From 45ab93e41a429573c78d3deb4a30306e3ba3b628 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Mon, 24 Feb 2025 11:18:25 +0100 Subject: [PATCH 01/11] correct gosec annotation and remove gosec from codeql --- .github/workflows/code-scan.yml | 20 -------------------- api/v1alpha1/constants.go | 4 ++-- pkg/oci/repository.go | 2 +- 3 files changed, 3 insertions(+), 23 deletions(-) delete mode 100644 .github/workflows/code-scan.yml diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml deleted file mode 100644 index 5149e72a..00000000 --- a/.github/workflows/code-scan.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: "Code scanning" - -on: - push: - branches: ["main"] - pull_request: - branches: ["main"] - schedule: - - cron: "26 14 * * 2" - -jobs: - gosec: - permissions: - # Required to upload SARIF files - security-events: write - # for actions/checkout to fetch code - contents: read - # call reusable workflow from central '.github' repo - uses: open-component-model/.github/.github/workflows/code-scan.yml@main - secrets: inherit diff --git a/api/v1alpha1/constants.go b/api/v1alpha1/constants.go index e0e39442..6f0844ed 100644 --- a/api/v1alpha1/constants.go +++ b/api/v1alpha1/constants.go @@ -2,7 +2,7 @@ package v1alpha1 const ( // DefaultRegistryCertificateSecretName is the name of the of certificate secret for client and registry. - DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" // #nosec G101 -- not a credential + DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" // nolint:gosec // not a credential ) // Internal ExtraIdentity keys. @@ -35,5 +35,5 @@ const ( // Ocm credential config key for secrets. const ( // OCMCredentialConfigKey defines the secret key to look for in case a user provides an ocm credential config. - OCMCredentialConfigKey = ".ocmcredentialconfig" // #nosec G101 -- not a credential + OCMCredentialConfigKey = ".ocmcredentialconfig" // nolint:gosec // not a credential ) 
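Review bot: `// nolint:gosec` (with a space after `//`) is not recognised by golangci-lint as a directive, so on this line and the `OCMCredentialConfigKey` line the G101 finding is no longer suppressed at all — and even once the space is dropped (patch 06 of this series does that), `nolint:gosec` silences every gosec rule on the line where `#nosec G101` silenced only the hardcoded-credential check. Keep the rule ID in the justification so the scope stays reviewable: `DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" //nolint:gosec // G101: name of a Secret object, not a credential`. Note also that this same commit deletes `.github/workflows/code-scan.yml`, the only workflow shown here that uploads gosec results with `security-events: write`, so after this change gosec findings exist only as golangci-lint output; that lint job should be a required check on PRs, or the hardcoded-credential check effectively stops gating merges.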
diff --git a/pkg/oci/repository.go b/pkg/oci/repository.go index 0ace4c99..07e366ff 100644 --- a/pkg/oci/repository.go +++ b/pkg/oci/repository.go @@ -143,7 +143,7 @@ func (c *Client) setupCertificates(ctx context.Context) error { } func (c *Client) constructTLSRoundTripper() http.RoundTripper { - tlsConfig := &tls.Config{} // #nosec G402 -- must provide lower version for quay.io + tlsConfig := &tls.Config{} // nolint:gosec // must provide lower version for quay.io caCertPool := x509.NewCertPool() caCertPool.AppendCertsFromPEM(c.ca) From 33e51b7e4ac7d99e5a0fb4230e8641c452cfd265 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Mon, 24 Feb 2025 11:34:47 +0100 Subject: [PATCH 02/11] move template to .github repo --- .github/PULL_REQUEST_TEMPLATE.md | 65 -------------------------------- 1 file changed, 65 deletions(-) delete mode 100644 .github/PULL_REQUEST_TEMPLATE.md diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index b9d61c3e..00000000 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ /dev/null 
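Review bot: The justification on the suppressed line does not match what the line does: `&tls.Config{}` leaves `MinVersion` at zero, and for a client that means Go's own default (TLS 1.2 since Go 1.18), so no lower version is being provided for quay.io — gosec G402 fires only because the minimum is not stated. Setting it explicitly, `tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12}`, keeps current behaviour, removes the need for the blanket `//nolint:gosec` (which now mutes all gosec rules on the line, not just G402), and makes the floor visible to the next reader. If quay.io really required TLS 1.0/1.1 that would be a deliberate downgrade deserving its own scoped justification; if it does not, the comment should go. Separately, the context line `caCertPool.AppendCertsFromPEM(c.ca)` discards its bool result, so a malformed or empty `c.ca` yields an empty pool with no error — worth a check if the pool is later assigned to `RootCAs` (the rest of `constructTLSRoundTripper` is outside this hunk).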
@@ -1,65 +0,0 @@ -## Description - - - -Please include a summary of the changes and the related issue. Please also include relevant motivation and context. List any dependencies that are required for this change. - - -## What type of PR is this? (check all applicable) - -- [ ] 🍕 Feature -- [ ] 🐛 Bug Fix -- [ ] 📝 Documentation Update -- [ ] 🎨 Style -- [ ] 🧑‍💻 Code Refactor -- [ ] 🔥 Performance Improvements -- [ ] ✅ Test -- [ ] 🤖 Build -- [ ] 🔁 CI -- [ ] 📦 Chore (Release) -- [ ] ⏩ Revert - -## Related Tickets & Documents - - -- Related Issue # (issue) -- Closes # (issue) -- Fixes # (issue) -> Remove if not applicable - -## Screenshots - - - - -## Added tests? - -- [ ] 👍 yes -- [ ] 🙅 no, because they aren't needed -- [ ] 🙋 no, because I need help -- [ ] Separate ticket for tests # (issue/pr) - -Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration - - -## Added to documentation? - -- [ ] 📜 README.md -- [ ] 🙅 no documentation needed - -## Checklist: - -- [ ] My code follows the style guidelines of this project -- [ ] I have performed a self-review of my code -- [ ] I have commented my code, particularly in hard-to-understand areas -- [ ] I have made corresponding changes to the documentation -- [ ] My changes generate no new warnings -- [ ] I have added tests that prove my fix is effective or that my feature works -- [ ] New and existing unit tests pass locally with my changes -- [ ] Any dependent changes have been merged and published in downstream modules From 95dfabcb831d665923ac31efc7ef7b3c4eae3525 Mon Sep 17 00:00:00 2001 
From: Gerald Morrison Date: Mon, 24 Feb 2025 14:33:29 +0100 Subject: [PATCH 03/11] remove mend --- .github/workflows/blackduck_scan.yaml | 8 +- .github/workflows/mend.config | 115 --------------- .github/workflows/mend_scan.yaml | 196 -------------------------- 3 files changed, 4 insertions(+), 315 deletions(-) delete mode 100644 .github/workflows/mend.config delete mode 100644 .github/workflows/mend_scan.yaml diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index ba55dcaf..82816794 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -1,9 +1,9 @@ name: Blackduck SCA Scan on: - #push: - # branches: [ "main" ] - #pull_request: - # branches: [ "main" ] + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] schedule: - cron: '8 0 * * 0' workflow_dispatch: diff --git a/.github/workflows/mend.config b/.github/workflows/mend.config deleted file mode 100644 index db733b81..00000000 --- a/.github/workflows/mend.config +++ /dev/null 
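Review bot: Re-enabling `pull_request` on `main` makes this job run for fork PRs too, where GitHub provides no repository secrets; the scan steps further down this file (visible in later patches of this series) pass `secrets.BLACKDUCK_URL` and `secrets.BLACKDUCK_API_TOKEN`, so external contributors will get a failing check rather than a scan result. Either gate the scan step on same-repo PRs, `if: github.event.pull_request.head.repo.full_name == github.repository`, or document that the PR scan is informational and mark it non-required. `pull_request` is the safe trigger here — obtaining secrets for forks via `pull_request_target` would hand them to untrusted code — and that is worth stating in a comment on the trigger so it survives future edits.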
@@ -1,115 +0,0 @@ -#################################################################### -# WhiteSource Unified-Agent configuration file for GO -# GENERAL SCAN MODE: Package Managers only -#################################################################### -#Configuration Reference: https://docs.mend.io/bundle/unified_agent/page/unified_agent_configuration_parameters.html#General - -# !!! Important for WhiteSource "DIST - *" Products: -# Please set -# checkPolicies=false -# forceCheckAllDependencies=false -# since Policy checks are not applicable for Security scans and also -# not suitable for DIST category. CheckPolicies just cover IP scan -# related license checks for SAP hosted cloud products only ("SHC - *"). -checkPolicies=true -forceCheckAllDependencies=true - -# forceUpdate is important and need to be true -forceUpdate=true -# In some cases it could happen that Unified Agent is reporting SUCCESS but scan is incomplete or -# did not work at all. So parameter failErrorLevel=ALL needs to be set to break the scan if there are issues. -failErrorLevel=ALL -# failBuildOnPolicyViolation: -# If the flag is true, the Unified Agent exit code will be the result of the policy check. -# If the flag is false, the Unified Agent exit code will be the result of the scan. -forceUpdate.failBuildOnPolicyViolation=true -# offline parameter is important and need to be false -offline=false - -# ignoreSourceFiles parameter is important and need to be true -# IMPORTANT: This parameter is going to be deprecated in future -# and will be replaced by a new parameter, fileSystemScan. -# ignoreSourceFiles=true -# fileSystemScan parameter is important and need to be false as a -# replacement for ignoreSourceFiles=true and overrides the -# soon-to-be-deprecated ignoreSourceFiles. To scan source files, we need to enable it. 
-fileSystemScan=true -# resolveAllDependencies is important and need to be false -resolveAllDependencies=false - -#wss.connectionTimeoutMinutes=60 -# URL to your WhiteSource server. -# wss.url=https://sap.whitesourcesoftware.com/agent - -#################################################################### -# GO Configuration -#################################################################### - -# resolveDependencies parameter is important and need to be true -#if you are using 'modules' as a dependency manager, then the go.resolveDependencies is set to false. -#For any other dependency manager, this value is set to true. #To scan source files, we need to disable it. -go.resolveDependencies=false - -#defaut value for ignoreSourceFiles is set to false -# ignoreSourceFiles parameter is important and need to be true -go.ignoreSourceFiles=false -go.collectDependenciesAtRuntime=false -# dependencyManager: Determines the Go dependency manager to use when scanning a Go project. -# Valid values are 'dep', 'godep', 'vndr', 'gogradle', 'glide', 'govendor', 'gopm' and 'vgo' -# If empty, then the Unified Agent will try to resolve the dependencies using each one -# of the package managers above. -#go.dependencyManager= -#go.glide.ignoreTestPackages=false -#go.gogradle.enableTaskAlias=true - -#The below configuration is for the 'modules' dependency manager. -#Please comment these below 4 lines that has 'go.modules' prefix if you are not using the 'modules' dependency manager. -# Default value is true. If set to true, it resolves Go Modules dependencies. -go.modules.resolveDependencies=true -#default value is true. If set to true, this will ignore Go source files during the scan. -#To scan source files, we need to disable it. -go.modules.ignoreSourceFiles=false -#default value is true. If set to true, removes duplicate dependencies during Go Modules dependency resolution. -#go.modules.removeDuplicateDependencies=false -#default value is false. 
if set to true, scans Go Modules project test dependencies. -go.modules.includeTestDependencies=true -################################## - - -################################## -# Organization tokens: -################################## -# ! In case of PIPER, apiKey may not be used in this configuration, -# but set in configuration of piper. -# Please look at PIPER documentation for more information. -# ! For CoDePipes you may look at CoDePipes for more information. -# apiKey= - -# userKey is required if WhiteSource administrator has enabled "Enforce user level access" option. -# ! In case of PIPER, apiKey may not be used in this configuration, -# but set in configuration of piper. -# Please look at PIPER documentation for more information. -# ! For CoDePipes you may look at CoDePipes for more information. -# userKey= - -projectName=ocm-controller -# projectVersion= -# projectToken= - -productName=shc-open-component-model -# productVersion= -# productToken -#updateType=APPEND -#requesterEmail=user@provider.com - -######################################################################################### -# Includes/Excludes Glob patterns - PLEASE USE ONLY ONE EXCLUDE LINE AND ONE INCLUDE LINE -######################################################################################### - -includes=**/*.lock - -## Exclude file extensions or specific directories by adding **/*. or **/** -excludes=**/*sources.jar **/*javadoc.jar - -case.sensitive.glob=false -followSymbolicLinks=true diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml deleted file mode 100644 index cbad8049..00000000 --- a/.github/workflows/mend_scan.yaml +++ /dev/null 
@@ -1,196 +0,0 @@ -name: Mend Security Scan - -on: - schedule: - - cron: '5 0 * * 0' - push: - branches: - - main - pull_request_target: - branches: - - main - workflow_dispatch: - inputs: - logLevel: - description: 'Log level' - required: true - default: 'debug' - type: choice - options: - - info - - warning - - debug -jobs: - mend-scan: - permissions: - pull-requests: write - runs-on: ubuntu-latest - - steps: - - name: Checkout Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - - - name: Set up Java 17 - uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 - with: - java-version: '17' - distribution: 'temurin' - - - name: Setup Go - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 - with: - go-version-file: '${{ github.workspace }}/go.mod' - - - name: 'Setup jq' - uses: dcarbone/install-jq-action@e397bd87438d72198f81efd21f876461183d383a - with: - version: '1.7' - - - name: Download Mend Universal Agent - run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar - - - name: Run Mend Scan - run: java -jar ./wss-unified-agent.jar -c $CONFIG_FILE -wss.url $WSS_URL -apiKey $API_KEY -userKey $USER_KEY -productToken $PRODUCT_TOKEN - env: - USER_KEY: ${{ secrets.MEND_USER_KEY }} - PRODUCT_TOKEN: ${{ secrets.MEND_SHC_PRODUCT_TOKEN }} - WSS_URL: ${{ secrets.MEND_URL }} - API_KEY: ${{ secrets.MEND_API_TOKEN }} - CONFIG_FILE: './.github/workflows/mend.config' - - - name: Generate Report - id: report - env: - USER_KEY: ${{ secrets.MEND_API_USER_KEY }} - PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN_OCM_CONTR }} - API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }} - EMAIL: ${{ secrets.MEND_API_EMAIL }} - run: | - data=$(cat < 52 | select(.==true)'| wc -l ) - - function print { - printf "############################################\n$1\n############################################\nMend Scan Tool: https://sap.whitesourcesoftware.com/Wss/WSS.html#!login \n" - } - - function restricted_license { - 
declare -a sap_restricted_licenses=("LGPL" "GPL" "Affero%20GPL" "MPL" "CDDL" "EPL") - ret_val="" - issue_count=0 - for key in "${!sap_restricted_licenses[@]}"; do - api_resp=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3A${sap_restricted_licenses[$key]}" \ - --header 'Content-Type: application/json' --silent \ - --header "Authorization: Bearer ${login_token}") - - api_resp_no=$(echo "${api_resp}" | jq .additionalData.totalItems ) - issue_count=$((issue_count+api_resp_no)) - - if [[ $api_resp_no -gt 0 ]] - then - val=$(echo "${api_resp}" | jq -r .retVal[] ) - ret_val="$ret_val$val" - fi - done - export VIOLATIONS_VERBOSE="${ret_val}" - export VIOLATIONS="${issue_count}" - } - - print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}" - if [[ $security_vulnerability_no -gt 0 ]] - then - echo "${security_vulnerability}" | jq -r .retVal[] - fi - - print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}" - if [[ $major_updates_pending_no -gt 0 ]] - then - echo "${major_updates_pending}" | jq -r .retVal[] - fi - - print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license" - if [[ $requires_review_no -gt 0 ]] - then - echo "${requires_review}" | jq -r .retVal[] - fi - - print "LICENSE RISK HIGH: ${high_license_risk_no}" - if [[ high_license_risk_no -gt 0 ]] - then - echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html" - fi - - restricted_license - - print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${VIOLATIONS}" - if [[ $VIOLATIONS -gt 0 ]] - then - echo "${VIOLATIONS_VERBOSE}" | jq . 
- fi - - echo "security_vulnerability_no=$security_vulnerability_no" >> $GITHUB_OUTPUT - echo "major_updates_pending_no=$major_updates_pending_no" >> $GITHUB_OUTPUT - echo "requires_review_no=$requires_review_no" >> $GITHUB_OUTPUT - echo "high_license_risk_no=$high_license_risk_no" >> $GITHUB_OUTPUT - echo "violations=$VIOLATIONS" >> $GITHUB_OUTPUT - - if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]] - then - echo "status=x" >> $GITHUB_OUTPUT - else - echo "status=white_check_mark" >> $GITHUB_OUTPUT - fi - - name: Check if PR exists - uses: 8BitJonny/gh-get-current-pr@08e737c57a3a4eb24cec6487664b243b77eb5e36 - id: pr_exists - with: - filterOutClosed: true - sha: ${{ github.event.pull_request.head.sha }} - - name: Comment Mend Status on PR - if: ${{ github.event_name != 'schedule' && steps.pr_exists.outputs.pr_found == 'true' }} - uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b - with: - message: | - ## Mend Scan Summary: :${{ steps.report.outputs.status }}: - ### Repository: ${{ github.repository }} - | VIOLATION DESCRIPTION | NUMBER OF VIOLATIONS | - | -------------------------------------------- | --------------------------- | - | HIGH/CRITICAL SECURITY VULNERABILITIES | ${{ steps.report.outputs.security_vulnerability_no }} | - | MAJOR UPDATES AVAILABLE | ${{ steps.report.outputs.major_updates_pending_no }} | - | LICENSE REQUIRES REVIEW | ${{ steps.report.outputs.requires_review_no }} | - | LICENSE RISK HIGH | ${{ steps.report.outputs.high_license_risk_no }} | - | RESTRICTED LICENSE FOR ON-PREMISE DELIVERY | ${{ steps.report.outputs.VIOLATIONS }} | - - [Detailed Logs: mend-scan-> Generate Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) - [Mend UI](https://sap.whitesourcesoftware.com/Wss/WSS.html#!login) - comment_tag: tag_mend_scan 
From f9e26ecca5399c856f6e0a387d1ac8967c3226d5 Mon Sep 17 00:00:00 2001
From: Gerald Morrison
Date: Tue, 25 Feb 2025 14:00:42 +0100
Subject: [PATCH 04/11] only on schedule

---
 .github/workflows/blackduck_scan.yaml | 36 ++-------------------------
 1 file changed, 2 insertions(+), 34 deletions(-)

diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml
index 82816794..6ca122f3 100644
--- a/.github/workflows/blackduck_scan.yaml
+++ b/.github/workflows/blackduck_scan.yaml
@@ -1,11 +1,7 @@
 name: Blackduck SCA Scan
 on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
   schedule:
-    - cron: '8 0 * * 0'
+    - cron: '15 1 * * 0'
   workflow_dispatch:
 
 permissions:
@@ -18,35 +14,7 @@ jobs: steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - - - name: Setup Go - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 - with: - go-version-file: '${{ github.workspace }}/go.mod' - cache: false - - - name: Get go environment for use with cache - run: | - echo "go_cache=$(go env GOCACHE)" >> $GITHUB_ENV - echo "go_modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV - # This step will only reuse the go mod and build cache from main made during the Build, - # see push_ocm.yaml => "ocm-cli-latest" Job - # This means it never caches by itself and PRs cannot cause cache pollution / thrashing - # This is because we have huge storage requirements for our cache because of the mass of dependencies - - - name: Restore / Reuse Cache from central build - id: cache-golang-restore - uses: actions/cache/restore@0c907a75c2c80ebcb7f088228285e798b750cf8f # Only Restore, not build another cache (too big) - with: - path: | - ${{ env.go_cache }} - ${{ env.go_modcache }} - key: ${{ env.cache_name }}-${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ hashFiles('**/go.mod') }} - restore-keys: | - ${{ env.cache_name }}-${{ runner.os }}-go- - env: - cache_name: ocm-cli-latest-go-cache # needs to be the same key in the end as in the build step - + - name: Run Black Duck Full SCA Scan (Manual Trigger and Scheduled) if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 From 95bd0e810b36c5c7519ccc91a07cc3f5a445a940 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Tue, 25 Feb 2025 14:30:40 +0100 Subject: [PATCH 05/11] bring back pr and push --- .github/workflows/blackduck_scan.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index 6ca122f3..86a15e89 100644 
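Review bot: Dropping the `setup-go` step means Black Duck Detect now runs against whatever Go toolchain the `ubuntu-latest` image happens to ship rather than the version pinned in `go.mod`; if the two differ, module resolution — and with it the dependency inventory the SCA report is built from — can diverge from what the real build uses. If the removal is deliberate because Detect is expected to resolve Go modules without the project toolchain (I cannot confirm that from the diff), a one-line comment saying so would stop the next person from re-adding it; otherwise keep `setup-go` with `go-version-file: go.mod` and drop only the cache-restore block. The step that follows (`Run Black Duck Full SCA Scan`) continues outside this hunk.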
--- a/.github/workflows/blackduck_scan.yaml
+++ b/.github/workflows/blackduck_scan.yaml
@@ -1,7 +1,11 @@
 name: Blackduck SCA Scan
 on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
   schedule:
-    - cron: '15 1 * * 0'
+    - cron: '8 0 * * 0'
   workflow_dispatch:
 
 permissions:
From b0c049cf05407d85613eeee453f0aac32edc98e7 Mon Sep 17 00:00:00 2001
From: Gerald Morrison
Date: Tue, 25 Feb 2025 14:39:29 +0100
Subject: [PATCH 06/11] correct nolint

---
 api/v1alpha1/constants.go | 4 ++--
 pkg/oci/repository.go     | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/api/v1alpha1/constants.go b/api/v1alpha1/constants.go
index 6f0844ed..ceded1fa 100644
--- a/api/v1alpha1/constants.go
+++ b/api/v1alpha1/constants.go
@@ -2,7 +2,7 @@ package v1alpha1
 
 const (
 	// DefaultRegistryCertificateSecretName is the name of the of certificate secret for client and registry.
-	DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" // nolint:gosec // not a credential
+	DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" //nolint:gosec // not a credential
 )
 
 // Internal ExtraIdentity keys.
@@ -35,5 +35,5 @@ const (
 // Ocm credential config key for secrets.
 const (
 	// OCMCredentialConfigKey defines the secret key to look for in case a user provides an ocm credential config.
-	OCMCredentialConfigKey = ".ocmcredentialconfig" // nolint:gosec // not a credential
+	OCMCredentialConfigKey = ".ocmcredentialconfig" //nolint:gosec // not a credential
 )
diff --git a/pkg/oci/repository.go b/pkg/oci/repository.go
index 07e366ff..2ec7ae1e 100644
--- a/pkg/oci/repository.go
+++ b/pkg/oci/repository.go
@@ -143,7 +143,7 @@ func (c *Client) setupCertificates(ctx context.Context) error { } func (c *Client) constructTLSRoundTripper() http.RoundTripper { - tlsConfig := &tls.Config{} // nolint:gosec // must provide lower version for quay.io + tlsConfig := &tls.Config{} //nolint:gosec // must provide lower version for quay.io caCertPool := x509.NewCertPool() caCertPool.AppendCertsFromPEM(c.ca) From bfa900a0458e3e6625426344ea732f8e50618dc5 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Wed, 26 Feb 2025 16:13:43 +0100 Subject: [PATCH 07/11] remove params --- .github/workflows/blackduck_scan.yaml | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index 86a15e89..df6f1d39 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -17,11 +17,11 @@ jobs: runs-on: [ ubuntu-latest ] steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - - - name: Run Black Duck Full SCA Scan (Manual Trigger and Scheduled) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' - uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 + uses: actions/checkout@v4 + + - name: Run Black Duck Full SCA Scan (Push, Manual Trigger or Schedule) + if: ${{ github.event_name != 'pull_request' }} + uses: blackduck-inc/black-duck-security-scan@v2.0.0 env: DETECT_PROJECT_USER_GROUPS: opencomponentmodel DETECT_PROJECT_VERSION_DISTRIBUTION: opensource 
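Review bot: The two `uses:` lines lose their commit-SHA pins in favour of mutable tags — `actions/checkout@v4` and `blackduck-inc/black-duck-security-scan@v2.0.0` — in a job that receives `secrets.BLACKDUCK_API_TOKEN` and `secrets.GITHUB_TOKEN`; anyone who can move those tags (or compromise the publishing account) can then run code with those credentials, and the commit message ("remove params") does not mention the unpin. Pin back to commit SHAs and keep the tag as a trailing comment so Dependabot can still track updates, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` (the SHA this hunk removed; the tag in the comment is from memory and should be verified). For the Black Duck action, re-use the removed `805cbd09e806b01907bbea0f990723c2bb85abe9` if it is the commit behind v2.0.0, which I cannot confirm from the diff. The `if:` rewrite to `github.event_name != 'pull_request'` itself is fine.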
@@ -35,18 +35,20 @@ jobs: blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }} blackducksca_scan_full: true - - name: Run Black Duck SCA Scan (Pull Request or Push) - if: github.event_name != 'workflow_dispatch' - # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false - uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 + - name: Run Black Duck SCA Scan (Pull Requests) + if: ${{ github.event_name == 'pull_request' }} + # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false + uses: blackduck-inc/black-duck-security-scan@v2.0.0 env: DETECT_PROJECT_USER_GROUPS: opencomponentmodel DETECT_PROJECT_VERSION_DISTRIBUTION: opensource DETECT_SOURCE_PATH: ./ + DETECT_SCAN_MODE: RAPID DETECT_EXCLUDED_DIRECTORIES: .bridge NODE_TLS_REJECT_UNAUTHORIZED: true with: github_token: ${{ secrets.GITHUB_TOKEN }} blackducksca_url: ${{ secrets.BLACKDUCK_URL }} blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }} + blackducksca_scan_full: false blackducksca_prComment_enabled: true From eadbdd86a56e2f4ba7d9bcf61b7e2953f7a5d930 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Thu, 27 Feb 2025 09:59:13 +0100 Subject: [PATCH 08/11] correct trigger --- .github/workflows/blackduck_scan.yaml | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index df6f1d39..e19ee91f 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -2,10 +2,10 @@ name: Blackduck SCA Scan on: push: branches: [ "main" ] - pull_request: + pull_request_target: branches: [ "main" ] schedule: - - cron: '8 0 * * 0' + - cron: '6 0 * * 0' workflow_dispatch: permissions: 
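Review bot: The comment kept above the PR step, `# The action sets blackducksca_scan_full internally: for pushes to true and PRs to false`, is now contradicted by the explicit `blackducksca_scan_full: false` added below it, and with `DETECT_SCAN_MODE: RAPID` the step no longer relies on that internal behaviour at all; replace it with `# Rapid (non-persisted) scan on PRs; full scans run on push/schedule in the step above`. The context line `NODE_TLS_REJECT_UNAUTHORIZED: true` is a no-op — Node only honours the value `0` to disable certificate verification, any other value leaves it on — so it neither hardens nor weakens anything; drop it, or annotate it so nobody later flips it to `0` believing it is a switch. `github_token: ${{ secrets.GITHUB_TOKEN }}` together with `blackducksca_prComment_enabled: true` needs `pull-requests: write`; the `permissions:` block is outside this hunk, so confirm it grants only that and nothing broader.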
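Review bot: Switching the trigger to `pull_request_target` does not actually produce a PR scan: the job's `actions/checkout@v4` step (outside this hunk) has no `ref:`, and under `pull_request_target` that checks out the base branch, so the "Pull Requests" step scans `main` and posts a PR comment about the wrong tree. The tempting fix, `ref: ${{ github.event.pull_request.head.sha }}`, is exactly the pwn-request pattern — the workflow would then run Detect's dependency resolution over PR-controlled `go.mod` and build files while holding `BLACKDUCK_API_TOKEN` and a base-context `GITHUB_TOKEN`. Prefer reverting to `pull_request` (secrets are simply absent for forks, and the step can be skipped with `if: github.event.pull_request.head.repo.full_name == github.repository`), or, if fork coverage is required, check out the head with `persist-credentials: false` in a separate job that has no secrets and only uploads results. A comment on the trigger explaining the choice would keep the next edit from quietly adding `ref:`.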
@@ -20,7 +20,7 @@ jobs: uses: actions/checkout@v4 - name: Run Black Duck Full SCA Scan (Push, Manual Trigger or Schedule) - if: ${{ github.event_name != 'pull_request' }} + if: ${{ github.event_name != 'pull_request_target' }} uses: blackduck-inc/black-duck-security-scan@v2.0.0 env: DETECT_PROJECT_USER_GROUPS: opencomponentmodel @@ -36,7 +36,7 @@ jobs: blackducksca_scan_full: true - name: Run Black Duck SCA Scan (Pull Requests) - if: ${{ github.event_name == 'pull_request' }} + if: ${{ github.event_name == 'pull_request_target' }} # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false uses: blackduck-inc/black-duck-security-scan@v2.0.0 env: @@ -52,3 +52,18 @@ jobs: blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }} blackducksca_scan_full: false blackducksca_prComment_enabled: true + + # Find and Upload Status.json as artifact to analyze potential issues during scan + - name: Find status.json + id: find-status + run: | + FILE=$(find /home/runner/work/ocm/ocm/.bridge/Blackduck\ SCA\ Detect\ Execution/detect/runs -type f -name 'status.json' -print0 | xargs -0 -n1 basename) + echo "status_file=${FILE}" >> $GITHUB_OUTPUT + + - name: Upload status.json + uses: actions/upload-artifact@v3 + with: + name: blackduck-status + path: ${{ steps.find-status.outputs.status_file }} + + \ No newline at end of file From 6b7353288b5bc90cae19521202c5a090d7eaaab3 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Thu, 27 Feb 2025 10:14:13 +0100 Subject: [PATCH 09/11] adopt schedule --- .github/workflows/blackduck_scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index e19ee91f..6a7edd91 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -5,7 +5,7 @@ on: pull_request_target: branches: [ "main" ] schedule: - - cron: '6 0 * * 0' + - cron: '6 1 * * 0' workflow_dispatch: permissions: 
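Review bot: The `find` in `Find status.json` searches the absolute path `/home/runner/work/ocm/ocm/...`, which only matches if this repository is checked out as `ocm/ocm`; elsewhere in this series the project is named `ocm-controller`, so this likely never resolves — use `${{ github.workspace }}/.bridge/...` instead. Even when it matches, `xargs -0 -n1 basename` strips the directory, so `path: ${{ steps.find-status.outputs.status_file }}` becomes a bare `status.json` relative to the workspace and `upload-artifact` will not find it; point `path:` at the glob directly, `path: .bridge/Blackduck SCA Detect Execution/detect/runs/**/status.json`, and add `if-no-files-found: warn` so a missing file does not fail the scan job. `actions/upload-artifact@v3` is also an unpinned, deprecated major in a job that holds secrets — pin it to a v4 commit SHA like the other actions should be. The hunk additionally leaves the file without a trailing newline.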
From d649f065f913f12556773ac8d3b28390111bcff3 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Thu, 27 Feb 2025 10:28:40 +0100 Subject: [PATCH 10/11] remove upload --- .github/workflows/blackduck_scan.yaml | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index 6a7edd91..9d309506 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -52,18 +52,4 @@ jobs: blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }} blackducksca_scan_full: false blackducksca_prComment_enabled: true - - # Find and Upload Status.json as artifact to analyze potential issues during scan - - name: Find status.json - id: find-status - run: | - FILE=$(find /home/runner/work/ocm/ocm/.bridge/Blackduck\ SCA\ Detect\ Execution/detect/runs -type f -name 'status.json' -print0 | xargs -0 -n1 basename) - echo "status_file=${FILE}" >> $GITHUB_OUTPUT - - - name: Upload status.json - uses: actions/upload-artifact@v3 - with: - name: blackduck-status - path: ${{ steps.find-status.outputs.status_file }} - - \ No newline at end of file + \ No newline at end of file From 5ce13340c72d3af1f4567b4813645895b07290fe Mon Sep 17 00:00:00 2001 From: Gerald Morrison <67469729+morri-son@users.noreply.github.com> Date: Thu, 27 Feb 2025 11:10:36 +0100 Subject: [PATCH 11/11] Update blackduck_scan.yaml --- .github/workflows/blackduck_scan.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index 9d309506..199f7fab 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -43,7 +43,6 @@ jobs: DETECT_PROJECT_USER_GROUPS: opencomponentmodel DETECT_PROJECT_VERSION_DISTRIBUTION: opensource DETECT_SOURCE_PATH: ./ - DETECT_SCAN_MODE: RAPID DETECT_EXCLUDED_DIRECTORIES: .bridge NODE_TLS_REJECT_UNAUTHORIZED: true with: 
@@ -52,4 +51,4 @@ jobs:
         blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
         blackducksca_scan_full: false
         blackducksca_prComment_enabled: true
-
\ No newline at end of file
+