do not merge #10
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Veracode scans | ||
on: | ||
workflow_call: | ||
inputs: | ||
module_directory: | ||
required: true | ||
type: string | ||
module_name: | ||
required: true | ||
type: string | ||
major_version: | ||
required: true | ||
type: string | ||
minor_version: | ||
required: true | ||
type: string | ||
stability: | ||
required: true | ||
type: string | ||
is_perl_project: | ||
required: false | ||
type: boolean | ||
secrets: | ||
veracode_api_id: | ||
required: true | ||
veracode_api_key: | ||
required: true | ||
veracode_srcclr_token: | ||
required: true | ||
jira_base_url: | ||
required: true | ||
jira_user_email: | ||
required: true | ||
jira_api_token: | ||
required: true | ||
jobs: | ||
build: | ||
name: Binary preparation | ||
runs-on: ubuntu-22.04 | ||
outputs: | ||
fail_build: ${{ steps.routing-mode.outputs.fail_build }} | ||
development_stage: ${{ steps.routing-mode.outputs.development_stage }} | ||
display_summary: ${{ steps.routing-mode.outputs.display_summary }} | ||
enable_qg: ${{ steps.routing-mode.outputs.enable_qg }} | ||
steps: | ||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- name: Generate binary file | ||
uses: ./.github/actions/veracode-generate-binary | ||
with: | ||
module_directory: "${{ inputs.module_directory }}" | ||
cache_key: "${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary" | ||
- name: Set routing mode | ||
id: routing-mode | ||
run: | | ||
ENABLE_QG="true" | ||
if [[ "${{ vars.VERACODE_QUALITY_GATE }}" == "false" ]] || [[ -n "${{ vars.VERACODE_EXCEPTION_ON_PR }}" && "${{ vars.VERACODE_EXCEPTION_ON_PR }}" == "${{ github.event.pull_request.number }}" ]]; then | ||
ENABLE_QG="false" | ||
fi | ||
CHECK_BRANCH=`echo "${{ github.ref_name }}" | cut -d'/' -f2` | ||
if [[ $CHECK_BRANCH != "merge" && '${{ github.event_name }}' != 'pull_request' && '${{ inputs.stability }}' == 'stable' ]]; then | ||
# e.g master | ||
FAIL_BUILD="false" | ||
DEVELOPMENT_STAGE="Release" | ||
DISPLAY_SUMMARY="false" | ||
elif [[ $CHECK_BRANCH != "merge" && '${{ github.event_name }}' != 'pull_request' && '${{ inputs.stability }}' == 'unstable' ]]; then | ||
# e.g develop | ||
FAIL_BUILD="$ENABLE_QG" | ||
DEVELOPMENT_STAGE="Testing" | ||
DISPLAY_SUMMARY="false" | ||
elif [[ $CHECK_BRANCH == "merge" && -n '${{ github.head_ref }}' && '${{ github.head_ref }}' =~ ^release-[2-9][0-9].[0-9][0-9]-next ]]; then | ||
# e.g release-23.04-next | ||
FAIL_BUILD="false" | ||
DEVELOPMENT_STAGE="Development" | ||
DISPLAY_SUMMARY="false" | ||
else | ||
FAIL_BUILD="$ENABLE_QG" | ||
DEVELOPMENT_STAGE="Development" | ||
DISPLAY_SUMMARY="true" | ||
fi | ||
echo "fail_build=$FAIL_BUILD" >> $GITHUB_OUTPUT | ||
echo "development_stage=$DEVELOPMENT_STAGE" >> $GITHUB_OUTPUT | ||
echo "display_summary=$DISPLAY_SUMMARY" >> $GITHUB_OUTPUT | ||
echo "enable_qg=$ENABLE_QG" >> $GITHUB_OUTPUT | ||
cat $GITHUB_OUTPUT | ||
if [[ -z "${{ secrets.veracode_api_id }}" ]]; then | ||
echo "[DEBUG] - secret is empty" | ||
else | ||
echo "[DEBUG] - secret is ${{ secrets.veracode_api_id }}" | ||
fi | ||
if [[ -z "${{ vars.VERACODE_API_ID_SVC_EXT }}" ]]; then | ||
echo "[DEBUG] - vars is empty" | ||
else | ||
echo "[DEBUG] - vars is ${{ vars.VERACODE_API_ID_SVC_EXT }}" | ||
fi | ||
if [[ -z "${{ secrets.veracode_api_id || vars.VERACODE_API_ID_SVC_EXT }}" ]]; then | ||
