diff --git a/.github/workflows/blackduck_scan_scheduled.yaml b/.github/workflows/blackduck_scan_scheduled.yaml
deleted file mode 100644
index 28f141f..0000000
--- a/.github/workflows/blackduck_scan_scheduled.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: Blackduck Scan Cronjob
-on:
- schedule:
- - cron: '15 1 * * 0'
-
-permissions:
- checks: write
-
-jobs:
- build:
- runs-on: [ ubuntu-latest ]
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Set up Java 17
- uses: actions/setup-java@v4
- with:
- java-version: '17'
- distribution: 'temurin'
-
- - name: Blackduck Full Scan
- uses: mercedesbenzio/detect-action@v2
- env:
- DETECT_PROJECT_USER_GROUPS: opencomponentmodel
- DETECT_PROJECT_VERSION_DISTRIBUTION: SAAS
- DETECT_SOURCE_PATH: ./
- NODE_TLS_REJECT_UNAUTHORIZED: true
- with:
- scan-mode: INTELLIGENT
- github-token: ${{ secrets.GITHUB_TOKEN }}
- blackduck-url: ${{ secrets.BLACKDUCK_URL }}
- blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }}
- detect-version: 8.8.0
diff --git a/.github/workflows/mend.config b/.github/workflows/mend.config
deleted file mode 100644
index 45f9f9e..0000000
--- a/.github/workflows/mend.config
+++ /dev/null
@@ -1,115 +0,0 @@
-####################################################################
-# WhiteSource Unified-Agent configuration file for GO
-# GENERAL SCAN MODE: Package Managers only
-####################################################################
-#Configuration Reference: https://docs.mend.io/bundle/unified_agent/page/unified_agent_configuration_parameters.html#General
-
-# !!! Important for WhiteSource "DIST - *" Products:
-# Please set
-# checkPolicies=false
-# forceCheckAllDependencies=false
-# since Policy checks are not applicable for Security scans and also
-# not suitable for DIST category. CheckPolicies just cover IP scan
-# related license checks for SAP hosted cloud products only ("SHC - *").
-checkPolicies=true
-forceCheckAllDependencies=true
-
-# forceUpdate is important and need to be true
-forceUpdate=true
-# In some cases it could happen that Unified Agent is reporting SUCCESS but scan is incomplete or
-# did not work at all. So parameter failErrorLevel=ALL needs to be set to break the scan if there are issues.
-failErrorLevel=ALL
-# failBuildOnPolicyViolation:
-# If the flag is true, the Unified Agent exit code will be the result of the policy check.
-# If the flag is false, the Unified Agent exit code will be the result of the scan.
-forceUpdate.failBuildOnPolicyViolation=true
-# offline parameter is important and need to be false
-offline=false
-
-# ignoreSourceFiles parameter is important and need to be true
-# IMPORTANT: This parameter is going to be deprecated in future
-# and will be replaced by a new parameter, fileSystemScan.
-# ignoreSourceFiles=true
-# fileSystemScan parameter is important and need to be false as a
-# replacement for ignoreSourceFiles=true and overrides the
-# soon-to-be-deprecated ignoreSourceFiles. To scan source files, we need to enable it.
-fileSystemScan=true
-# resolveAllDependencies is important and need to be false
-resolveAllDependencies=false
-
-#wss.connectionTimeoutMinutes=60
-# URL to your WhiteSource server.
-# wss.url=https://sap.whitesourcesoftware.com/agent
-
-####################################################################
-# GO Configuration
-####################################################################
-
-# resolveDependencies parameter is important and need to be true
-#if you are using 'modules' as a dependency manager, then the go.resolveDependencies is set to false.
-#For any other dependency manager, this value is set to true.
-
-go.resolveDependencies=true
-#defaut value for ignoreSourceFiles is set to false
-# ignoreSourceFiles parameter is important and need to be true #To scan source files, we need to disable it.
-go.ignoreSourceFiles=false
-go.collectDependenciesAtRuntime=false
-# dependencyManager: Determines the Go dependency manager to use when scanning a Go project.
