Replace OWASP workflow (#882)

thpierce · web-flow · commit 9679b70f770f · 2024-08-29T20:37:26.000-07:00
Align with Python: * https://github.com/aws-observability/aws-otel-python-instrumentation/blob/main/.github/actions/image_scan/action.yml * https://github.com/aws-observability/aws-otel-python-instrumentation/blob/main/.github/workflows/daily_scan.yml By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/.github/actions/image_scan/action.yml b/.github/actions/image_scan/action.yml
@@ -0,0 +1,33 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+name: image-scan
+description: |
+  This action performs a scan of a provided (local or public ECR remote) image, using Trivy.
+
+inputs:
+  image-ref:
+    required: true
+    description: "Reference for the image to be scanned"
+  severity:
+    required: true
+    description: "List of severities that will cause a failure"
+
+runs:
+  using: "composite"
+  steps:
+
+    # Per https://docs.aws.amazon.com/AmazonECR/latest/public/docker-pull-ecr-image.html, it is possible to
+    # make unauthorized calls to get public ECR images (needed to build the ADOT Java docker image), but
+    # it can fail if you previously authenticated to a public repo. Adding this step to log out, so we
+    # ensure we can make unauthenticated call. This is important for making the pr_build workflow run on
+    # PRs created from forked repos.
+    - name: Logout of public AWS ECR
+      shell: bash
+      run: docker logout public.ecr.aws
+
+    - name: Run Trivy vulnerability scanner on image
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ inputs.image-ref }}
+        severity: ${{ inputs.severity }}
+        exit-code: '1'
diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml
@@ -1,70 +1,114 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+# Performs a daily scan of:
+# * The latest released ADOT Java image, using Trivy
+# * Project dependencies, using DependencyCheck
+#
+#  Publishes results to CloudWatch Metrics.
+name: Daily scan
 
-name: Daily scan for dependencies
 on:
   schedule:
-    - cron: "22 3 * * *"
-  workflow_dispatch:
+    - cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day
+  workflow_dispatch: # be able to run the workflow on demand
+
+env:
+  AWS_DEFAULT_REGION: us-east-1
 
 permissions:
   id-token: write
   contents: read
 
 jobs:
-  check-dependencies-adot-java:
+  scan_and_report:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repo for dependency scan
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: actions/setup-java@v4
+
+      - name: Set up Java for dependency scan
+        uses: actions/setup-java@v4
         with:
           java-version: 17
           distribution: 'temurin'
-      - name: Build snapshot with Gradle
-        uses: gradle/gradle-build-action@v3
+
+      - name: Configure AWS credentials for dependency scan
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          arguments: ":otelagent:dependencyCheckAnalyze"
-      - name: Upload report
-        if: ${{ always() }}
-        uses: actions/upload-artifact@v3
+          role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+      - name: Get NVD API key for dependency scan
+        uses: aws-actions/aws-secretsmanager-get-secrets@v1
+        id: nvd_api_key
         with:
-          name: adot-dependencies
-          path: otelagent/build/reports
+          secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
+          parse-json-secrets: true
 
-  check-dependencies-otel-java:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
+      - name: Publish patched dependencies to maven local
+        uses: ./.github/actions/patch-dependencies
+
+      - name: Build JAR
+        uses: gradle/gradle-build-action@v3
         with:
-          repository: "open-telemetry/opentelemetry-java-instrumentation"
-          fetch-depth: 0
-      - uses: actions/setup-java@v4
+          arguments: assemble -PlocalDocker=true
+
+      # See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
+      - name: Install and run dependency scan
+        id: dep_scan
+        if: always()
+        run: |
+          gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
+          VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt)
+          curl -Ls "https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
+          curl -Ls "https://github.com/jeremylong/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
+          gpg --verify dependency-check.zip.asc
+          unzip dependency-check.zip
+          ./dependency-check/bin/dependency-check.sh --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} -s 'otelagent/build/libs/aws-opentelemetry-agent-*-SNAPSHOT.jar'
+
+      - name: Print dependency scan results on failure
+        if: ${{ steps.dep_scan.outcome != 'success' }}
+        run: less dependency-check-report.html
+
+      - name: Perform high image scan
+        if: always()
+        id: high_scan
+        uses: ./.github/actions/image_scan
         with:
-          java-version: 17
-          distribution: 'temurin'
-      - name: Build snapshot with Gradle
-        uses: gradle/gradle-build-action@v3
+          image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v1.32.3"
+          severity: 'CRITICAL,HIGH'
+
+      - name: Perform low image scan
+        if: always()
+        id: low_scan
+        uses: ./.github/actions/image_scan
         with:
-          arguments: ":javaagent:dependencyCheckAnalyze"
-      - name: Upload report
-        if: ${{ always() }}
-        uses: actions/upload-artifact@v3
+          image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v1.32.3"
+          severity: 'MEDIUM,LOW,UNKNOWN'
+
+      - name: Configure AWS Credentials for emitting metrics
+        if: always()
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          name: otel-dependencies
-          path: javaagent/build/reports
-
-  publish-status:
-    needs: ["check-dependencies-adot-java", "check-dependencies-otel-java"]
-    if: ${{ always() }}
-    uses: ./.github/workflows/publish-status.yml
-    with:
-      namespace: 'ADOT/GitHubActions'
-      repository: ${{ github.repository }}
-      branch: ${{ github.ref_name }}
-      workflow: owasp
-      success: ${{ needs.check-dependencies-adot-java.result == 'success' &&
-                   needs.check-dependencies-otel-java.result == 'success'}}
-      region: us-east-1
-    secrets:
-      roleArn: ${{ secrets.METRICS_ROLE_ARN }}
+          role-to-assume: ${{ secrets.METRICS_ROLE_ARN }}
+          aws-region:  ${{ env.AWS_DEFAULT_REGION }}
+
+      - name: Publish high scan status
+        if: always()
+        run: |
+          value="${{ steps.high_scan.outcome == 'success' && '1.0' || '0.0' }}"
+          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
+            --metric-name Success \
+            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_high \
+            --value $value
 
+      - name: Publish low scan status
+        if: always()
+        run: |
+          value="${{ steps.low_scan.outcome == 'success' && steps.dep_scan.outcome == 'success' && '1.0' || '0.0'}}"
+          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
+            --metric-name Success \
+            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_low \
+            --value $value
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
@@ -116,6 +116,13 @@ jobs:
           tags: ${{ env.TEST_TAG }}
           load: true
 
+      - name: Perform image scan
+        uses: ./.github/actions/image_scan
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        with:
+          image-ref: ${{ env.TEST_TAG }}
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+
       - name: Test docker image
         if: ${{ matrix.os == 'ubuntu-latest' }}
         shell: bash
@@ -127,3 +134,4 @@ jobs:
         with:
           arguments: build --stacktrace -PenableCoverage=true
       - uses: codecov/codecov-action@v3
+
