From 461792f7b412b6b0f741cb7dea229145a61ab902 Mon Sep 17 00:00:00 2001 From: Jim Anderson Date: Mon, 25 Sep 2023 14:18:46 -0500 Subject: [PATCH 1/9] Add Semgrep, Dependabot, and Snyk workflows --- .github/workflows/dependabot.yml | 14 ++++++++++ .github/workflows/semgrep.yml | 41 ++++++++++++++++++++++------ .github/workflows/snyk.yml | 47 ++++++++++++++++++++++++++++++++ 3 files changed, 94 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/dependabot.yml create mode 100644 .github/workflows/snyk.yml diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml new file mode 100644 index 000000000..8cc9d6684 --- /dev/null +++ b/.github/workflows/dependabot.yml @@ -0,0 +1,14 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + + - package-ecosystem: "gradle" + directory: "lib" + schedule: + interval: "daily" + ignore: + - dependency-name: "*" + update-types: ["version-update:semver-major"] diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index e0227e37c..fc7d2eeb7 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -1,23 +1,48 @@ name: Semgrep on: - pull_request: {} - + merge_group: + pull_request_target: + types: + - opened + - synchronize push: - branches: ["master", "main"] - + branches: + - master schedule: - cron: '30 0 1,15 * *' +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} + jobs: - semgrep: - name: Scan + authorize: + name: Authorize + environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }} runs-on: ubuntu-latest + steps: + - run: true + + run: + needs: authorize # Require approval before running on forked pull requests + + name: Check for Vulnerabilities + runs-on: ubuntu-latest + container: image: returntocorp/semgrep - if: (github.actor != 'dependabot[bot]') + steps: - - uses: actions/checkout@v3 + - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group' + run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection. + + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.ref }} - run: semgrep ci env: diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml new file mode 100644 index 000000000..4b27ea3d4 --- /dev/null +++ b/.github/workflows/snyk.yml @@ -0,0 +1,47 @@ +name: Snyk + +on: + merge_group: + workflow_dispatch: + pull_request_target: + types: + - opened + - synchronize + push: + branches: + - master + schedule: + - cron: '30 0 1,15 * *' + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} + +jobs: + authorize: + name: Authorize + environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }} + runs-on: ubuntu-latest + steps: + - run: true + + check: + needs: authorize + + name: Check for Vulnerabilities + runs-on: ubuntu-latest + + steps: + - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group' + run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection. + + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.ref }} + + - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0 + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} From badf5e4eef7632d179246f8125e549fd452369a5 Mon Sep 17 00:00:00 2001 From: Jim Anderson Date: Mon, 25 Sep 2023 14:38:50 -0500 Subject: [PATCH 2/9] move dependabot.yml --- .github/{workflows => }/dependabot.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/{workflows => }/dependabot.yml (100%) diff --git a/.github/workflows/dependabot.yml b/.github/dependabot.yml similarity index 100% rename from .github/workflows/dependabot.yml rename to .github/dependabot.yml From 89d220d97ec542507546867bf0a5f3ad466b74fe Mon Sep 17 00:00:00 2001 From: Jim Anderson Date: Wed, 27 Sep 2023 08:15:33 -0500 Subject: [PATCH 3/9] use pull_request for testing --- .github/workflows/snyk.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 4b27ea3d4..5f0d1043d 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -3,7 +3,7 @@ name: Snyk on: merge_group: workflow_dispatch: - pull_request_target: + pull_request: types: - opened - synchronize @@ -23,7 +23,7 @@ concurrency: jobs: authorize: name: Authorize - environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }} + environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }} runs-on: ubuntu-latest steps: - run: true From 6c270df6c9582faeed35585f0b18cf038de332c3 Mon Sep 17 00:00:00 2001 From: Jim Anderson Date: Wed, 27 Sep 2023 08:18:58 -0500 Subject: [PATCH 4/9] use gradle runner --- .github/workflows/snyk.