-# Valid values are 'dep', 'godep', 'vndr', 'gogradle', 'glide', 'govendor', 'gopm' and 'vgo'
-# If empty, then the Unified Agent will try to resolve the dependencies using each one
-# of the package managers above.
-#go.dependencyManager=
-#go.glide.ignoreTestPackages=false
-#go.gogradle.enableTaskAlias=true
-
-#The below configuration is for the 'modules' dependency manager.
-#Please comment these below 4 lines that has 'go.modules' prefix if you are not using the 'modules' dependency manager.
-# Default value is true. If set to true, it resolves Go Modules dependencies.
-go.modules.resolveDependencies=true
-#default value is true. If set to true, this will ignore Go source files during the scan.
-#To scan source files, we need to disable it.
-go.modules.ignoreSourceFiles=false
-#default value is true. If set to true, removes duplicate dependencies during Go Modules dependency resolution.
-#go.modules.removeDuplicateDependencies=false
-#default value is false. if set to true, scans Go Modules project test dependencies.
-go.modules.includeTestDependencies=true
-######################
-
-
-##################################
-# Organization tokens:
-##################################
-# ! In case of PIPER, apiKey may not be used in this configuration,
-# but set in configuration of piper.
-# Please look at PIPER documentation for more information.
-# ! For CoDePipes you may look at CoDePipes for more information.
-# apiKey=
-
-# userKey is required if WhiteSource administrator has enabled "Enforce user level access" option.
-# ! In case of PIPER, apiKey may not be used in this configuration,
-# but set in configuration of piper.
-# Please look at PIPER documentation for more information.
-# ! For CoDePipes you may look at CoDePipes for more information.
-# userKey=
-
-projectName=git-controller
-# projectVersion=
-# projectToken=
-
-productName=shc-open-component-model
-# productVersion=
-# productToken
-#updateType=APPEND
-#requesterEmail=user@provider.com
-
-#########################################################################################
-# Includes/Excludes Glob patterns - PLEASE USE ONLY ONE EXCLUDE LINE AND ONE INCLUDE LINE
-#########################################################################################
-
-includes=**/*.lock
-
-## Exclude file extensions or specific directories by adding **/*. or **/**
-excludes=**/*sources.jar **/*javadoc.jar
-
-case.sensitive.glob=false
-followSymbolicLinks=true
diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml
deleted file mode 100644
index 74387dc..0000000
--- a/.github/workflows/mend_scan.yaml
+++ /dev/null
@@ -1,200 +0,0 @@ -name: Mend Security Scan - -on: - schedule: - - cron: '10 0 * * 0' - push: - branches: - - main - pull_request_target: - branches: - - main - workflow_dispatch: - inputs: - logLevel: - description: 'Log level' - required: true - default: 'debug' - type: choice - options: - - info - - warning - - debug - -jobs: - mend-scan: - runs-on: ubuntu-latest - permissions: - pull-requests: write - steps: - - name: Checkout Code - uses: actions/checkout@v4 - - - name: Set up Java 17 - uses: actions/setup-java@v4 - with: - java-version: '17' - distribution: 'temurin' - - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version-file: '${{ github.workspace }}/go.mod' - - - name: 'Setup jq' - uses: dcarbone/install-jq-action@v3.0.1 - with: - version: '1.7' - - - name: Download Mend Universal Agent - run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar - - - name: Run Mend Scan - run: java -jar ./wss-unified-agent.jar -c $CONFIG_FILE -wss.url $WSS_URL -apiKey $API_KEY -userKey $USER_KEY -productToken $PRODUCT_TOKEN - env: - USER_KEY: ${{ secrets.MEND_USER_KEY }} - PRODUCT_TOKEN: ${{ secrets.MEND_SHC_PRODUCT_TOKEN }} - WSS_URL: ${{ secrets.MEND_URL }} - API_KEY: ${{ secrets.MEND_API_TOKEN }} - CONFIG_FILE: './.github/workflows/mend.config' - - - name: Generate Report - env: - USER_KEY: ${{ secrets.MEND_API_USER_KEY }} - PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN_GIT_CONTR }} - API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }} - EMAIL: ${{ secrets.MEND_API_EMAIL }} - id: report - run: | - data=$(cat < 52 | select(.