-
Notifications
You must be signed in to change notification settings - Fork 0
243 lines (213 loc) · 8.38 KB
/
dependency-analysis.yml
File metadata and controls
243 lines (213 loc) · 8.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
name: dependency-checks
on:
pull_request:
workflow_call:
inputs:
module_directory:
description: 'Component path'
required: false
default: ""
type: string
permissions:
pull-requests: write
contents: read
env:
minimum_package_age_hours: 1 # 168 # 7 days
jobs:
dependency-scan:
name: Run PNPM usage analysis
runs-on: ${{ github.repository_visibility != 'public' && 'centreon-security' || 'ubuntu-24.04' }}
steps:
- name: Checkout Repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0
- name: Check dependencies type and managers version
run: |
# Check override
if [ "${{ vars.OVERRIDE_ALL_DEPENDENCY_SCAN }}" == "true" ]; then
echo "[DEBUG] - Global scan override enabled"
return 0
elif [[ "${{ vars.OVERRIDE_PNPM_COMPLIANCE }}" == "true" ]]; then
echo "[DEBUG] - PNPM scan override enabled"
return 0
fi
# Check date
current_timestamp=$(date +%s)
DUE_DATE="${{ vars.OVERRIDE_DEPENDENCY_ENFORCEMENT_DATE }}"
input_timestamp=$(date -d "$DUE_DATE" +%s)
# Setup vars
ERROR_LOG="error_log.txt"
touch "$ERROR_LOG"
FORCE_FAIL="false"
ENFORCEMENT="false"
SKIP="false"
if [ "$current_timestamp" -ge "$input_timestamp" ]; then
echo "[DEBUG]: Deadline passed."
ENFORCEMENT="true"
fi
function message_type() {
MSG="$1"
if [ $ENFORCEMENT == "true" ]; then
echo "[ERROR] : $MSG"
FORCE_FAIL="true"
else
echo "[WARNING] : $MSG"
fi
echo "$MSG" >> "$ERROR_LOG"
}
# Compare pnpm version used in lockfile
function compare_version() {
SKIP="false"
MIN_LOCKFILE_VERSION="8.9.9"
LOCKFILE_VERSION=$(grep -E '^lockfileVersion:' "$LOC_TYPE" \
| awk '{print $2}' \
| tr -d "'\"")
# Compare versions
version_ge() {
[ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}
echo "[DEBUG] - 0 - before condition LOCKFILE_VERSION = $LOCKFILE_VERSION / MIN_LOCKFILE_VERSION = $MIN_LOCKFILE_VERSION"
if version_ge "$MIN_LOCKFILE_VERSION" "$LOCKFILE_VERSION"; then
echo "[DEBUG] - 1 - LOCKFILE_VERSION is lower than $MIN_LOCKFILE_VERSION"
message_type "lockfileVersion $LOCKFILE_VERSION < $MIN_LOCKFILE_VERSION found in $LOC_FILE. Lockfile update required"
else
echo "[DEBUG] - 1 - LOCKFILE_VERSION is greater or equal to $MIN_LOCKFILE_VERSION"
SKIP="true"
fi
echo "[DEBUG] - SKIP in compare = $SKIP"
}
# Move to module folder and find manifests
MODULE_FOLDER="${{ inputs.module_directory }}" || ""
if [[ -n "$MODULE_FOLDER" ]]; then
cd $MODULE_FOLDER
fi
echo "[INFO] - Find manifest files"
DEP_FILES=($(find ./ -type f -name "package.json"))
# Scan node manifests
for DEP_FILE in ${DEP_FILES[@]}; do
DEP_DIR=$(dirname $DEP_FILE)
echo "[INFO] - Scanning $DEP_FILE"
echo "[DEBUG] - DEP_FILE = $DEP_FILE"
LOC_FILES=($(find $DEP_DIR -type f -name "package-lock.json" -o -name "pnpm-lock.yaml" -o -name "yarn.lock"))
COUNT=0
for LOC_FILE in ${LOC_FILES[@]}; do
LOC_TYPE=$(basename $LOC_FILE)
LOC_DIR=$(dirname $LOC_FILE)
#cd $LOC_DIR
case $LOC_TYPE in
"yarn.lock")
COUNT=$((COUNT+1))
message_type "Yarn is no longer allowed. Kindly replace the lockfile using PNPM. Found in $LOC_FILE"
;;
"package-lock.json")
COUNT=$((COUNT+1))
message_type "NPM is no longer allowed. Kindly replace the lockfile using PNPM. Found in $LOC_FILE"
;;
"pnpm-lock.yaml")
echo "[DEBUG] - compare version start"
SKIP=$(compare_version)
echo "[DEBUG] - SKIP = $SKIP"
if [ "$SKIP" == "true" ] ; then continue; fi
COUNT=$((COUNT+1))
;;
"*")
message_type "No lockfile found in $LOC_DIR. A lockfile is required."