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 5f0d1043d..62d7a441f 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -42,6 +42,6 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha || github.ref }} - - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0 + - uses: snyk/actions/gradle@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0 env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} From 87fdf25b51794bc3e719b3fa984e7871cba4295b Mon Sep 17 00:00:00 2001 From: Jim Anderson Date: Wed, 27 Sep 2023 08:23:55 -0500 Subject: [PATCH 5/9] update snyk.yml --- .github/workflows/snyk.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 62d7a441f..42c0afbfb 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -42,6 +42,6 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha || github.ref }} - - uses: snyk/actions/gradle@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0 + - uses: snyk/actions/gradle-jdk11@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0 env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} From 718f21868d2fb43563411ac0093a0849481ea999 Mon Sep 17 00:00:00 2001 From: Jim Anderson Date: Wed, 27 Sep 2023 08:32:28 -0500 Subject: [PATCH 6/9] update bouncycastle test dep --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 4d9274c11..a4e6a0365 100644 --- a/build.gradle +++ b/build.gradle @@ -81,7 +81,7 @@ dependencies { implementation "com.auth0:java-jwt:4.4.0" implementation "net.jodah:failsafe:2.4.4" - testImplementation "org.bouncycastle:bcprov-jdk15on:1.68" + testImplementation "org.bouncycastle:bcprov-jdk15on:1.70" testImplementation "org.mockito:mockito-core:4.8.1" testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}" testImplementation "org.hamcrest:hamcrest:${hamcrestVersion}" From 55fff2de1b93e511f3a01b28cce3c0e050aec87a Mon Sep 17 00:00:00 2001 From: Jim Anderson Date: Wed, 27 Sep 2023 13:15:59 -0500 Subject: [PATCH 7/9] bump test dependencies --- build.gradle | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index a4e6a0365..49d14e89a 100644 --- a/build.gradle +++ b/build.gradle @@ -81,12 +81,21 @@ dependencies { implementation "com.auth0:java-jwt:4.4.0" implementation "net.jodah:failsafe:2.4.4" - testImplementation "org.bouncycastle:bcprov-jdk15on:1.70" + testImplementation "org.bouncycastle:bcprov-jdk15on:1.76" testImplementation "org.mockito:mockito-core:4.8.1" testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}" testImplementation "org.hamcrest:hamcrest:${hamcrestVersion}" testImplementation "org.junit.jupiter:junit-jupiter-api:${jupiterVersion}" testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:${jupiterVersion}" + + // Override MockWebServer's junit transitive dependency to latest v4 + constraints { + testImplementation( group: 'junit', name: 'junit'){ + version{ + strictly "[4.13.2]" + } + } + } } // Creates a version.txt file containing the current version of the SDK. From 6744e7a75b4fbc6ecf30b49d38a3bf831b4bf652 Mon Sep 17 00:00:00 2001 From: Jim Anderson Date: Wed, 27 Sep 2023 13:22:17 -0500 Subject: [PATCH 8/9] add snyk policy file --- .snyk | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 .snyk diff --git a/.snyk b/.snyk new file mode 100644 index 000000000..004c00ffb --- /dev/null +++ b/.snyk @@ -0,0 +1,9 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.25.0 +# ignores vulnerabilities until expiry date; change duration by modifying expiry date +ignore: + SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744: + - '*': + reason: 'unaffected, only affects createTempFile and createTempDir kotlin function, which are not used' + expires: 2023-12-31T00:00:00.000Z +patch: {} From 67c9612d39c57fade50c8df6186a691780319976 Mon Sep 17 00:00:00 2001 From: Jim Anderson Date: Wed, 27 Sep 2023 13:27:56 -0500 Subject: [PATCH 9/9] fix test compile, add test dependency snyk ignore --- .snyk | 5 +++++ build.gradle | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.snyk b/.snyk index 004c00ffb..165b2db29 100644 --- a/.snyk +++ b/.snyk @@ -6,4 +6,9 @@ ignore: - '*': reason: 'unaffected, only affects createTempFile and createTempDir kotlin function, which are not used' expires: 2023-12-31T00:00:00.000Z + SNYK-JAVA-ORGBOUNCYCASTLE-5771339: + - '*': + reason: 'test-only dependency, no update available' + expires: 2023-12-31T00:00:00.000Z + patch: {} diff --git a/build.gradle b/build.gradle index 49d14e89a..33be7ab9e 100644 --- a/build.gradle +++ b/build.gradle @@ -81,7 +81,7 @@ dependencies { implementation "com.auth0:java-jwt:4.4.0" implementation "net.jodah:failsafe:2.4.4" - testImplementation "org.bouncycastle:bcprov-jdk15on:1.76" + testImplementation "org.bouncycastle:bcprov-jdk15on:1.70" testImplementation "org.mockito:mockito-core:4.8.1" testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}" testImplementation "org.hamcrest:hamcrest:${hamcrestVersion}"