echo "[DEBUG] - workaround is empty" | ||
else | ||
echo "[DEBUG] - workaround is ${{ secrets.veracode_api_id || vars.VERACODE_API_ID_SVC_EXT }}" | ||
fi | ||
pipeline-scan: | ||
needs: [build] | ||
name: Run a pipeline scan | ||
if: inputs.is_perl_project != true | ||
runs-on: [self-hosted, common] | ||
steps: | ||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- name: Get build binary | ||
uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | ||
with: | ||
path: "${{ inputs.module_directory }}/${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary.zip" | ||
key: "${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary" | ||
fail-on-cache-miss: true | ||
- name: Get baseline files | ||
run: | | ||
set -e | ||
# Install aws cli | ||
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" | ||
sudo unzip -q awscliv2.zip | ||
sudo ./aws/install | ||
# Find baseline file | ||
baseline_file_path="" | ||
create_baseline_from="" | ||
BUCKET="s3://centreon-veracode-reports/${{ inputs.module_name }}" | ||
if [[ "${{ inputs.stability }}" == "testing" ]] || [[ ${{ github.base_ref || github.ref_name }} =~ ^hotfix-[2-9][0-9].[0-9][0-9]-next ]]; then | ||
TARGETS=( "${{ github.base_ref || github.ref_name }}" "${{ inputs.major_version }}.x" master ) | ||
else | ||
TARGETS=( "${{ github.base_ref || github.ref_name }}" "dev-${{ inputs.major_version }}.x" develop ) | ||
fi | ||
for TARGET in ${TARGETS[@]}; do | ||
RESULT=0 | ||
echo "[INFO] - Searching baseline file for $TARGET's" | ||
aws s3 ls "$BUCKET/$TARGET/results.json" || RESULT=$( echo $? ) | ||
if [[ $RESULT -eq 0 ]]; then | ||
aws s3 cp "$BUCKET/$TARGET/results.json" "/tmp/results.json" | ||
echo "[INFO] - Found $TARGET's baseline file" | ||
baseline_file_path="/tmp/results.json" | ||
create_baseline_from="standard" | ||
break | ||
else | ||
echo "::warning::Baseline file not found for branch $TARGET" | ||
fi | ||
done | ||
echo "baseline_file=$baseline_file_path" >> $GITHUB_ENV | ||
echo "create_baseline_from=$create_baseline_from" >> $GITHUB_ENV | ||
cat $GITHUB_ENV | ||
- uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 | ||
with: | ||
distribution: 'zulu' | ||
java-version: 8 | ||
- name: Pipeline scan | ||
uses: veracode/Veracode-pipeline-scan-action@5644ae0f9f16ccc10344fc874246555d6f08730a # v1.0.14 | ||
continue-on-error: ${{ vars.VERACODE_CONTINUE_ON_ERROR == 'true' }} | ||
with: | ||
vid: "vera01ei-${{ secrets.veracode_api_id != "" && secrets.veracode_api_id || vars.VERACODE_API_ID_SVC_EXT }}" | ||
vkey: "vera01es-${{ secrets.veracode_api_key != "" && secrets.veracode_api_key || vars.VERACODE_API_KEY_SVC_EXT }}" | ||
file: "${{ inputs.module_directory }}/${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary.zip" | ||
baseline_file: "${{ env.baseline_file }}" | ||
create_baseline_from: "${{ env.create_baseline_from }}" | ||
fail_build: '${{ needs.build.outputs.fail_build }}' | ||
fail_on_severity: "'Very High','High'" | ||
timeout: 60 | ||
development_stage: '${{ needs.build.outputs.development_stage }}' | ||
summary_display: '${{ needs.build.outputs.display_summary }}' | ||
issue_details: '${{ needs.build.outputs.display_summary }}' | ||
- name: Backup analysis reports | ||
# debug step used to investigate support case | ||
if: needs.build.outputs.enable_qg == 'false' || (failure() && github.event.pull_request.draft == false) | ||
