From d615a65d4bc637ccae56c6b8dcda58332be84184 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 20 Jan 2025 11:52:49 +0530 Subject: [PATCH 01/19] sca-scan.yml --- .github/workflows/sca-scan.yml | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/.github/workflows/sca-scan.yml b/.github/workflows/sca-scan.yml index 1f9aa651..6cde2588 100644 --- a/.github/workflows/sca-scan.yml +++ b/.github/workflows/sca-scan.yml @@ -7,18 +7,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@master - - name: Setup local.properties - run: | - cat << EOF >> local.properties - sdk.dir=$ANDROID_HOME - host="${{ secrets.HOST }}" - APIKey="${{ secrets.API_KEY }}" - deliveryToken="${{ secrets.DELIVERY_TOKEN }}" - environment="${{ secrets.ENVIRONMENT }}" - contentType="${{ secrets.CONTENT_TYPE }}" - assetUid="${{ secrets.ASSET_UID }}" - EOF - - uses: snyk/actions/setup@master - - run: snyk test --fail-on=all + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/gradle@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --fail-on=all --all-sub-projects \ No newline at end of file From 42d317f4e65f30c49cd8a5480b167c8ff387a67f Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 20 Jan 2025 11:53:01 +0530 Subject: [PATCH 02/19] jira.yml --- .github/workflows/jira.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/jira.yml b/.github/workflows/jira.yml index caa4bbdf..250abc76 100644 --- a/.github/workflows/jira.yml +++ b/.github/workflows/jira.yml @@ -21,7 +21,7 @@ jobs: project: ${{ secrets.JIRA_PROJECT }} issuetype: ${{ secrets.JIRA_ISSUE_TYPE }} summary: | - ${{ github.event.pull_request.title }} + Snyk | Vulnerability | ${{ github.event.repository.name }} | ${{ github.event.pull_request.title }} description: | PR: ${{ github.event.pull_request.html_url }} From 9804fac9f8f9c26d6eba9c9b788e3c6cc1943b91 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 20 Jan 2025 11:53:02 +0530 Subject: [PATCH 03/19] sast-scan.yml From 1addc7555325e60adb83479d17f8a332cca8b2f1 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 20 Jan 2025 11:53:04 +0530 Subject: [PATCH 04/19] codeql-analysis.yml From 16028c67c50bb1555cb91135c8c71d415562ac3a Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 20 Jan 2025 11:53:09 +0530 Subject: [PATCH 05/19] Updated codeowners --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 07739234..1be7e0dc 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -* @contentstack/security-admin \ No newline at end of file +* @contentstack/security-admin From b418bd48f1d5fbe03233a625a194619eac503306 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 16 Apr 2025 10:22:02 +0530 Subject: [PATCH 06/19] policy-scan.yml --- .github/workflows/policy-scan.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/workflows/policy-scan.yml diff --git a/.github/workflows/policy-scan.yml b/.github/workflows/policy-scan.yml new file mode 100644 index 00000000..13bd3623 --- /dev/null +++ b/.github/workflows/policy-scan.yml @@ -0,0 +1,27 @@ +name: Checks the security policy and configurations +on: + pull_request: + types: [opened, synchronize, reopened] +jobs: + security-policy: + if: github.event.repository.visibility == 'public' + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: + - uses: actions/checkout@master + - name: Checks for SECURITY.md policy file + run: | + if ! [[ -f "SECURITY.md" || -f ".github/SECURITY.md" ]]; then exit 1; fi + security-license: + if: github.event.repository.visibility == 'public' + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: + - uses: actions/checkout@master + - name: Checks for License file + run: | + if ! [[ -f "LICENSE" || -f "License.txt" || -f "LICENSE.md" ]]; then exit 1; fi \ No newline at end of file From 22acc2d111b57ddc109acce4f248455358308279 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 16 Apr 2025 10:22:12 +0530 Subject: [PATCH 07/19] issues-jira.yml --- .github/workflows/issues-jira.