ci: vulnerability scan tweaks (#126)

* ci: vulnerability scan tweaks

I don't see a need to use a custom path for the nvd database, so turfed
that complexity. Let it go to its default spot under ~/.m2/repository...

Don't base github action cache on date, base it instead on deps and
bb.edn.

Use action/cache/restore and actions/cache/save to control caching.
This should allow us to save nvd database for subsequent runs.

Seems to work, but we'll see.

Closes #125

Author: lread

.github/workflows/nvd_scanner.yml

@@ -17,24 +17,65 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
-    - name: Setup
-      uses: ./.github/workflows/shared-setup
+    - name: Setup Java
+      uses: actions/setup-java@v4
       with:
-        jdk: '11'
+        distribution: 'temurin'
+        java-version: 21
 
-    - name: Get Date
-      id: get-date
+    - name: Install Clojure Tools
+      uses: DeLaGuardo/[email protected]
+      with:
+        cli: 'latest'
+        bb: 'latest'
+
+    - name: Generate Cache Key
       run: |
-        echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
-      shell: bash
+        bb --version
+        bb latest-release nvd-clojure | tee nvd_check_helper_project/nvd-clojure-version.txt
 
-    - name: Cache NVD Database
-      uses: actions/cache@v4
+    - name: Restore NVD DB & Clojure Deps Cache
+      # nvd caches its db under ~/.m2/repository/org/owasp so that it can
+      # conveniently be cached with deps
+      uses: actions/cache/restore@v4
       with:
-        path: /home/runner/.nvd-cache/
-        key: nvd-cache-we-are-happy-to-share-across-branches-${{ steps.get-date.outputs.date }}
+        path: |
+          ~/.m2/repository
+          ~/.deps.clj
+          ~/.gitlibs
+        # because we are using a RELEASE version of nvd-clojure
+        # we also include its version
+        key: |
+          nvd-${{ hashFiles(
+            'nvd_check_helper_project/nvd-clojure-version.txt',
+            'nvd_check_helper_project/deps.edn',
+            'nvd_check_helper_project/bb.edn',
+            'bb.edn') }}
+        restore-keys: |
+          nvd-
+
+    - name: Download Clojure deps
+      run: clojure -X:deps prep
+      working-directory: nvd_check_helper_project
 
     - name: Run NVD Scanner
       env:
         NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
       run: bb nvd-scan
+
+    - name: Save NVD DB & Clojure Deps Cache
+      if: always() # always cache regardless of outcome of nvd scan
+      uses: actions/cache/save@v4
+      with:
+        path: |
+          ~/.m2/repository
+          ~/.deps.clj
+          ~/.gitlibs
+        # we tack on github.run_id to uniquely identify the cache
+        # the next cache restore will find the best (and most current) match
+        key: |
+          nvd-${{ hashFiles(
+            'nvd_check_helper_project/nvd-clojure-version.txt',
+            'nvd_check_helper_project/deps.edn',
+            'nvd_check_helper_project/bb.edn',
+            'bb.edn') }}-${{ github.run_id }}

bb.edn

@@ -5,10 +5,17 @@
         version-clj/version-clj {:mvn/version "2.0.2"}}
  :tasks {;; setup
          :requires ([babashka.fs :as fs]
+                    [babashka.http-client :as http]
+                    [clojure.edn :as edn]
                     [clojure.string :as string]
                     [lread.status-line :as status])
-         :enter (let [{:keys [name]} (current-task)] (status/line :head "TASK %s %s" name (string/join " " *command-line-args*)))
-         :leave (let [{:keys [name]} (current-task)] (status/line :detail "\nTASK %s done." name))
+
+         :enter (let [{:keys [name task-decoration] :as f} (current-task)]
+                  (when-not (= :none task-decoration)
+                    (status/line :head "TASK %s" name)))
+         :leave (let [{:keys [name task-decoration] :as f} (current-task)]
+                  (when-not (= :none task-decoration)
+                    (status/line :detail "\nTASK %s done." name)))
 
          ;; tasks
          clean
@@ -47,16 +54,24 @@
          lint
          {:doc "Run all lints"
           :depends [lint-kondo lint-eastwood]}
+         latest-release
+         {:doc "Return latest clojars release of given artifact"
+          :task-decoration :none
+          ;; we use RELEASE for nvd-clojure, so use its version as our cache key
+          :task (let [artifact (first *command-line-args*)]
+                  (-> (http/get (str "https://clojars.org/api/artifacts/" artifact)
+                                {:headers {"Accept" "application/edn"}})
+                      :body
+                      edn/read-string
+                      :latest_release
+                      println))}
          nvd-scan
          {:doc "Check for security vulnerabilities in dependencies"
-          :task (let [config (if (System/getenv "CI")
-                               "./github_actions_config.json" ;; to support CI caching
-                               "./local_config.json")]
-                  (status/line :detail "Using config: %s" config)
+          :task (let [cp (with-out-str (clojure "-Spath"))]
                   (clojure {:dir "./nvd_check_helper_project"}
                            "-J-Dclojure.main.report=stderr -M -m nvd.task.check"
-                           config
-                           (with-out-str (clojure "-Spath"))))}
+                           "./config.json"
+                           cp))}
          pubcheck
          {:doc "run only publish checks (without publishing)"
           :task publish/pubcheck}

nvd_check_helper_project/local_config.json renamed to nvd_check_helper_project/config.json

@@ -2,4 +2,6 @@
         ;; it is generally considered bad practice to use RELEASE, but we always want the latest
         ;; security tooling
         #_:clj-kondo/ignore
-        {:mvn/version "RELEASE"}}}
+        {:mvn/version "RELEASE"}
+        ;; temporarily try bumping transitive dep to current release
+        org.owasp/dependency-check-maven {:mvn/version "10.0.0"}}}