==true)'| wc -l ) - - function print { - printf "############################################\n$1\n############################################\nMend Scan Tool: https://sap.whitesourcesoftware.com/Wss/WSS.html#!login \n" - } - - function restricted_license { - declare -a sap_restricted_licenses=("LGPL" "GPL" "Affero%20GPL" "MPL" "CDDL" "EPL") - ret_val="" - issue_count=0 - for key in 
"${!sap_restricted_licenses[@]}"; do - api_resp=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3A${sap_restricted_licenses[$key]}" \ - --header 'Content-Type: application/json' --silent \ - --header "Authorization: Bearer ${login_token}") - - api_resp_no=$(echo "${api_resp}" | jq .additionalData.totalItems ) - issue_count=$((issue_count+api_resp_no)) - - if [[ $api_resp_no -gt 0 ]] - then - val=$(echo "${api_resp}" | jq -r .retVal[] ) - ret_val="$ret_val$val" - fi - done - export VIOLATIONS_VERBOSE="${ret_val}" - export VIOLATIONS="${issue_count}" - } - - print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}" - if [[ $security_vulnerability_no -gt 0 ]] - then - echo "${security_vulnerability}" | jq -r .retVal[] - fi - - print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}" - if [[ $major_updates_pending_no -gt 0 ]] - then - echo "${major_updates_pending}" | jq -r .retVal[] - fi - - print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license" - if [[ $requires_review_no -gt 0 ]] - then - echo "${requires_review}" | jq -r .retVal[] - fi - - print "LICENSE RISK HIGH: ${high_license_risk_no}" - if [[ high_license_risk_no -gt 0 ]] - then - echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html" - fi - - restricted_license - - print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${VIOLATIONS}" - if [[ $VIOLATIONS -gt 0 ]] - then - echo "${VIOLATIONS_VERBOSE}" | jq . 
- fi - - echo "security_vulnerability_no=$security_vulnerability_no" >> $GITHUB_OUTPUT - echo "major_updates_pending_no=$major_updates_pending_no" >> $GITHUB_OUTPUT - echo "requires_review_no=$requires_review_no" >> $GITHUB_OUTPUT - echo "high_license_risk_no=$high_license_risk_no" >> $GITHUB_OUTPUT - echo "violations=$VIOLATIONS" >> $GITHUB_OUTPUT - - if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]] - then - echo "status=x" >> $GITHUB_OUTPUT - else - echo "status=white_check_mark" >> $GITHUB_OUTPUT - fi - - - name: Check if PR exists - uses: 8BitJonny/gh-get-current-pr@3.0.0 - id: pr_exists - with: - filterOutClosed: true - sha: ${{ github.event.pull_request.head.sha }} - - - name: Comment Mend Status on PR - if: ${{ github.event_name != 'schedule' && steps.pr_exists.outputs.pr_found == 'true' }} - uses: thollander/actions-comment-pull-request@v3.0.1 - with: - message: | - ## Mend Scan Summary: :${{ steps.report.outputs.status }}: - ### Repository: ${{ github.repository }} - | VIOLATION DESCRIPTION | NUMBER OF VIOLATIONS | - | -------------------------------------------- | --------------------------- | - | HIGH/CRITICAL SECURITY VULNERABILITIES | ${{ steps.report.outputs.security_vulnerability_no }} | - | MAJOR UPDATES AVAILABLE | ${{ steps.report.outputs.major_updates_pending_no }} | - | LICENSE REQUIRES REVIEW | ${{ steps.report.outputs.requires_review_no }} | - | LICENSE RISK HIGH | ${{ steps.report.outputs.high_license_risk_no }} | - | RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY | ${{ steps.report.outputs.VIOLATIONS }} | - - [Detailed Logs: mend-scan-> Generate Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) - [Mend UI](https://sap.whitesourcesoftware.com/Wss/WSS.html#!login) - comment_tag: tag_mend_scan - -