "^4.2.2", + "csv-parse": "^5.3.5", + "csv-stringify": "^6.2.4", + "stream-transform": "^3.2.2" + }, + "engines": { + "node": ">= 0.1.90" + } + }, + "node_modules/csv-generate": { + "version": "4.2.2", + "resolved": "https://registry.npmjs.org/csv-generate/-/csv-generate-4.2.2.tgz", + "integrity": "sha512-Ah/NcMxHMqwQsuL173yp8EOzHrbLh8iyScqTy990b+TJZNjHhy7gs5FfSmyQ2arLC2QVrueO3DYJVQnibJB3WQ==" + }, + "node_modules/csv-parse": { + "version": "5.3.5", + "resolved": "https://registry.npmjs.org/csv-parse/-/csv-parse-5.3.5.tgz", + "integrity": "sha512-8O5KTIRtwmtD3+EVfW6BCgbwZqJbhTYsQZry12F1TP5RUp0sD9tp1UnCWic3n0mLOhzeocYaCZNYxOGSg3dmmQ==" + }, + "node_modules/csv-stringify": { + "version": "6.2.4", + "resolved": 
"https://registry.npmjs.org/csv-stringify/-/csv-stringify-6.2.4.tgz", + "integrity": "sha512-RVzGaBeHl0IspzOSiNr1e7XDM7ajuESlqetQbxH2pBPplIWycx0gAVclxNEa4lc91brK6LIE0PrdEoHtZYIHIQ==" + }, + "node_modules/stream-transform": { + "version": "3.2.2", + "resolved": "https://registry.npmjs.org/stream-transform/-/stream-transform-3.2.2.tgz", + "integrity": "sha512-DHZQPNxvjU2qdQlGcpitn8pkJHQVTqdshtgXaLz6Vc5VCAognbGuuwGS5ugeqGVnyw8j4h89QcV8cwm0D1+V0A==" + }, + "node_modules/tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", + "engines": { + "node": ">=0.6.11 <=0.7.0 || >=0.7.3" + } + }, + "node_modules/uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", + "bin": { + "uuid": "dist/bin/uuid" + } + } + } +} diff --git a/.github/actions/generate-dependencies-notice/package.json b/.github/actions/generate-dependencies-notice/package.json new file mode 100644 index 0000000..6b51d73 --- /dev/null +++ b/.github/actions/generate-dependencies-notice/package.json @@ -0,0 +1,15 @@ +{ + "name": "generate-dependencies-notice", + "version": "1.0.0", + "description": "", + "main": "index.js", + "scripts": { + "test": "echo \"Error: no test specified\" && exit 1" + }, + "author": "", + "license": "ISC", + "dependencies": { + "@actions/core": "^1.10.0", + "csv": "^6.2.7" + } +} diff --git a/.github/workflows/build-snapshot.yml b/.github/workflows/build-snapshot.yml new file mode 100644 index 0000000..1f52b8f --- /dev/null +++ b/.github/workflows/build-snapshot.yml 
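Review bot: `package.json` declares `"license": "ISC"` while every source file in this patch carries `SPDX-License-Identifier: Apache-2.0`, so the manifest should read `"license": "Apache-2.0"` to match the project's actual licensing. Separately, `action.yml` runs `index.js` directly and JavaScript actions do not run `npm install`, yet no `node_modules` directory is part of this patch and no workflow here invokes the action; unless the dependencies are vendored or the calling workflow runs `npm ci` in `.github/actions/generate-dependencies-notice` first, `require('@actions/core')` and `require('csv-parse/sync')` will fail at runtime — worth stating in the action's description or a README either way.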
@@ -0,0 +1,48 @@
+# Copyright (c) 2023 Copyright (c) 2023 Robert Bosch Manufacturing Solutions GmbH
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# SPDX-License-Identifier: Apache-2.0
+
+name: "Build"
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ types:
+ - opened
+ - reopened
+ - synchronize
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up JDK 17
+ uses: actions/setup-java@v3
+ with:
+ java-version: '17'
+ distribution: 'adopt'
+ cache: maven
+ - name: Build and Deploy with Maven
+ run: mvn clean -X install
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 0000000..4a5aef0
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
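Review bot: The job grants `packages: write` but its only build step runs `mvn clean -X install`, which publishes nothing, so a write-scoped token is minted (and exported to Maven as `GITHUB_TOKEN`) for no purpose; reduce the block to `permissions: contents: read`, or if a deploy is intended make it an explicit `mvn deploy` step gated on `push` to `main` rather than running under the `pull_request` trigger. `-X` turns on Maven debug logging, which dumps resolved properties and plugin configuration into a log that is readable for every pull request; unless it is needed to diagnose a specific failure, use `run: mvn clean install`. The step name `Build and Deploy with Maven` should be renamed to match what it actually does.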
@@ -0,0 +1,60 @@
+# Copyright (c) 2023 Copyright (c) 2023 Robert Bosch Manufacturing Solutions GmbH
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# SPDX-License-Identifier: Apache-2.0
+
+name: gitleaks
+on: [push, pull_request, workflow_dispatch]
+jobs:
+ gitleaks-run:
+ runs-on: ubuntu-latest
+ container:
+ image: zricethezav/gitleaks:latest
+ options: --user root
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: '0'
+
+ - name: Run Gitleaks
+ id: gitleaks
+
+ run: |
+ git config --global --add safe.directory $PWD
+ gitleaks detect -f sarif -r ./gitleaks-report-bpn-discovery.sarif --exit-code 0
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: gitleaks-report
+ path: ./gitleaks-report-bpn-discovery.sarif
+
+ gitleaks-upload:
+ runs-on: ubuntu-latest
+ needs: gitleaks-run
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Download artifact
+ uses: actions/download-artifact@v3
+ with:
+ name: gitleaks-report
+ - name: Upload SARIF report
+ if: always()
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ./gitleaks-report-bpn-discovery.sarif
diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
new file mode 100644
index 0000000..0bc8a90
--- /dev/null
+++ b/.github/workflows/helm-release.yml
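Review bot: `gitleaks detect … --exit-code 0` makes the scan purely advisory: a committed secret never fails the push or pull-request check and is only visible to whoever looks at the uploaded SARIF, so `--exit-code 1` (or a separate gating step) is the safer default for a secrets scanner. The `gitleaks-upload` job declares no `permissions:` block while the sibling KICS and Trivy workflows grant `security-events: write`, so `github/codeql-action/upload-sarif@v2` here depends on the repository's default token scope and will break once that is restricted to read-only; add `permissions: contents: read` and `security-events: write` to that job. The scanner also runs from `zricethezav/gitleaks:latest` as `--user root` and checks out with `actions/checkout@v2`; pin the image to a version or digest and align checkout with the `@v3` used elsewhere in this patch.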
@@ -0,0 +1,54 @@
+# Copyright (c) 2023 Copyright (c) 2023 Robert Bosch Manufacturing Solutions GmbH
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# SPDX-License-Identifier: Apache-2.0
+
+name: Release - Helm Charts
+
+on:
+ push:
+ paths:
+ - 'charts/**'
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+ release:
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Configure Git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+ - name: Install Helm
+ uses: azure/setup-helm@v3
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Run chart-releaser
+ uses: helm/chart-releaser-action@v1.4.1
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml
new file mode 100644
index 0000000..cfd6fa2
--- /dev/null
+++ b/.github/workflows/kics.yml
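Review bot: `workflow_dispatch:` carries no branch restriction, so a manual run from any feature branch executes `helm/chart-releaser-action` with `contents: write` and publishes that branch's `charts/**` as a release alongside the `main`-only `push` path; if releases should only come from `main`, guard the job with `if: github.ref == 'refs/heads/main'` or drop the manual trigger. Because this job publishes artifacts with a write-scoped token, the actions it runs (`actions/checkout@v3`, `azure/setup-helm@v3`, `helm/chart-releaser-action@v1.4.1`) are better pinned to the full commit SHA of each tagged release, keeping the tag as a trailing comment, so a moved or force-pushed tag upstream cannot change what runs with publish rights.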
@@ -0,0 +1,71 @@
+# Copyright (c) 2023 Copyright (c) 2023 Robert Bosch Manufacturing Solutions GmbH
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# SPDX-License-Identifier: Apache-2.0
+
+name: "KICS"
+
+on:
+ push:
+ branches: [main, master]
+ # pull_request:
+ # The branches below must be a subset of the branches above
+ # branches: [main, master]
+ # paths-ignore:
+ # - "**/*.md"
+ # - "**/*.txt"
+ schedule:
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: KICS scan
+ uses: checkmarx/kics-github-action@master
+ with:
+ # Scanning directory .
+ path: "."
+ # Exclude paths from scan by providing the paths as comma separated list
+ # exclude_paths: "postgres-init.yaml,templates/sharedidp.yaml"
+ # Exclude queries by providing the query / rule ID as comma separated list
+ # exclude_queries: "b9c83569-459b-4110-8f79-6305aa33cb37"
+ # Fail on HIGH severity results
+ fail_on: high
+ # Disable secrets detection - we use GitGuardian
+ disable_secrets: true
+ # When provided with a directory on output_path
+ # it will generate the specified reports file named 'results.{extension}'
+ # in this example it will generate:
+ # - results-dir/results.json and results-dir/results.sarif
+ output_path: kicsResults/
+ output_formats: "json,sarif"
+
+ # Upload findings to GitHub Advanced Security Dashboard
+ - name: Upload SARIF file for GitHub Advanced Security Dashboard
+ if: always()
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: kicsResults/results.sarif
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..906d785
--- /dev/null
+++ b/.github/workflows/release.yml
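Review bot: `uses: checkmarx/kics-github-action@master` runs whatever is on the upstream default branch at scan time inside a job holding `security-events: write`; a floating branch ref is neither reproducible nor reviewable, so pin it to a released tag or, better, a commit SHA as the `github/codeql-action/upload-sarif@v2` step already is. The comment `# Disable secrets detection - we use GitGuardian` does not describe this repository, which scans for secrets with gitleaks in `gitleaks.yml`; change it to `# Disable secrets detection - covered by the gitleaks workflow` so the suppression stays justified. With `pull_request:` commented out, infrastructure misconfigurations are only reported after they reach `main` or at the nightly run; the `fail_on: high` gate already exists, so enabling the PR trigger would catch them before merge.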
@@ -0,0 +1,62 @@
+# Copyright (c) 2023 Copyright (c) 2023 Robert Bosch Manufacturing Solutions GmbH
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# SPDX-License-Identifier: Apache-2.0
+
+name: "Create new version tag"
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Version'
+ required: true
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ ref: release
+ - name: Set up JDK 17
+ uses: actions/setup-java@v3
+ with:
+ java-version: '17'
+ distribution: 'adopt'
+ cache: maven
+ - name: setup git config
+ run: |
+ git config user.name "GitHub Actions Bot"
+ git config user.email "<>"
+ - name: Merge changes from main
+ run: |
+ git merge origin/main
+ - name: Run tests and adjust version
+ run: |
+ mvn clean package
+ mvn versions:set -DnewVersion=${{ inputs.version }}
+ mvn versions:commit
+ - name: Create tag, commit and push
+ run: |
+ git add .
+ git commit -m "Create version v${{ inputs.version }}"
+ git tag v${{ inputs.version }}
+ git push origin release
+ git push origin v${{ inputs.version }}
\ No newline at end of file
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..09ec818
--- /dev/null
+++ b/.github/workflows/trivy.yml
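Review bot: `${{ inputs.version }}` is expanded verbatim into four `run:` scripts (`mvn versions:set -DnewVersion=…`, `git commit -m`, `git tag`, `git push`), so a dispatch input such as `1.0.0; <command>` becomes shell code executed with `contents: write` on the `release` branch — the standard expression-injection pattern. Pass the value in through `env:` and validate it against the expected version shape before it reaches mvn or git, as sketched below; the `permissions` block and the remaining steps can stay as they are. Two smaller points: `git config user.email "<>"` leaves an invalid author email on every release commit, and `distribution: 'adopt'` (which setup-java treats as the legacy AdoptOpenJDK builds) differs from the `temurin` chosen in `trivy.yml`, so the two should be aligned.
```yaml
      - name: Run tests and adjust version
        env:
          VERSION: ${{ inputs.version }}
        run: |
          # Reject anything that is not a plain version string before it reaches mvn/git.
          [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([.-][A-Za-z0-9]+)*$ ]] || { echo "invalid version: $VERSION"; exit 1; }
          mvn clean package
          mvn versions:set -DnewVersion="$VERSION"
          mvn versions:commit
      - name: Create tag, commit and push
        env:
          VERSION: ${{ inputs.version }}
        run: |
          git add .
          git commit -m "Create version v$VERSION"
          git tag "v$VERSION"
          git push origin release
          git push origin "v$VERSION"
```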
@@ -0,0 +1,100 @@
+# Copyright (c) 2023 Copyright (c) 2023 Robert Bosch Manufacturing Solutions GmbH
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# SPDX-License-Identifier: Apache-2.0
+
+name: Trivy
+
+on:
+ push:
+ branches: [main, master]
+ # pull_request:
+ # The branches below must be a subset of the branches above
+ # branches: [main, master]
+ # paths-ignore:
+ # - "**/*.md"
+ # - "**/*.txt"
+ schedule:
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+
+jobs:
+ analyze-config:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: "config"
+ # ignore-unfixed: true
+ exit-code: "1"
+ hide-progress: false
+ format: "sarif"
+ output: "trivy-results1.sarif"
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: "trivy-results1.sarif"
+
+ analyze-registry:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - uses: actions/setup-java@v3
+ with:
+ distribution: 'temurin'
+ java-version: '17'
+
+ - name: Build JAR
+ run: mvn clean package
+
+ - name: Build Image
+ run: docker build -t bpn-discovery -f ./backend/Dockerfile .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: bpn-discovery
+ # ignore-unfixed: true
+ exit-code: "1"
+ hide-progress: false
+ format: "sarif"
+ output: "trivy-results-registry.sarif"
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: "trivy-results-registry.sarif"
From b1780f5cc8aebfc524fe96d4766ba62f5dde3b60 Mon Sep 17 00:00:00 2001
From: Tunahan Cicek
Date: Wed, 12 Apr 2023 15:26:42 +0200
Subject: [PATCH 2/2] rename name in trivy to bpn-discovery
---
.github/workflows/trivy.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 09ec818..d9d17bb 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -60,7 +60,7 @@ jobs: with: sarif_file: "trivy-results1.sarif" - analyze-registry: + analyze-bpn-discovery: runs-on: ubuntu-latest permissions: actions: read
@@ -90,11 +90,11 @@ jobs: exit-code: "1" hide-progress: false format: "sarif" - output: "trivy-results-registry.sarif" + output: "trivy-results-bpn-discovery.sarif" severity: "CRITICAL,HIGH" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 if: always() with: - sarif_file: "trivy-results-registry.sarif" + sarif_file: "trivy-results-bpn-discovery.sarif"
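Review bot: Both scan steps use `aquasecurity/trivy-action@master`, a floating branch ref, so the scanner code that runs — and with it the behaviour behind the `exit-code: "1"` gate — can change underneath the nightly schedule without any commit to this repository; pin it to a released tag or commit SHA, as the `github/codeql-action/upload-sarif@v2` step already is. The `pull_request:` trigger is commented out, so a Dockerfile or dependency regression is only caught after merge or at the midnight run; since the image is built in-job from `./backend/Dockerfile` and no secret is involved, the trigger can be enabled safely. A one-line comment above the `analyze-registry` job explaining why `ignore-unfixed` is left commented out would help the next person who sees the gate fail on base-image CVEs with no available fix.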