-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(security): check for licenses with Trivy
- Loading branch information
1 parent
b66b48d
commit 9aeb954
Showing
3 changed files
with
229 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,152 @@ | ||
| license: | ||
| forbidden: | ||
| - AGPL-1.0 | ||
| - AGPL-3.0 | ||
| - CC-BY-NC-1.0 | ||
| - CC-BY-NC-2.0 | ||
| - CC-BY-NC-2.5 | ||
| - CC-BY-NC-3.0 | ||
| - CC-BY-NC-4.0 | ||
| - CC-BY-NC-ND-1.0 | ||
| - CC-BY-NC-ND-2.0 | ||
| - CC-BY-NC-ND-2.5 | ||
| - CC-BY-NC-ND-3.0 | ||
| - CC-BY-NC-ND-4.0 | ||
| - CC-BY-NC-SA-1.0 | ||
| - CC-BY-NC-SA-2.0 | ||
| - CC-BY-NC-SA-2.5 | ||
| - CC-BY-NC-SA-3.0 | ||
| - CC-BY-NC-SA-4.0 | ||
| - Commons-Clause | ||
| - Facebook-2-Clause | ||
| - Facebook-3-Clause | ||
| - Facebook-Examples | ||
| - WTFPL | ||
| ignored: [] | ||
| notice: | ||
| - AFL-1.1 | ||
| - AFL-1.2 | ||
| - AFL-2.0 | ||
| - AFL-2.1 | ||
| - AFL-3.0 | ||
| - Apache-1.0 | ||
| - Apache-1.1 | ||
| - Apache-2.0 | ||
| - Apache 2 License | ||
| - Artistic-1.0-cl8 | ||
| - Artistic-1.0-Perl | ||
| - Artistic-1.0 | ||
| - Artistic-2.0 | ||
| - Bouncy Castle Licence | ||
| - BSL-1.0 | ||
| - BSD-2-Clause-FreeBSD | ||
| - BSD-2-Clause-NetBSD | ||
| - BSD-2-Clause | ||
| - BSD-3-Clause-Attribution | ||
| - BSD-3-Clause-Clear | ||
| - BSD-3-Clause-LBNL | ||
| - BSD-3-Clause | ||
| - BSD-4-Clause | ||
| - BSD-4-Clause-UC | ||
| - BSD-Protection | ||
| - CC-BY-1.0 | ||
| - CC-BY-2.0 | ||
| - CC-BY-2.5 | ||
| - CC-BY-3.0 | ||
| - CC-BY-4.0 | ||
| # - Eclipse Public License (EPL) 2.0 | ||
| - FTL | ||
| - GNU General Public License, version 2 with the GNU Classpath Exception | ||
| # - GNU Lesser General Public License | ||
| - LGPL-2.1-or-later | ||
| - LGPL-2.1-only | ||
| - ISC | ||
| - ImageMagick | ||
| - Libpng | ||
| - Lil-1.0 | ||
| - Linux-OpenIB | ||
| - LPL-1.02 | ||
| - LPL-1.0 | ||
| - MS-PL | ||
| - MIT | ||
| - NCSA | ||
| - OpenSSL | ||
| - PHP-3.01 | ||
| - PHP-3.0 | ||
| - PIL | ||
| - Python-2.0 | ||
| - Python-2.0-complete | ||
| - PostgreSQL | ||
| - SGI-B-1.0 | ||
| - SGI-B-1.1 | ||
| - SGI-B-2.0 | ||
| - Unicode-DFS-2015 | ||
| - Unicode-DFS-2016 | ||
| - Unicode-TOU | ||
| - UPL-1.0 | ||
| - W3C-19980720 | ||
| - W3C-20150513 | ||
| - W3C | ||
| - X11 | ||
| - Xnet | ||
| - Zend-2.0 | ||
| - zlib-acknowledgement | ||
| - Zlib | ||
| - ZPL-1.1 | ||
| - ZPL-2.0 | ||
| - ZPL-2.1 | ||
| permissive: [] | ||
| reciprocal: | ||
| - APSL-1.0 | ||
| - APSL-1.1 | ||
| - APSL-1.2 | ||
| - APSL-2.0 | ||
| - CDDL-1.0 | ||
| - CDDL-1.1 | ||
| - CPL-1.0 | ||
| - EPL-1.0 | ||
| - EPL-2.0 | ||
| - FreeImage | ||
| - IPL-1.0 | ||
| - MPL-1.0 | ||
| - MPL-1.1 | ||
| - MPL-2.0 | ||
| - Ruby | ||
| restricted: | ||
| - BCL | ||
| - CC-BY-ND-1.0 | ||
| - CC-BY-ND-2.0 | ||
| - CC-BY-ND-2.5 | ||
| - CC-BY-ND-3.0 | ||
| - CC-BY-ND-4.0 | ||
| - CC-BY-SA-1.0 | ||
| - CC-BY-SA-2.0 | ||
| - CC-BY-SA-2.5 | ||
| - CC-BY-SA-3.0 | ||
| - CC-BY-SA-4.0 | ||
| - GPL-1.0 | ||
| - GPL-2.0 | ||
| - GPL-2.0-with-autoconf-exception | ||
| - GPL-2.0-with-bison-exception | ||
| - GPL-2.0-with-classpath-exception | ||
| - GPL-2.0-with-font-exception | ||