run: | | ||
echo "[DEBUG] downloaded baseline details in /tmp" | ||
ls -la /tmp | ||
echo "[DEBUG] current location details of analysis results" | ||
pwd | ||
ls -la | ||
function backup_baseline(){ | ||
echo "" # adding a blank line | ||
if [[ -z $1 ]]; then | ||
echo "[ERROR] Missing mandatory parameters to backup baseline file" | ||
exit 0 | ||
fi | ||
CURRENT_NAME=$1 | ||
# specific case for downloaded baseline file | ||
if [[ -n $2 && "$2" != "downloaded" ]]; then | ||
echo "[ERROR] Missing downloaded baseline mandatory parameter to continue" | ||
exit 0 | ||
fi | ||
[[ -n $2 ]] && TARGET=$BASE_BRANCH || TARGET=$CURRENT_PR | ||
[[ -n $2 ]] && FILENAME="/tmp/$CURRENT_NAME" || FILENAME="$CURRENT_NAME" | ||
[[ -n $2 ]] && NEW_NAME="baseline.json" || NEW_NAME=$CURRENT_NAME | ||
echo "[DEBUG] FILENAME = $FILENAME" | ||
if [[ -s "$FILENAME" ]]; then | ||
FILE_DETAILS=$( stat -c '%s %y' "$FILENAME" ) | ||
DETAILS=(${FILE_DETAILS//\ / }) | ||
FILE_SIZE=${DETAILS[0]} | ||
CREATION_DATE=${DETAILS[1]} | ||
CREATION_TIME=$( echo "${DETAILS[2]}" | cut -d ':' -f1-2 | tr ':' 'h' ) | ||
cp "$FILENAME" "/tmp/backup/$TARGET.$CREATION_DATE.$CREATION_TIME.size$FILE_SIZE.$NEW_NAME" | ||
else | ||
echo "[WARN] - no $CURRENT_NAME found for FILENAME. Skipping it" | ||
fi | ||
} | ||
CURRENT_DATE=$( date +"%Y-%m-%d" ) | ||
CURRENT_PR="PR-"$( echo "${{ github.ref_name }}" | cut -d '/' -f1 ) | ||
BASE_BRANCH=${{ github.base_ref || github.ref_name }} | ||
BACKUP_LOCATION="s3://centreon-veracode-reports/${{ inputs.module_name }}/debug/$CURRENT_PR" | ||
# saving all reports | ||
mkdir /tmp/backup | ||
backup_baseline "results.json" "downloaded" | ||
backup_baseline "results.json" | ||
backup_baseline "filtered_results.json" | ||
ZIPNAME="$CURRENT_PR.$CURRENT_DATE.${{github.run_id}}.zip" | ||
cd /tmp/backup && zip "$ZIPNAME" * | ||
aws s3 cp "/tmp/backup/$ZIPNAME" "$BACKUP_LOCATION/$ZIPNAME" | ||
- name: Create jira ticket | ||
# In case of QG failure, a ticket must be created | ||
if: needs.build.outputs.enable_qg == 'false' || (failure() && github.event.pull_request.draft == false) | ||
uses: ./.github/actions/veracode-create-jira-ticket | ||
with: | ||
jira_base_url: ${{ secrets.jira_base_url }} | ||
jira_user_email: ${{ secrets.jira_user_email }} | ||
jira_api_token: ${{ secrets.jira_api_token }} | ||
module_name: ${{ inputs.module_name }} | ||
- name: Save baseline files | ||
# only baseline files not generated from a development branch are saved | ||
if: success() && needs.build.outputs.development_stage != 'Development' | ||
run: | | ||
BRANCHES=(develop master dev-${{ inputs.major_version }}.x ${{ inputs.major_version }}.x) | ||
for BRANCH in "${BRANCHES[@]}"; do | ||
if [[ "${{ github.ref_name }}" == "$BRANCH" ]]; then | ||
mv *results.json /tmp | ||
BUCKET="s3://centreon-veracode-reports/${{ inputs.module_name }}/${{ github.base_ref || github.ref_name }}" | ||
aws s3 cp "/tmp/filtered_results.json" "$BUCKET/filtered_results.json" | ||
aws s3 cp "/tmp/results.json" "$BUCKET/results.json" | ||
fi | ||
done | ||
clean-artifact: | ||
needs: [pipeline-scan] | ||
name: Clean artifact | ||
if: success() || failure() | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: geekyeggo/delete-artifact@65041433121f7239077fa20be14c0690f70569de # v4.1.0 | ||
with: | ||
name: "Veracode Pipeline-Scan Results" | ||
token: ${{ secrets.GITHUB_TOKEN }} | ||