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/issues-jira.yml diff --git a/.github/workflows/issues-jira.yml b/.github/workflows/issues-jira.yml new file mode 100644 index 00000000..7bf04694 --- /dev/null +++ b/.github/workflows/issues-jira.yml @@ -0,0 +1,31 @@ +name: Create Jira Ticket for Github Issue + +on: + issues: + types: [opened] + +jobs: + issue-jira: + runs-on: ubuntu-latest + steps: + + - name: Login to Jira + uses: atlassian/gajira-login@master + env: + JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }} + JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }} + JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} + + - name: Create Jira Issue + id: create_jira + uses: atlassian/gajira-create@master + with: + project: ${{ secrets.JIRA_PROJECT }} + issuetype: ${{ secrets.JIRA_ISSUE_TYPE }} + summary: Github | Issue | ${{ github.event.repository.name }} | ${{ github.event.issue.title }} + description: | + *GitHub Issue:* ${{ github.event.issue.html_url }} + + *Description:* + ${{ github.event.issue.body }} + fields: "${{ secrets.ISSUES_JIRA_FIELDS }}" \ No newline at end of file From 95101854929f15159a30bfe29cb3b0d9100fe4b2 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 16 Apr 2025 10:22:13 +0530 Subject: [PATCH 08/19] Delete jira.yml --- .github/workflows/jira.yml | 33 --------------------------------- 1 file changed, 33 deletions(-) delete mode 100644 .github/workflows/jira.yml diff --git a/.github/workflows/jira.yml b/.github/workflows/jira.yml deleted file mode 100644 index 250abc76..00000000 --- a/.github/workflows/jira.yml +++ /dev/null @@ -1,33 +0,0 @@ -name: Create JIRA ISSUE -on: - pull_request: - types: [opened] -jobs: - security-jira: - if: ${{ github.actor == 'dependabot[bot]' || github.actor == 'snyk-bot' || contains(github.event.pull_request.head.ref, 'snyk-fix-') || contains(github.event.pull_request.head.ref, 'snyk-upgrade-')}} - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Login into JIRA - uses: atlassian/gajira-login@master - env: - JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }} - JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }} - JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} - - name: Create a JIRA Issue - id: create - uses: atlassian/gajira-create@master - with: - project: ${{ secrets.JIRA_PROJECT }} - issuetype: ${{ secrets.JIRA_ISSUE_TYPE }} - summary: | - Snyk | Vulnerability | ${{ github.event.repository.name }} | ${{ github.event.pull_request.title }} - description: | - PR: ${{ github.event.pull_request.html_url }} - - fields: "${{ secrets.JIRA_FIELDS }}" - - name: Transition issue - uses: atlassian/gajira-transition@v3 - with: - issue: ${{ steps.create.outputs.issue }} - transition: ${{ secrets.JIRA_TRANSITION }} From 3e309cea564abe49346f6a4d8ef01105b7ab43d5 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 16 Apr 2025 10:22:13 +0530 Subject: [PATCH 09/19] Delete sast-scan.yml --- .github/workflows/sast-scan.yml | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 .github/workflows/sast-scan.yml diff --git a/.github/workflows/sast-scan.yml b/.github/workflows/sast-scan.yml deleted file mode 100644 index 3b9521a5..00000000 --- a/.github/workflows/sast-scan.yml +++ /dev/null @@ -1,11 +0,0 @@ -name: SAST Scan -on: - pull_request: - types: [opened, synchronize, reopened] -jobs: - security-sast: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Semgrep Scan - run: docker run -v /var/run/docker.sock:/var/run/docker.sock -v "${PWD}:/src" returntocorp/semgrep semgrep scan --config auto \ No newline at end of file From 3a053dda72d8f8b76d9563f049c49fde95082c9a Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 16 Apr 2025 10:22:15 +0530 Subject: [PATCH 10/19] codeql-analysis.yml From 3287e343c867dfe745aa80c4ed0b01218f021f80 