Black Duck integration and CI/SonarQube updates (#303)

* Update sonar-project.properties

Signed-off-by: nikhil2611 <[email protected]>

* updating to common GitHub Action 1.0.5

Signed-off-by: nikhil2611 <[email protected]>

* added chef-cli-5 release branch

Signed-off-by: nikhil2611 <[email protected]>

* empty commit to run the scans again

Signed-off-by: nikhil2611 <[email protected]>

* updating blackduck config

Signed-off-by: nikhil2611 <[email protected]>

---------

Signed-off-by: nikhil2611 <[email protected]>

Author: nikhil2611

.github/workflows/sonarqube.yml .github/workflows/archived/sonarqube.yml.github/workflows/sonarqube.yml renamed to .github/workflows/archived/sonarqube.yml

@@ -0,0 +1,107 @@
+# stub to call common GitHub Action (GA) as part of Continuous Integration (CI) Pull Request process checks for main branch
+# inputs are described in the chef/common-github-actions/<GA.yml> with same name as this stub
+#
+# secrets are inherited from the calling workflow, typically SONAR_TOKEN, SONAR_HOST_URL, GH_TOKEN, AKEYLESS_JWT_ID, POLARIS_SERVER_URL and POLARIS_ACCESS_TOKEN
+
+name: CI Pull Request on Main Branch
+
+on: 
+  pull_request:
+    branches: [ main, release/** ]
+  push:
+    branches: [ main, release/** ]
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  
+env:
+  STUB_VERSION: "1.0.5" 
+
+jobs: 
+  echo_version:
+    name: 'Echo stub version'
+    runs-on: ubuntu-latest
+    steps:
+      - name: echo version of stub and inputs
+        run: |
+          echo "CI main pull request stub version $STUB_VERSION"
+
+  call-ci-main-pr-check-pipeline:
+    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
+    secrets: inherit
+    permissions: 
+      id-token: write
+      contents: read
+
+    with:   
+      visibility: ${{ github.event.repository.visibility }}   #  private, public, or internal
+      # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/*
+
+      # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest"
+      version: '6.1.13' # ${{ github.event.repository.version }}
+      detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release"
+      detect-version-source-parameter: '' # use for file name
+      language: 'ruby'  # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting
+
+      # complexity-checks
+      perform-complexity-checks: true
+      # scc-output-filename: 'scc-output.txt'
+      perform-language-linting: false    # Perform language-specific linting and pre-compilation checks
+
+      # trufflehog secret scanning
+      perform-trufflehog-scan: true
+      
+      # trivy dependency and container scanning
+      perform-trivy-scan: true
+      
+      # BlackDuck SAST (Polaris) and SCA scans (requires a build or download to do SAST)
+      # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN
+      perform-blackduck-polaris: true
+      polaris-application-name: "Chef-Agents"  # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product
+      polaris-project-name: ${{ github.event.repository.name }}
+      polaris-blackduck-executable: 'path/to/blackduck/binary'
+      polaris-executable-detect-path: 'path/to/detect'
+ 
+      # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language
+      build: false
+      # ga-build-profile: $chef-ga-build-profile   
+      # language: $chef-ga-build-language   # this will be removed from stub as autodetected in central GA
+      unit-tests: false
+ 
+      # perform SonarQube scan, with or wihout unit test coverage data
+      # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com)
+      perform-sonarqube-scan: false
+      # perform-sonar-build: true
+      # build-profile: 'default' 
+      # report-unit-test-coverage: true
+
+      # report to central developer dashboard
+      report-to-atlassian-dashboard: false
+      quality-product-name: 'Chef-Agents'   # product name for quality reporting, like Chef360, Courier, Inspec
+      # quality-product-name: ${{ github.event.repository.name }}   # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec
+      # quality-sonar-app-name: 'YourSonarAppName'
+      # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security
+      # quality-service-name: 'YourServiceOrRepoName'
+      # quality-junit-report: 'path/to/junit/report''
+
+      # perform native and Habitat packaging, publish to package repositories
+      package-binaries: false     # Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA)
+      habitat-build: false        # Create Habitat packages
+      publish-packages: false     # Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)
+
+      # generate and export Software Bill of Materials (SBOM) in various formats
+      generate-sbom: true
+      export-github-sbom: true      # SPDX JSON artifact on job instance  
+      perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above
+      blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product'
+      blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name
+      generate-blackduck-sbom: true # obsolete, use perform-blackduck-sca-scan instead
+        
+      generate-msft-sbom: false
+      license_scout: false      # Run license scout for license compliance (uses .license_scout.yml)
+
+      # udf1: 'default' # user defined flag 1
+      # udf2: 'default' # user defined flag 2 
+      # udf3: 'default' # user defined flag 3