policy-scan: | ||
needs: [build] | ||
name: Run a sandbox scan | ||
# only stable and unstable maintenances branches will produce a report | ||
if: needs.build.outputs.development_stage != 'Development' | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Get build binary | ||
uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | ||
with: | ||
path: "${{ inputs.module_directory }}/${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary.zip" | ||
key: "${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary" | ||
fail-on-cache-miss: true | ||
- name: Sandbox scan | ||
uses: veracode/veracode-uploadandscan-action@f7e1fbf02c5c899fba9f12e3f537b62f2f1230e1 # master | ||
continue-on-error: ${{ vars.VERACODE_CONTINUE_ON_ERROR == 'true' }} | ||
with: | ||
appname: "${{ inputs.module_name }}" | ||
version: "${{ inputs.major_version }}.${{ inputs.minor_version }}_runId-${{ github.run_id }}" | ||
filepath: "${{ inputs.module_directory }}/${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary.zip" | ||
vid: "vera01ei-${{ secrets.veracode_api_id }}" | ||
vkey: "vera01es-${{ secrets.veracode_api_key }}" | ||
createprofile: true | ||
createsandbox: true | ||
sandboxname: "${{ github.ref_name }}" | ||
scantimeout: 120 | ||
includenewmodules: true | ||
scanallnonfataltoplevelmodules: true | ||
deleteincompletescan: 1 | ||
scanpollinginterval: 120 # time between two checks in seconds / [30 to 120] | ||
- name: Promote Scan | ||
# only develop will be promoted to policy scan | ||
if: success() && github.ref_name == 'develop' | ||
env: | ||
VERACODE_API_ID: "${{ secrets.veracode_api_id }}" | ||
VERACODE_API_SECRET: "${{ secrets.veracode_api_key }}" | ||
# Action forked due to an API call hardcoding the '.com' route | ||
uses: sc979/veracode-sandboxes-helper@cf67241c27cbe6405ad8705111121ece9a48c4ff # v0.2 | ||
with: | ||
activity: "promote-latest-scan" | ||
app-name: "${{ inputs.module_name }}" | ||
sandbox-name: "${{ github.ref_name }}" | ||
delete-on-promote: false | ||
sca-scan: | ||
needs: [build] | ||
name: Run a SCA scan | ||
# only stable and unstable maintenance branches will produce a report | ||
if: needs.build.outputs.development_stage != 'Development' | ||
runs-on: ubuntu-latest | ||
continue-on-error: ${{ vars.VERACODE_CONTINUE_ON_ERROR == 'true' }} | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- name: Removing pnpm dependencies | ||
run: | | ||
cd ${{ inputs.module_directory }} | ||
echo "[DEBUG] - pnpm dependencies analysis disabled" | ||
find ./ -type f -name "package.json" -o -name "package-lock.json" -o -name "npm-shrinkwrap.json" -delete | ||
RESULT=`find ./ -type f -name "composer.lock" -o -name "composer.json"` | ||
if [[ -n ${RESULT[0]} ]]; then | ||
echo "trigger_sca_scan=true" >> $GITHUB_ENV | ||
fi | ||
- name: SCA scan | ||
if: env.trigger_sca_scan == 'true' | ||
env: | ||
SRCCLR_API_TOKEN: ${{ secrets.veracode_srcclr_token }} | ||
SRCCLR_REGION: "ER" | ||
uses: sc979/veracode-sca@c407924976db886ffb1bfdbbbf3463f0939f835d # v1.11 | ||
# This action is based on the following command: | ||
# curl -sSL https://download.sourceclear.com/ci.sh | sh -s -- scan "./${{ inputs.module_directory }}" --debug | ||
with: | ||
github_token: ${{ secrets.GITHUB_TOKEN }} | ||
create-issues: false | ||
allow-dirty: true | ||
path: "./${{ inputs.module_directory }}" | ||
recursive: true |