support for FINOS license scanning

Author: dschwartz-ftadvisory

.github/workflows/cve-scanning.yml

@@ -1,44 +1,40 @@
-name: CVE Scanning for Maven
+name: CVE Scanning for Python
 
 on:
-  workflow_dispatch:
+  schedule:
+    - cron: '0 8,18 * * 1-5'
   push:
-    branches:
-      - master
     paths:
-      - 'pom.xml'
-      - 'allow-list.xml'
-      - '.github/workflows/cve-scanning.yml'
-  pull_request:
-    paths:
-      - 'pom.xml'
-      - 'allow-list.xml'
-      - '.github/workflows/cve-scanning.yml'
+      - 'pyproject.toml'
+      - 'safety-policy.yml'
+      - '.github/workflows/cve-scanning-python.yml'
 
-jobs:
-  depcheck:
+env:
+  PYTHON_KEYRING_BACKEND: keyring.backends.null.Keyring
 
+jobs:
+  scan:
+    name: Build and test App
     runs-on: ubuntu-latest
-
     steps:
-    - uses: actions/checkout@v3
-    - uses: ./.github/actions/maven-build
-      with:
-        run-tests: false
-    - name: CVE scanning
-      uses: dependency-check/[email protected]
-      env:
-        JAVA_HOME: /opt/jdk
-      with:
-        project: 'Rune Python Runtime'
-        path: '.'
-        format: 'HTML'
-        out: 'reports'
-        args: >
-          --suppression allow-list.xml
-          --failOnCVSS 7
-    - name: Upload results
-      uses: actions/upload-artifact@v4
-      with:
-        name: CVE Scan Report ${{ strategy.job-index }}
-        path: ${{github.workspace}}/reports
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+      - uses: abatilo/actions-poetry@437d4fa27baf74d89b789ba2d8cae97dd2365feb
+        with:
+          poetry-version: "1.2.2"
+      - name: Install safety
+        run: pip3 install safety
+      - name: Build app
+        run: poetry build
+        working-directory: python
+      - name: Rune Python Runtime
+        run: |
+          poetry install
+        working-directory: python
+      - name: Scan CVEs
+        run: poetry export --without-hashes -f requirements.txt | safety check --full-report --stdin --policy-file safety-policy.yml
+        # Without poetry, use this command instead
+        # run: safety check -r requirements.txt --full-report --policy-file safety-policy.yml
+        working-directory: python

.github/workflows/license-scanning.yml

@@ -1,51 +1,29 @@
-name: License Scanning for Maven
+name: License Scanning for Python
 
 on:
-  workflow_dispatch:
+  schedule:
+    - cron: '0 8,18 * * 1-5'
   push:
-    branches:
-      - master
     paths:
-      - 'pom.xml'
-      - '.github/workflows/license-scanning.yml'
-  pull_request:
-    paths:
-      - 'pom.xml'
-      - '.github/workflows/license-scanning.yml'
+      - requirements.txt
+      - 'pyproject.toml'
+      - '.github/workflows/license-scanning-python.yml'
 
 env:
-  ALLOW_LICENSES: "'The Apache Software License, Version 2.0' and licenses/license/name!='BSD' and licenses/license/name!='BSD-style license' and licenses/license/name!='Apache License, Version 2.0'"
-  REPORT_PATH: "target/generated-resources/licenses.xml"
+  ALLOW_LICENSES: "MIT License;Apache Software License;BSD License"
+  # IGNORE_PACKAGES: ""
 
 jobs:
   scan:
+    name: Scan for licenses
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        module-folder: ["./", "./examples", "./rosetta-source"]
     steps:
-    - uses: actions/checkout@v3
-    - name: Install XQ
-      run: pip install xq
-    - uses: ./.github/actions/maven-build
-      with:
-        run-tests: false
-    - name: License XML report
-      run: mvn org.codehaus.mojo:license-maven-plugin:2.0.0:download-licenses
-    - name: Validate XML report
-      run: |
-        LICENSE_REPORT=`xq "//dependency[licenses/license/name!=${{ env.ALLOW_LICENSES }}]" ./${{ env.REPORT_PATH }}`
-        LINES_FOUND=`echo $LICENSE_REPORT | wc -l`
-        echo "License issues found ..."
-        if [ $LINES_FOUND -gt 1 ]; then echo $LICENSE_REPORT ; exit -1; fi
-      working-directory: ${{ matrix.module-folder }}
-    - name: Upload license reports
-      uses: actions/upload-artifact@v4
-      with:
-        name: license-reports-${{ strategy.job-index }}
-        path: '**/dependencies.html'
-    - name: Upload license XML reports
-      uses: actions/upload-artifact@v4
-      with:
-        name: license-xml-report-${{ strategy.job-index }}
-        path: '**/${{ env.REPORT_PATH }}'
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+      - name: Install pip-licenses
+        run: pip3 install pip-licenses
+      - name: Scan for licenses
+        run: pip-licenses --allow-only="${{ env.ALLOW_LICENSES }}" # --ignore-packages="${{ env.IGNORE_PACKAGES }}"
+        working-directory: python

requirements.txt

@@ -0,0 +1,5 @@
+build
+setuptools
+setuptools_scm 
+wheel 
+pytest-runner

safety-policy.yml

@@ -0,0 +1,11 @@
+security:
+    ignore-cvss-severity-below: 6
+    ignore-cvss-unknown-severity: False
+    ignore-vulnerabilities:
+        25853: # Example vulnerability ID
+            reason: Testing CVE suppression
+            # expires: '2023-12-31'
+        52365:
+            reason: Testing CVE suppression
+        58758:
+            reason: Testing CVE suppression