.github/workflows/ci-main-pull-request-stub.yml

@@ -1,21 +1,44 @@
-# must be unique in a given SonarQube instance
-sonar.projectKey=chef_chef-cli_AYcNv4diJ4YHsO5MtJHg
+# SonarQube configuration file
+#
+# Sample Ruby Sonar file - https://docs.sonarsource.com/sonarqube-server/10.6/analyzing-source-code/languages/ruby/
+# properties defined in https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/
+#
+# view this repo in sonar: https://sonar.progress.com/dashboard?id=chef_chef-workstation_AYbLDTBoJ4YHsO5MtH07
 
-sonar.projectName=chef-cli
+# Required metadata
+sonar.projectKey=chef_chef-cli_AYcNv4diJ4YHsO5MtJHg
+# project name is 3 parts: "Chef" + "<area/product>" + "<repo>" with underscores between
+# <area/product> choices: Chef-Agents | Chef-Automate | Chef360 | Chef-Habitat | Chef-Infra-Server | Chef-Shared-Services
+# example project name: chef/chef-vault repo would be Chef_Chef-Infra-Client_chef-vault
+sonar.projectName=Chef_Chef-Agents_chef-cli
+# sonar.projectVersion=1.0
+# sonar.projectDescription=
 
-# defaults to 'not provided'
-#sonar.projectVersion=1.0
+# Language - https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/overview/ go, ruby, rust
+sonar.language=ruby
+sonar.sources=lib
+# sonar.sources=lib <-- for Ruby, match this with the /spec directory for tests & SARIF output directory for test results/rcov
+# sonar.exclusions=**/*_test.go, **/*.js, **/*.sql, **/*.yml, **/*.yaml; may exclude **/vendor/** for Ruby
 
-sonar.sources=.
-sonar.exclusions=**/*_test.go
+# Unit tests
+sonar.tests=spec
+# was spec/**/*.rb 
+# sonar.test.inclusions=**/*_test.go **/*Test.java
+# Coverage report
+# sonar.ruby.coverage.framework=RSpec
+# sonar.ruby.coverage.reportPaths=coverage/coverage.json 
+# ^^^ comma-delimited paths to Rubocop reports, SimpleCov, or RSpec plugin reports (coverage/coverage.json <-- default output for simpleCov)
 
-sonar.tests=.
-sonar.test.inclusions=**/*_test.go
+# sonar.ruby.rubocop.reportPaths=./rubocop-report.json -- import Ruby Rubocop
+# sonar.dependencyCheck.htmlReportPath=./dependency-check-report.html -- import OWASP dependency check report
+# sonar.externalIssuesReportPaths	Comma-delimited list of paths to generic issue reports. 
+# sonar.sarifReportPaths	Comma-delimited list of paths to SARIF issue reports.
 
-# Encoding of the source code. Default is default system encoding
-#sonar.sourceEncoding=UTF-8
+# Additional settings
+# sonar.qualitygate.wait=false
+# sonar.qualitygate.timeout=300
 
 # skip C-language processor
 sonar.c.file.suffixes=-
 sonar.cpp.file.suffixes=-
-sonar.objc.file.suffixes=-
+sonar.objc.file.suffixes=-