Run vulnerability scan on latest release version

Previously the scan ran on the current state of the codebase. This fails to identify vulnerabilities in dependencies for the latest release version if those dependencies have already been updated in the development codebase. The gating factor for whether a new release is required should be whether the previous release contains vulnerabilities. This change runs the scheduled vulnerability scan on the latest release tag. It also adds vulnerability scanning to pull request builds. This is purely informational. A scan failure does not fail the pull request build. Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
hyperledger · Oct 14, 2024 · 9612f6d · 9612f6d
1 parent bb8cd6b
commit 9612f6d
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 25 deletions.
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -17,6 +17,9 @@ jobs:
   test:
     uses: ./.github/workflows/test.yml
 
+  scan:
+    uses: ./.github/workflows/scan.yml
+
   pull-request:
     needs: test
     name: Pull request success

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -34,10 +34,7 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: '11'
-          cache: 'gradle'
-      - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@v3
-      - uses: gradle/actions/setup-gradle@v3
+      - uses: gradle/actions/setup-gradle@v4
       - name: Push to registry ${{ matrix.publish_target }}
         run: |
           set -xev
@@ -69,10 +66,7 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: '11'
-          cache: 'gradle'
-      - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@v3
-      - uses: gradle/actions/setup-gradle@v3
+      - uses: gradle/actions/setup-gradle@v4
       - name: Build the dependencies needed for the image
         run: ./gradlew :fabric-chaincode-docker:copyAllDeps
       - name: Set up QEMU

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -0,0 +1,32 @@
+name: "Scheduled vulnerability scan"
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        description: Branch, tag or SHA to scan.
+        type: string
+        required: false
+        default: ""
+
+permissions:
+  contents: read
+
+jobs:
+  osv-scanner:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+      - uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 11
+      - uses: gradle/actions/setup-gradle@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+      - name: Scan
+        run: make scan
diff --git a/.github/workflows/scheduled-scan.yml b/.github/workflows/scheduled-scan.yml
@@ -1,6 +1,9 @@
 name: "Scheduled vulnerability scan"
 
 on:
+  pull_request:
+    branches:
+      - main
   schedule:
     - cron: "20 3 * * *"
   workflow_dispatch:
@@ -9,13 +12,18 @@ permissions:
   contents: read
 
 jobs:
-  osv-scanner:
+  latest-release-version:
+    name: Get latest release tag
     runs-on: ubuntu-latest
+    outputs:
+      tag_name: ${{ steps.tag-name.outputs.value }}
     steps:
-      - uses: actions/checkout@v4
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: stable
-      - name: Scan
-        run: make scan
+      - id: tag-name
+        run: echo "value=$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output '.tag_name')" >> "${GITHUB_OUTPUT}"
+
+  scan:
+    name: Scan ${{ needs.latest-release-version.outputs.tag_name }}
+    needs: latest-release-version
+    uses: ./.github/workflows/scan.yml
+    with:
+      ref: ${{ needs.latest-release-version.outputs.tag_name }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -7,7 +7,7 @@ name: Test
 on:
   workflow_call:
     inputs:
-      checkout-ref:
+      ref:
         default: ''
         required: false
         type: string
@@ -18,14 +18,12 @@ jobs:
     steps:
     - uses: actions/checkout@v4
       with:
-        ref: ${{ inputs.checkout-ref }}
+        ref: ${{ inputs.ref }}
     - uses: actions/setup-java@v4
       with:
         distribution: temurin
         java-version: 11
-    - name: Validate Gradle wrapper
-      uses: gradle/actions/wrapper-validation@v3
-    - uses: gradle/actions/setup-gradle@v3
+    - uses: gradle/actions/setup-gradle@v4
     - name: Build and Unit test
       run: ./gradlew :fabric-chaincode-shim:build 
 
@@ -34,11 +32,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.checkout-ref }}
+          ref: ${{ inputs.ref }}
       - uses: actions/setup-java@v4
         with:
           distribution: temurin
           java-version: 11
+      - uses: gradle/actions/setup-gradle@v4
       - name: Populate chaincode with latest java-version
         run: |
           ./gradlew -I $GITHUB_WORKSPACE/fabric-chaincode-integration-test/chaincodebootstrap.gradle -PchaincodeRepoDir=$GITHUB_WORKSPACE/fabric-chaincode-integration-test/src/contracts/fabric-shim-api/repository publishShimPublicationToFabricRepository
@@ -58,7 +57,6 @@ jobs:
         run: |
           peer version
           weft --version
-      - uses: gradle/actions/setup-gradle@v3
       - name: Integration Tests
         run: ./gradlew :fabric-chaincode-integration-test:build
 
@@ -67,11 +65,11 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.checkout-ref }}
+          ref: ${{ inputs.ref }}
       - uses: actions/setup-java@v4
         with:
           distribution: temurin
           java-version: 11
-      - uses: gradle/actions/setup-gradle@v3
+      - uses: gradle/actions/setup-gradle@v4
       - name: Build Docker image
         run: ./gradlew :fabric-chaincode-docker:buildImage