;;
esac
#cd -
done
if [[ $COUNT -gt 1 ]]; then
message_type "$COUNT lockfiles were found. Kindly keep only lockfile generated with PNPM. Found in $LOC_DIR"
fi
echo "[DEBUG] - COUNT = $COUNT"
done
echo "[DEBUG] - FORCE_FAIL = $FORCE_FAIL"
if [ -s "$ERROR_LOG" ]; then
cat "$ERROR_LOG"
if [ "FORCE_FAIL" == "true" ]; then
echo "[FATAL]: Breaking the run."
exit 1
fi
else
echo "[INFO] - OK nothing found"
fi
echo -e "\n\n[DEBUG] - ERROR_LOG :"
cat $ERROR_LOG
shell: bash
- name: comment_PR
uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
with:
hide_and_recreate: true
hide_classify: "OUTDATED"
path: "error_log.txt"
dependency-blacklist:
name: Run blacklist analysis
runs-on: ${{ github.repository_visibility != 'public' && 'centreon-security' || 'ubuntu-24.04' }}
steps:
- name: Checkout Repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0
- name: Check for blacklisted dependencies
run: |
# Check override
if [ "${{ vars.OVERRIDE_DEPENDENCY_SCAN }}" == "true" ]; then
echo "[DEBUG] - Global scan override enabled"
return 0
elif [[ "${{ vars.OVERRIDE_BLACKLIST_COMPLIANCE }}" == "true" ]]; then
echo "[DEBUG] - Blacklist scan override enabled"
return 0
fi
function checkPnpmLockfile() {
# Find dependency formated as
# "name@version:"
if grep -qF "$NAME@$VERSION" "$LOCKFILE"; then
echo "$NAME:$VERSION was found in $LOCKFILE"
echo "[ERROR] - $NAME:$VERSION was found in $LOCKFILE" >> "$ERROR_LOG"
else
echo -n "."
fi
}
function checkManifest() {
COUNT=0
echo "[INFO] - Testing manifest $LOCKFILE"
manifest_type=$(basename "$LOCKFILE")
while IFS=':' read -r NAME VERSION; do
# ignore empty and commented lines
[[ -z "${NAME// }" ]] && continue
[[ "$NAME" =~ ^# ]] && continue
case "$manifest_type" in
"pnpm-lock.yaml")
checkPnpmLockfile
;;
"yarn.lock")
echo "[ERROR] - dependency manager not allowed. Found in $LOCKFILE" >> "$ERROR_LOG"
;;
"package-lock.json")
echo "[ERROR] - dependency manager not allowed. Found in $LOCKFILE" >> "$ERROR_LOG"
;;
"*")
echo "[ERROR] - dependency manager not managed. Found in $LOCKFILE" >> "$ERROR_LOG"
esac
COUNT=$((COUNT+1))
done < "$DEP_LIST"
echo "[INFO] - Scanned $COUNT IOC"
}
DEP_LIST="compromised-packages.txt"
if [ -f "$DEP_LIST" ]; then rm -f "$DEP_LIST"; fi
wget https://raw.githubusercontent.com/centreon/security-tools/main/blacklist/"$DEP_LIST"
ERROR_LOG="error_log.txt"
touch "$ERROR_LOG"
LOCKFILES=($(find ./ -type f -name "pnpm-lock.yaml"))
for LOCKFILE in "${LOCKFILES[@]}"; do
checkManifest "$LOCKFILE"
done
if [ -s "$ERROR_LOG" ]; then
echo -e "[ERROR]: Breaking the run as following ERRORS were found:"
cat "$ERROR_LOG"
exit 1
else
echo "[INFO] - OK nothing found"
fi
shell: bash