Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WEBUI-1377: integrate veracode in github action #2215

Open
wants to merge 7 commits into
base: maintenance-3.0.x
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
145 changes: 81 additions & 64 deletions .github/workflows/veracode.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,8 @@ on:
# The branches below must be a subset of the branches above
branches: [ "maintenance-3.0.x" ]
schedule:
# At 01:00 on Sunday
- cron: '0 1 * * SUN'
# At 20:00 every day
- cron: '0 20 * * *'
workflow_call:
inputs:
branch:
Expand Down Expand Up @@ -48,13 +48,13 @@ permissions:

jobs:
# This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
sast-scan:
sast-scan-build:
# The type of runner that the job will run on
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
runs-on: [self-hosted, master]
steps:

# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps
Expand All @@ -65,7 +65,7 @@ jobs:
- uses: actions/setup-node@v1
with:
registry-url: ${{ env.NPM_REPOSITORY }}
node-version: 14
node-version: 18
scope: '@nuxeo'

- uses: actions/setup-java@v2
Expand Down Expand Up @@ -113,6 +113,19 @@ jobs:
echo "ELEMENTS_HELPERS=$(npm pack 2>&1 | tail -1)" >> $GITHUB_ENV
popd
popd
- name: add .npmrc
run: |
pushd /tmp/_temp/
rm .npmrc
touch .npmrc
popd
echo '
packages.nuxeo.com/repository/npm-public/:_auth=${NODE_AUTH_TOKEN}
@nuxeo:registry=https://packages.nuxeo.com/repository/npm-public/
always-auth=true
' >> /tmp/_temp/.npmrc
- name: Link elements to Web UI
run: |
npm install --no-package-lock --@nuxeo:registry="${{ env.NPM_REPOSITORY }}" nuxeo-elements/core/${ELEMENTS_CORE}
Expand All @@ -130,64 +143,68 @@ jobs:
</server>
</servers>
</settings>' > ~/.m2/settings.xml
- name: Nuxeo package build
run: mvn install -DskipInstall
- name: Archive packages
- name: Delete Node Modules
run: |
rm -rf node_modules
rm -rf packages/nuxeo-designer-catalog/node_modules
rm -rf packages/nuxeo-web-ui-ftest/node_modules
rm -rf plugin/a11y/node_modules
- name: Delete Test Folders
run: |
rm -rf nuxeo-elements/testing-helpers/
rm -rf nuxeo-elements/ui/test/
rm -rf nuxeo-elements/storybook/
rm -rf ftest/
rm -rf plugin/
rm -rf scripts/
rm -rf test/
rm -rf packages/nuxeo-web-ui-ftest/
- name: Install zip
run: apt-get install zip

- name: Zip nuxeo-web-ui
run: |
echo nuxeo-web-ui-${{ steps.get-tag.outputs.TAG }}.zip
zip -r nuxeo-web-ui.zip *
- name: Upload ZIP as artifact
uses: actions/upload-artifact@v2
with:
name: packages
path: |
plugin/web-ui/marketplace/target/nuxeo-web-ui-marketplace-*.zip
# download the Veracode Static Analysis Pipeline scan jar
- run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- run: unzip -o pipeline-scan-LATEST.zip
- name: Code Scanning
id: code_scanning
run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --summary_output=true --file plugin/web-ui/marketplace/target/nuxeo-web-ui-marketplace-*.zip
continue-on-error: true
- name: Convert pipeline scan output to SARIF format
id: convert
uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5
with:
pipeline-results-json: results.json
output-results-sarif: veracode-results.sarif
finding-rule-level: "4:3:0"
- name: Upload SARIF file to repository
uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif
- name: Slack notification
if: (github.event_name == 'pull_request' || github.event_name == 'schedule')
uses: slackapi/slack-github-action@v1.23.0
env:
REPO_URL: ${{ github.server_url }}/${{ github.repository }}
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
with:
channel-id: ${{ env.SLACK_CHANNEL_ID }}
payload: |
{
"text": "<${{ env.REPO_URL }}/actions/runs/${{ github.run_id }}|Code scanning> ${{ steps.code_scanning.outcome }} in nuxeo/nuxeo-web-ui <${{ env.REPO_URL }}/commit/${{ github.sha }}|${{ github.ref_name }}>",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "<${{ env.REPO_URL }}/actions/runs/${{ github.run_id }}|Code scanning> ${{ job.status }} in nuxeo/nuxeo-WEB-UI <${{ env.REPO_URL }}/commit/${{ github.sha }}|${{ github.ref_name }}>"
}
}
]
}
- name: Send scan result summary to slack
uses: crederauk/slack-workflow-summary@v1.2.2
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
- name: Send scan result file to slack
uses: adrey/slack-file-upload-action@master
with:
token: ${{ secrets.SLACK_BOT_TOKEN }}
path: results.txt
channel: ${{ secrets.SLACK_CHANNEL_ID }}
name: nuxeo-web-ui
path: nuxeo-web-ui.zip

sast-scan:
needs: sast-scan-build
permissions:
contents: read
security-events: write
actions: read
runs-on: ubuntu-latest
steps:
- name: Download artifact
uses: actions/download-artifact@v2
with:
name: nuxeo-web-ui
path: .

- name: List downloaded artifact
run: |
ls -l
pwd
- name: Veracode Upload And Scan
uses: veracode/veracode-uploadandscan-action@0.2.6
with:
appname: 'Nuxeo Web UI'
createprofile: false
filepath: 'nuxeo-web-ui.zip'
vid: '${{ secrets.VERACODE_SECRET_API_ID }}'
vkey: '${{ secrets.VERACODE_SECRET_KEY }}'
sandboxname: 'master'
scantimeout: 600
include: '*.war, *.zip, *.js, *.html, *.css, *.json'
criticality: 'High'
includenewmodules: 'true'
1 change: 1 addition & 0 deletions index.html
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,7 @@
</script>

<!-- <script>
//disable scripts
window.addEventListener('load', () => navigator.serviceWorker.register('sw.js?ts=<%= Date.now() %>'));
</script> -->
</body>
Expand Down
Loading