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 16 Apr 2025 10:22:19 +0530 Subject: [PATCH 11/19] Updated codeowners From 6644fe2f75442da3adca9ecfedc15281a304fa34 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 23 Apr 2025 21:32:32 +0530 Subject: [PATCH 12/19] policy-scan.yml --- .github/workflows/policy-scan.yml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/policy-scan.yml b/.github/workflows/policy-scan.yml index 13bd3623..ff259231 100644 --- a/.github/workflows/policy-scan.yml +++ b/.github/workflows/policy-scan.yml @@ -24,4 +24,23 @@ jobs: - uses: actions/checkout@master - name: Checks for License file run: | - if ! [[ -f "LICENSE" || -f "License.txt" || -f "LICENSE.md" ]]; then exit 1; fi \ No newline at end of file + expected_license_files=("LICENSE" "LICENSE.txt" "LICENSE.md" "License.txt") + license_file_found=false + current_year=$(date +"%Y") + + for license_file in "${expected_license_files[@]}"; do + if [ -f "$license_file" ]; then + license_file_found=true + # check the license file for the current year, if not exists, exit with error + if ! grep -q "$current_year" "$license_file"; then + echo "License file $license_file does not contain the current year." + exit 2 + fi + break + fi + done + + if [ "$license_file_found" = false ]; then + echo "No license file found. Please add a license file to the repository." + exit 1 + fi \ No newline at end of file From a1331c057e768c7dae22d383044c4c0565715925 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 5 May 2025 21:52:23 +0530 Subject: [PATCH 13/19] policy-scan.yml From 685cec4a0bf77778b9b942c516530f20b09c925d Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 5 May 2025 21:52:30 +0530 Subject: [PATCH 14/19] issues-jira.yml From f2396cfe280992b656a5346868e6eeda02fc8311 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 5 May 2025 21:52:31 +0530 Subject: [PATCH 15/19] secrets-scan.yml --- .github/workflows/secrets-scan.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/secrets-scan.yml diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml new file mode 100644 index 00000000..049c02f4 --- /dev/null +++ b/.github/workflows/secrets-scan.yml @@ -0,0 +1,29 @@ +name: Secrets Scan +on: + pull_request: + types: [opened, synchronize, reopened] +jobs: + security-secrets: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: '2' + ref: '${{ github.event.pull_request.head.ref }}' + - run: | + git reset --soft HEAD~1 + - name: Install Talisman + run: | + # Download Talisman + wget https://github.com/thoughtworks/talisman/releases/download/v1.37.0/talisman_linux_amd64 -O talisman + + # Checksum verification + checksum=$(sha256sum ./talisman | awk '{print $1}') + if [ "$checksum" != "8e0ae8bb7b160bf10c4fa1448beb04a32a35e63505b3dddff74a092bccaaa7e4" ]; then exit 1; fi + + # Make it executable + chmod +x talisman + - name: Run talisman + run: | + # Run Talisman with the pre-commit hook + ./talisman --githook pre-commit \ No newline at end of file From 484296493f45726a0d24d8da9b2db0e4e068f31f Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 5 May 2025 21:52:34 +0530 Subject: [PATCH 16/19] Updated codeowners From a13f72a3ac2653e18f49f832bfc22f3ed7be36a7 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 5 May 2025 23:29:10 +0530 Subject: [PATCH 17/19] talismanrc file updated --- .talismanrc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.talismanrc b/.talismanrc index 6acc6e78..e91afa6f 100644 --- a/.talismanrc +++ b/.talismanrc @@ -1,6 +1,9 @@ threshold: medium fileignoreconfig: +- filename: .github/workflows/secrets-scan.yml + ignore_detectors: + - filecontent - filename: contentstack/src/main/java/com/contentstack/okhttp/internal/spdy/Spdy3.java checksum: 5f6979f6336684787ff20dc5ccb0ea31665dcb4801845a34770d3bd30387f129 - filename: