Added mao's scanning actions from FINOS security scanning
Showing
5 changed files
with
161 additions
and
0 deletions.
@@ -0,0 +1,49 @@ | ||
<name>3-Clause BSD License</name> | ||
<name>Apache 2.0</name> | ||
<name>Apache 2</name> | ||
<name>Apache License 2.0</name> | ||
<name>Apache License, 2.0</name> | ||
<name>Apache License, Version 2.0</name> | ||
<name>Apache License, version 2.0</name> | ||
<name>Apache-2.0</name> | ||
<name>Apple License</name> | ||
<name>BSD 2-Clause</name> | ||
<name>BSD License 3</name> | ||
<name>BSD-2-Clause</name> | ||
<name>BSD-3-Clause</name> | ||
<name>Bouncy Castle Licence</name> | ||
<name>CC0</name> | ||
<name>CDDL + GPLv2 with classpath exception</name> | ||
<name>CDDL 1.1</name> | ||
<name>CDDL+GPL License</name> | ||
<name>CDDL/GPLv2+CE</name> | ||
<name>COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0</name> | ||
<name>Dual license consisting of the CDDL v1.1 and GPL v2</name> | ||
<name>EDL 1.0</name> | ||
<name>EPL 2.0</name> | ||
<name>Eclipse Distribution License - v 1.0</name> | ||
<name>Eclipse Public License - v 1.0</name> | ||
<name>Eclipse Public License - v 2.0</name> | ||
<name>Eclipse Public License v2.0</name> | ||
<name>GNU Lesser General Public License</name> | ||
<name>GPL2 w/ CPE</name> | ||
<name>LGPL 2.1</name> | ||
<name>MIT License</name> | ||
<name>MIT license</name> | ||
<name>MPL 1.1</name> | ||
<name>Modified BSD</name> | ||
<name>Prior BSD License</name> | ||
<name>Public Domain, per Creative Commons CC0</name> | ||
<name>Public Domain</name> | ||
<name>Similar to Apache License but with the acknowledgment clause removed</name> | ||
<name>The Apache License, Version 2.0</name> | ||
<name>The Apache Software License, Version 2.0</name> | ||
<name>The BSD License</name> | ||
<name>The GNU General Public License (GPL), Version 2, With Classpath Exception</name> | ||
<name>The GNU Lesser General Public License, Version 2.1</name> | ||
<name>The MIT License (MIT)</name> | ||
<name>The MIT License</name> | ||
<name>Unicode/ICU License</name> | ||
<name>Universal Permissive License, Version 1.0</name> | ||
<name>W3C license</name> | ||
<name>jQuery license</name> |
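Review bot: The list accepts copyleft-family entries such as `GNU Lesser General Public License`, `LGPL 2.1`, `GPL2 w/ CPE` and the CDDL/GPL dual-license forms alongside the permissive ones, so confirm that allowing them is this project's intended policy rather than something carried over from the template it was copied from. Because the consuming workflow in this commit feeds the file to `comm` line by line, every line is treated as an allowlisted name and the file cannot carry a comment describing its purpose; that explanation belongs in a comment beside the step that reads it. The variant spellings (`MIT License` / `MIT license`, several Apache 2.0 forms) are needed because matching is exact, and the entries appear to already be in byte order, which `comm` requires.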
@@ -0,0 +1,10 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> | ||
<suppress> | ||
<notes><![CDATA[ | ||
Testing false positives by suppressing a CVE | ||
]]></notes> | ||
<gav>org.apache.struts:struts2-core:2.3.8</gav> | ||
<cve>CVE-2017-5638</cve> | ||
</suppress> | ||
</suppressions> |
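Review bot: The suppression's own `<notes>` says it exists only for testing, yet it hides `CVE-2017-5638` — a critical, widely exploited Struts 2 vulnerability — for `org.apache.struts:struts2-core:2.3.8` in every future scan, so it should be removed before merge, or at least bounded with the schema's expiry attribute, e.g. `<suppress until="YYYY-MM-DD">` (placeholder date), with a `<notes>` text that records the actual justification and an owner. If a template for future false positives is wanted, keep it commented out inside the XML so it has no effect on results. The exact-GAV scope used here is the right narrow form to keep for any real suppression.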
@@ -0,0 +1,28 @@ | ||
name: Maven CVE Scanning | ||
|
||
on: | ||
pull_request: | ||
paths: | ||
- 'pom.xml' | ||
- '.github/workflows/cve-scanning.yml' | ||
push: | ||
paths: | ||
- 'pom.xml' | ||
- '.github/workflows/cve-scanning.yml' | ||
schedule: | ||
# Run every day at 5am and 5pm | ||
- cron: '0 5,17 * * *' | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- uses: actions/checkout@v3 | ||
- name: Set up JDK 11 | ||
uses: actions/setup-java@v3 | ||
with: | ||
java-version: '11' | ||
distribution: 'adopt' | ||
- name: Build with Maven | ||
run: mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7 -DsuppressionFile=".github/workflows/allow-list.xml" |
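Review bot: The `mvn` step on the last line runs in the repository root with no `working-directory`, and both path filters watch a root `pom.xml`, while the license workflow added in the same commit builds under `maven/` (`working-directory: maven`, filter `maven/pom.xml`); if the project's pom lives there, this job would never trigger on dependency changes and the build step would fail for lack of a pom — confirm the layout and, if so, add `working-directory: maven` to the step and `- 'maven/pom.xml'` to both filters. The workflow declares no `permissions:`, so the job token receives the repository default; a top-level `permissions:` with `contents: read` is enough for checkout plus scanning. Actions are referenced by mutable tags (`actions/checkout@v3`, `actions/setup-java@v3`); pinning to a commit SHA with the tag in a trailing comment narrows the supply-chain exposure of a job that processes dependency data. `distribution: 'adopt'` is the deprecated AdoptOpenJDK alias in setup-java; `'temurin'` is its successor.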
@@ -0,0 +1,59 @@ | ||
name: License Scanning for Maven | ||
|
||
on: | ||
schedule: | ||
- cron: '0 8,18 * * 1-5' | ||
push: | ||
paths: | ||
- 'maven/pom.xml' | ||
- '.github/workflows/license-check.yml' | ||
- '.github/workflows/acceptable-licenses.txt' | ||
|
||
jobs: | ||
scan: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- name: Cache Maven dependencies | ||
uses: actions/cache@v2 | ||
env: | ||
cache-name: cache-mvn-modules | ||
with: | ||
path: ~/.m2 | ||
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/pom.xml') }} | ||
restore-keys: | | ||
${{ runner.os }}-build-${{ env.cache-name }}- | ||
${{ runner.os }}-build- | ||
${{ runner.os }}- | ||
- name: Set up JDK 17 | ||
uses: actions/setup-java@v3 | ||
with: | ||
java-version: 17 | ||
distribution: 'adopt' | ||
- name: Install XQ | ||
run: pip install xq | ||
- name: Download deps and plugins | ||
run: mvn de.qaware.maven:go-offline-maven-plugin:resolve-dependencies | ||
- name: Build | ||
run: mvn install -DskipTests | ||
- name: License XML report | ||
run: mvn org.codehaus.mojo:license-maven-plugin:2.0.0:download-licenses | ||
- name: Validate XML report | ||
run: | | ||
ALLOW_LICENSES=`cat .github/workflows/acceptable-licenses.txt` | ||
find . -name licenses.xml | awk '{print "cat " $1}' | sh | xq "//dependency[licenses/license/name!=${{ env.ALLOW_LICENSES }}] | sort | uniq > target/complete-licenses.txt | ||
comm -23 target/complete-licenses.txt .github/workflows/acceptable-licenses.txt > target/license-report.txt | ||
LINES_FOUND=`cat target/license-report.txt | wc -l` | ||
echo "License issues found ..." | ||
if [ $LINES_FOUND -gt 1 ]; then cat target/license-report.txt ; exit -1; fi | ||
working-directory: maven | ||
- name: Upload license reports | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: license-reports | ||
path: 'maven/**/dependencies.html' | ||
- name: Upload license XML reports | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: license-xml-report | ||
path: 'maven/**/${{ env.REPORT_PATH }}' |
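Review bot: `${{ env.ALLOW_LICENSES }}` in the `xq` line is evaluated by the workflow runner from the Actions `env` context, which never contains the shell variable assigned on the line above it, so it expands to an empty string and the XPath predicate is malformed; as rendered, the `"` opening the `xq` argument is also never closed, so the step would stop on a shell syntax error before writing `target/complete-licenses.txt`. Since `comm -23` on the next line already removes allowlisted names, the predicate is redundant: select every name with `xq "//dependency/licenses/license/name" | sort | uniq > target/complete-licenses.txt` and drop the `ALLOW_LICENSES` line (this assumes `xq` prints each match as a `<name>…</name>` element, matching the allowlist format — confirm). The check `-gt 1` tolerates one disallowed license; use `if [ "$LINES_FOUND" -gt 0 ]; then cat target/license-report.txt; exit 1; fi`. `comm` also needs both inputs sorted under the same collation, so run `sort` with `LC_ALL=C` or the allowlist's byte order may not match. Finally, `${{ env.REPORT_PATH }}` in the last step is not defined anywhere in this workflow, so the artifact path collapses to `maven/**/` and uploads far more than the XML reports.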
@@ -0,0 +1,15 @@ | ||
name: Static code analysis (SemGrep) | ||
|
||
on: [push, pull_request] | ||
|
||
jobs: | ||
semgrep: | ||
name: run-semgrep | ||
runs-on: ubuntu-20.04 | ||
container: | ||
image: returntocorp/semgrep | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- run: semgrep scan --error --config auto | ||
env: | ||
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} |
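Review bot: The scanner runs from `returntocorp/semgrep` with no tag, i.e. whatever `latest` resolves to at run time, so both the results and the code executed against the checkout can change without any change to this repository; pin it to a release tag or digest, e.g. `image: returntocorp/semgrep:<pinned-version>` (placeholder). `SEMGREP_APP_TOKEN` is read from `secrets`, which GitHub leaves empty for `pull_request` events from forks, so check that `semgrep scan --error --config auto` still does what is intended when the token is absent, and confirm that the registry fetch and any metrics `--config auto` reports to the Semgrep service are acceptable for this project. Like the other workflows in this commit, it declares no `permissions:`; a top-level `permissions:` with `contents: read` is sufficient here. `on: [push, pull_request]` runs the scan twice for pull requests opened from branches in this repository.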