Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: [DevOps] Update OWASP Workflow #190

Merged
merged 8 commits into from
Nov 28, 2024
Merged

chore: [DevOps] Update OWASP Workflow #190

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
b703d6f
Update workflow
MatKuhr Nov 25, 2024
db35a0f
Updated CVE Check Process
MatKuhr Nov 26, 2024
8548be5
update schedule
MatKuhr Nov 26, 2024
8269988
Add missing API key
MatKuhr Nov 26, 2024
9fba96a
Update .github/workflows/fosstars-report.yml
MatKuhr Nov 27, 2024
fececde
Update .github/workflows/fosstars-report.yml
MatKuhr Nov 27, 2024
67b7002
Merge branch 'main' into chore/enable-owasp-cache
MatKuhr Nov 27, 2024
0f2004a
Exclude provided scope
MatKuhr Nov 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 29 additions & 8 deletions .github/workflows/fosstars-report.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,14 @@ name: "Fosstars (Security)"
on:
workflow_dispatch:
schedule:
- cron: "0 0 * * *" # every day at midnight
- cron: '42 03 * * MON-FRI' # 03:42 on weekdays, a somewhat random time to avoid producing load spikes on the GH actions infrastructure

env:
MVN_MULTI_THREADED_ARGS: --batch-mode --no-transfer-progress --fail-at-end --show-version --threads 1C
JAVA_VERSION: 17
CVE_CACHE_KEY: cve-db
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

moved from separate workflow to this workflow, because we only need the DB in this job, and unifying them is more reliable

CVE_CACHE_DIR: ~/.m2/repository/org/owasp/dependency-check-data
CVE_CACHE_REF: refs/heads/main

jobs:
create_fosstars_report:
Expand All @@ -22,29 +25,47 @@ jobs:
distribution: "temurin"
java-version: ${{ env.JAVA_VERSION }}
cache: 'maven'

- name: Restore CVE Database
uses: actions/cache/restore@v4
with:
path: ${{ env.CVE_CACHE_DIR }}
key: ${{ env.CVE_CACHE_KEY }}
fail-on-cache-miss: true
# fail-on-cache-miss: true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure how to feel about this change.

Question:

  • Did the logic succeed once? I.e. have you tested it to be working?

Otherwise LGTM

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a temporary change, needed because the cache needs to be initially created on main branch first


- name: "Build SDK"
run: |
MVN_ARGS="${{ env.MVN_MULTI_THREADED_ARGS }} clean install -DskipTests -DskipFormatting"
mvn $MVN_ARGS

- name: "OWASP Dependency check"
run: mvn org.owasp:dependency-check-maven:10.0.4:check -DnvdApiKey=$NVD_API_KEY -DfailBuildOnCVSS=7 -DskipProvidedScope=true -DsuppressionFile=.pipeline/dependency-check-suppression.xml
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}

- name: "Fosstars rating"
- name: "Fosstars Rating"
uses: SAP/fosstars-rating-core-action@v1.14.0
with:
report-branch: fosstars-report
token: ${{ secrets.GITHUB_TOKEN }}

- name: "CVE Scan"
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
run: |
mvn -T1 --no-transfer-progress dependency-check:check

- name: Delete Old CVE Cache
run: |
CACHE_IDS=$(gh cache list --key "${{ env.CVE_CACHE_KEY }}" --ref "${{ env.CVE_CACHE_REF }}" --json id | jq -r '.[] | .id')
for CACHE_ID in $CACHE_IDS; do
echo "Deleting cache with ID: $CACHE_ID"
gh cache delete "${CACHE_ID}"
done
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Create Updated CVE Cache
uses: actions/cache/save@v4
with:
path: ${{ env.CVE_CACHE_DIR }}
key: ${{ env.CVE_CACHE_KEY }}

- name: "Slack Notification"
if: failure()
uses: slackapi/slack-github-action@v1.27.0
Expand Down
62 changes: 0 additions & 62 deletions .github/workflows/update-vulnerability-database.yaml
View file
Open in desktop

This file was deleted.

14 changes: 14 additions & 0 deletions pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -585,6 +585,20 @@ https://gitbox.apache.org/repos/asf?p=maven-pmd-plugin.git;a=blob_plain;f=src/ma
<artifactId>maven-resources-plugin</artifactId>
<version>3.3.1</version>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>11.1.0</version>
<configuration>
<connectionTimeout>60000</connectionTimeout>
<nvdMaxRetryCount>10</nvdMaxRetryCount>
<failBuildOnCVSS>7</failBuildOnCVSS>
<nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
<suppressionFile>${project.rootdir}/.pipeline/dependency-check-suppression.xml</suppressionFile>
<nvdValidForHours>46</nvdValidForHours>
MatKuhr marked this conversation as resolved.
Show resolved Hide resolved
<skipProvidedScope>true</skipProvidedScope>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>license-maven-plugin</artifactId>
Expand Down