SSP onboarding pass 1

Author: alexander-komarov-ibm

.cra/cra-scan-custom-script.sh

@@ -12,17 +12,7 @@ export BUILD_ARM_TOKEN=$(get_env jfrog_func_is_token)
 export BUILD_ARM_PASSWORD=$(get_env jfrog_func_is_token)
 export BUILD_ARM_USERNAME=Ibm-webmethods-integration-server@ibm.com
 
-
-which java 
-java -version
-cat /etc/*elease*
-id
-
-# Install JDK 17
-dnf install -y java-17-openjdk-devel
-export JAVA_HOME=/usr/lib/jvm/java-17
-$JAVA_HOME/bin/java -version
-
+source "$(dirname "${BASH_SOURCE[0]}")/install-jdk.sh"
 
 # debug: dump all scripts
 find /opt/commons/compliance-checks | while read filename ; do

.cra/install-jdk.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# This script is broken out because it's used from both SSP and PR scans
+
+which java 
+java -version
+cat /etc/*elease*
+id
+
+# create a gradle environment on the build agent
+mkdir -p ~/.gradle/
+
+echo "Using pre-installed Java $JAVA_VERSION in $JAVA_HOME and creating toolchains.xml"
+
+cat > ~/.gradle/gradle.properties << EOF
+sonatypeUser = $BUILD_ARM_USERNAME
+sonatypePwd = $BUILD_ARM_TOKEN
+java${JAVA_VERSION}Home = $JAVA_HOME
+EOF
+
+# Install JDK 17
+dnf install -y java-17-openjdk-devel
+export JAVA_HOME=/usr/lib/jvm/java-17
+$JAVA_HOME/bin/java -version
+echo "java17Home = $JAVA_HOME" >> ~/.gradle/gradle.properties
+
+cat ~/.gradle/gradle.properties

.github/workflows/fedramp-ssp.yml

@@ -0,0 +1,26 @@
+name: Trigger remote SPS scans job for FedRAMP compliance
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+    inputs:
+        
+      repo-branch:
+        description: Specify the repo branch to scan if scan-type is "repo-scan"
+        type: string
+        default: master
+        
+jobs:
+  fedramp-scan:
+    uses: ibm-webmethods/bic-images-build-pipeline/.github/workflows/fedramp-ssp-scans.yml@main
+    with:
+      scan-type: repo-scan
+      repo-name: ehcache3
+      repo-branch: ${{ inputs.repo-branch || 'master' }}
+      runner-label: self-hosted
+    secrets:
+      GH_PAT: ${{ secrets.TC_GH_PAT }}
+      SPS_TRIGGER_API: ${{ secrets.SPS_TRIGGER_API }}
+      # WEBMETHODS_APIKEY: ${{ secrets.SPS_ICR_API_KEY }}

.cra/.secrets.baseline .secrets.baseline.cra/.secrets.baseline renamed to .secrets.baseline

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+env
+
+export BUILD_ARM_USERNAME=$(get_env BUILD_ARM_USERNAME)
+export BUILD_ARM_TOKEN=$(get_env BUILD_ARM_TOKEN)
+export BUILD_ARM_PASSWORD=$(get_env BUILD_ARM_TOKEN)
+
+echo "Begin Compliance custom script"
+
+source "$(dirname "${BASH_SOURCE[0]}")/.cra/install-jdk.sh"
+
+set -ex
+
+# perform the build so compliance checks can scan everything
+./gradlew assemble
+
+echo "End Compliance custom script"