contentstack/src/main/java/com/contentstack/okhttp/internal/DiskLruCache.java From 90d708a47014d05fc0f1af50ab1906aa021d2c83 Mon Sep 17 00:00:00 2001 From: reeshika-h Date: Fri, 6 Jun 2025 18:03:36 +0530 Subject: [PATCH 18/19] Update branch restrictions in check-branch.yml and add contentType and assetUid to local.properties in sca-scan.yml; update copyright year in LICENSE --- .github/workflows/check-branch.yml | 8 ++++---- .github/workflows/sca-scan.yml | 13 ++++++++++++- LICENSE | 2 +- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/.github/workflows/check-branch.yml b/.github/workflows/check-branch.yml index 1e2d24a5..8a3a32ab 100644 --- a/.github/workflows/check-branch.yml +++ b/.github/workflows/check-branch.yml @@ -8,13 +8,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Comment PR - if: github.base_ref == 'master' && github.head_ref != 'next' + if: github.base_ref == 'master' && github.head_ref != 'staging' uses: thollander/actions-comment-pull-request@v2 with: message: | - We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the next branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch. + We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the staging branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch. - name: Check branch - if: github.base_ref == 'master' && github.head_ref != 'next' + if: github.base_ref == 'master' && github.head_ref != 'staging' run: | - echo "ERROR: We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the next branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch." + echo "ERROR: We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the staging branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch." exit 1 \ No newline at end of file diff --git a/.github/workflows/sca-scan.yml b/.github/workflows/sca-scan.yml index 6cde2588..ed7912f3 100644 --- a/.github/workflows/sca-scan.yml +++ b/.github/workflows/sca-scan.yml @@ -7,8 +7,19 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@master + - name: Setup local.properties + run: | + cat << EOF >> local.properties + sdk.dir=$ANDROID_HOME + host="${{ secrets.HOST }}" + APIKey="${{ secrets.API_KEY }}" + deliveryToken="${{ secrets.DELIVERY_TOKEN }}" + environment="${{ secrets.ENVIRONMENT }}" + contentType="${{ secrets.CONTENT_TYPE }}" + assetUid="${{ secrets.ASSET_UID }}" + EOF - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/gradle@master + uses: snyk/actions/setup@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: diff --git a/LICENSE b/LICENSE index 0eb1a11a..c7d34c7c 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2012 - 2024 Contentstack +Copyright (c) 2012 - 2025 Contentstack Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From 53eb5cdbe14ee642b7740bd382dc7738189c3723 Mon Sep 17 00:00:00 2001 From: reeshika-h Date: Fri, 6 Jun 2025 18:14:53 +0530 Subject: [PATCH 19/19] Reformat fileignoreconfig entries in .talismanrc for consistency --- .talismanrc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.talismanrc b/.talismanrc index e91afa6f..cbad4b45 100644 --- a/.talismanrc +++ b/.talismanrc @@ -4,7 +4,7 @@ fileignoreconfig: - filename: .github/workflows/secrets-scan.yml ignore_detectors: - filecontent - - filename: contentstack/src/main/java/com/contentstack/okhttp/internal/spdy/Spdy3.java - checksum: 5f6979f6336684787ff20dc5ccb0ea31665dcb4801845a34770d3bd30387f129 - - filename: contentstack/src/main/java/com/contentstack/okhttp/internal/DiskLruCache.java - checksum: 54a52cc9b0d897e500087e7cce65bd1c7c2615a82dad8f5942d87964b3ec4ab2 +- filename: contentstack/src/main/java/com/contentstack/okhttp/internal/spdy/Spdy3.java + checksum: 5f6979f6336684787ff20dc5ccb0ea31665dcb4801845a34770d3bd30387f129 +- filename: contentstack/src/main/java/com/contentstack/okhttp/internal/DiskLruCache.java + checksum: 54a52cc9b0d897e500087e7cce65bd1c7c2615a82dad8f5942d87964b3ec4ab2