| - GPL-2.0-with-GCC-exception | ||
| - GPL-3.0 | ||
| - GPL-3.0-with-autoconf-exception | ||
| - GPL-3.0-with-GCC-exception | ||
| - LGPL-2.0 | ||
| - LGPL-2.1 | ||
| - LGPL-3.0 | ||
| - NPL-1.0 | ||
| - NPL-1.1 | ||
| - OSL-1.0 | ||
| - OSL-1.1 | ||
| - OSL-2.0 | ||
| - OSL-2.1 | ||
| - OSL-3.0 | ||
| - QPL-1.0 | ||
| - Sleepycat | ||
| unencumbered: | ||
| - CC0-1.0 | ||
| - Unlicense | ||
| - 0BSD |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| name: License Check | ||
|
|
||
| # This check can be executed locally as follows: | ||
| # | ||
| # Install Trivy, see https://aquasecurity.github.io/trivy/v0.18.3/installation/ | ||
| # $ brew install aquasecurity/trivy/trivy | ||
| # | ||
| # Lock dependencies | ||
| # $ ./gradlew clean cyclonedxBom | ||
| # | ||
| # Check for licenses | ||
| # $ trivy sbom --scanners license --severity UNKNOWN,HIGH,CRITICAL --format table --config .github/trivy-license-config.yaml build/reports/bom.json | ||
|
|
||
| on: | ||
| pull_request: {} | ||
| # TODO release published and attach full report | ||
|
|
||
| jobs: | ||
| trivy-license-check: | ||
| timeout-minutes: 30 | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | ||
|
|
||
| - name: Set up JDK 17 | ||
| uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | ||
| with: | ||
| distribution: 'temurin' | ||
| java-version: 21 | ||
| cache: 'gradle' | ||
|
|
||
| - name: Create SBOM | ||
| run: ./gradlew clean cyclonedxBom | ||
|
|
||
| # TODO on release: all severities + exit-code 0 | ||
| - name: Check for forbidden licenses | ||
| run: > | ||
| docker run --rm | ||
| -v "$PWD:/project" | ||
| aquasec/trivy:0.51.1 | ||
| sbom --scanners license --severity UNKNOWN,HIGH,CRITICAL | ||
| --format json | ||
| --config /project/.github/trivy-license-config.yaml | ||
| --exit-code 1 | ||
| /project/build/reports/bom.json | ||
| >> trivy-licenses.json | ||
| - name: Markdown table | ||
| if: always() | ||
| run: | | ||
| echo "| Dependency | License | Category | Severity |" > trivy-licenses.md | ||
| echo "|------------|---------|----------|----------|" >> trivy-licenses.md | ||
| cat trivy-licenses.json | jq --raw-output '.Results[] | select(.Licenses) | .Licenses[] | "| \(.PkgName) | \(.Name) | \(.Category) | \(.Severity) |"' >> trivy-licenses.md | ||
| - name: Add failure Job summary | ||
| if: failure() && github.event.pull_request | ||
| run: | | ||
| echo '**License violations or unknown licenses found in dependencies:**' >> $GITHUB_STEP_SUMMARY | ||
| echo '' >> $GITHUB_STEP_SUMMARY | ||
| cat trivy-licenses.md >> $GITHUB_STEP_SUMMARY | ||
| - name: Add success Job summary | ||
| if: success() && github.event.pull_request | ||
| run: | | ||
| echo 'All dependencies have allowed licenses.' >> $GITHUB_STEP_SUMMARY | ||
| # - name: Read to env | ||
| # id: licenses | ||
| # if: always() && github.event. TODO release | ||
| # uses: guibranco/github-file-reader-action-v2@a19627ed0e64d536a7db4b936799e66383557c01 # v2.0.486 | ||
| # with: | ||
| # path: trivy-licenses.md | ||
|
|
||
| # TODO always() add file to release |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters