From 4bb4bd85e3910c2f044e37ca9ad37f3dcd81b37a Mon Sep 17 00:00:00 2001
From: Rob Moffat
Date: Thu, 2 Mar 2023 14:20:44 +0000
Subject: [PATCH] Added mao's scanning actions from FINOS security scanning
---
 .github/workflows/acceptable-licenses.txt | 49 +++++++++++++++++++
 .github/workflows/allow-list.xml | 10 ++++
 .github/workflows/cve-scanning.yml | 28 +++++++++++
 .github/workflows/license-check.yml | 59 +++++++++++++++++++++++
 .github/workflows/semgrep.yml | 15 ++++++
 5 files changed, 161 insertions(+)
 create mode 100644 .github/workflows/acceptable-licenses.txt
 create mode 100644 .github/workflows/allow-list.xml
 create mode 100644 .github/workflows/cve-scanning.yml
 create mode 100644 .github/workflows/license-check.yml
 create mode 100644 .github/workflows/semgrep.yml
diff --git a/.github/workflows/acceptable-licenses.txt b/.github/workflows/acceptable-licenses.txt
new file mode 100644
index 00000000..1fb00afa
--- /dev/null
+++ b/.github/workflows/acceptable-licenses.txt
@@ -0,0 +1,49 @@
+3-Clause BSD License
+Apache 2.0
+Apache 2
+Apache License 2.0
+Apache License, 2.0
+Apache License, Version 2.0
+Apache License, version 2.0
+Apache-2.0
+Apple License
+BSD 2-Clause
+BSD License 3
+BSD-2-Clause
+BSD-3-Clause
+Bouncy Castle Licence
+CC0
+CDDL + GPLv2 with classpath exception
+CDDL 1.1
+CDDL+GPL License
+CDDL/GPLv2+CE
+COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0
+Dual license consisting of the CDDL v1.1 and GPL v2
+EDL 1.0
+EPL 2.0
+Eclipse Distribution License - v 1.0
+Eclipse Public License - v 1.0
+Eclipse Public License - v 2.0
+Eclipse Public License v2.0
+GNU Lesser General Public License
+GPL2 w/ CPE
+LGPL 2.1
+MIT License
+MIT license
+MPL 1.1
+Modified BSD
+Prior BSD License
+Public Domain, per Creative Commons CC0
+Public Domain
+Similar to Apache License but with the acknowledgment clause removed
+The Apache License, Version 2.0
+The Apache Software License, Version 2.0
+The BSD License
+The GNU General Public License (GPL), Version 2, With Classpath Exception
+The GNU Lesser General Public License, Version 2.1
+The MIT License (MIT)
+The MIT License
+Unicode/ICU License
+Universal Permissive License, Version 1.0
+W3C license
+jQuery license
diff --git a/.github/workflows/allow-list.xml b/.github/workflows/allow-list.xml
new file mode 100644
index 00000000..f244b64c
--- /dev/null
+++ b/.github/workflows/allow-list.xml
@@ -0,0 +1,10 @@
+ + + + org.apache.struts:struts2-core:2.3.8 + CVE-2017-5638 + +
diff --git a/.github/workflows/cve-scanning.yml b/.github/workflows/cve-scanning.yml
new file mode 100644
index 00000000..9401c0ea
--- /dev/null
+++ b/.github/workflows/cve-scanning.yml
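Review bot: The suppression entry pairing `org.apache.struts:struts2-core:2.3.8` with `CVE-2017-5638` reads like the dependency-check sample suppression rather than one this project needs; the XML markup is lost in this rendering, so I cannot tell whether the entry is live or sits inside an XML comment. If it is live, that exact artifact is exempt from the `-DfailBuildOnCVSS=7` gate in cve-scanning.yml for a critical remote code execution CVE, which is the opposite of what an allow list shipped with a scanner should do. I would drop the sample entry so the file ships with an empty `<suppressions>` root, and require every real suppression to carry a `<notes>` justification and an `until` expiry date so silenced findings get revisited.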
@@ -0,0 +1,28 @@
+name: Maven CVE Scanning
+
+on:
+ pull_request:
+ paths:
+ - 'pom.xml'
+ - '.github/workflows/cve-scanning.yml'
+ push:
+ paths:
+ - 'pom.xml'
+ - '.github/workflows/cve-scanning.yml'
+ schedule:
+ # Run every day at 5am and 5pm
+ - cron: '0 5,17 * * *'
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up JDK 11
+ uses: actions/setup-java@v3
+ with:
+ java-version: '11'
+ distribution: 'adopt'
+ - name: Build with Maven
+ run: mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7 -DsuppressionFile=".github/workflows/allow-list.xml"
diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
new file mode 100644
index 00000000..bc3e7a1e
--- /dev/null
+++ b/.github/workflows/license-check.yml
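Review bot: The workflow declares no `permissions:` block, so on every `push` and `pull_request` run the job's GITHUB_TOKEN receives the repository's default grant although the scan only needs to read the checkout; add a top-level `permissions:` block with `contents: read` (the same gap exists in license-check.yml and semgrep.yml in this commit). The plugin is invoked as `org.owasp:dependency-check-maven:check` without a version, so each run resolves the newest release and scanner behaviour can change between runs with no commit to explain it; pin it, e.g. `mvn org.owasp:dependency-check-maven:<pinned-version>:check ...`. `distribution: 'adopt'` is deprecated in setup-java v3 in favour of `temurin`. Pinning the `@v3` action references to commit SHAs would close the remaining supply-chain gap for a workflow that runs on every pull request.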
@@ -0,0 +1,59 @@
+name: License Scanning for Maven
+
+on:
+ schedule:
+ - cron: '0 8,18 * * 1-5'
+ push:
+ paths:
+ - 'maven/pom.xml'
+ - '.github/workflows/license-check.yml'
+ - '.github/workflows/acceptable-licenses.txt'
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Cache Maven dependencies
+ uses: actions/cache@v2
+ env:
+ cache-name: cache-mvn-modules
+ with:
+ path: ~/.m2
+ key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-build-${{ env.cache-name }}-
+ ${{ runner.os }}-build-
+ ${{ runner.os }}-
+ - name: Set up JDK 17
+ uses: actions/setup-java@v3
+ with:
+ java-version: 17
+ distribution: 'adopt'
+ - name: Install XQ
+ run: pip install xq
+ - name: Download deps and plugins
+ run: mvn de.qaware.maven:go-offline-maven-plugin:resolve-dependencies
+ - name: Build
+ run: mvn install -DskipTests
+ - name: License XML report
+ run: mvn org.codehaus.mojo:license-maven-plugin:2.0.0:download-licenses
+ - name: Validate XML report
+ run: |
+ ALLOW_LICENSES=`cat .github/workflows/acceptable-licenses.txt`
+ find . -name licenses.xml | awk '{print "cat " $1}' | sh | xq "//dependency[licenses/license/name!=${{ env.ALLOW_LICENSES }}] | sort | uniq > target/complete-licenses.txt
+ comm -23 target/complete-licenses.txt .github/workflows/acceptable-licenses.txt > target/license-report.txt
+ LINES_FOUND=`cat target/license-report.txt | wc -l`
+ echo "License issues found ..."
+ if [ $LINES_FOUND -gt 1 ]; then cat target/license-report.txt ; exit -1; fi
+ working-directory: maven
+ - name: Upload license reports
+ uses: actions/upload-artifact@v3
+ with:
+ name: license-reports
+ path: 'maven/**/dependencies.html'
+ - name: Upload license XML reports
+ uses: actions/upload-artifact@v3
+ with:
+ name: license-xml-report
+ path: 'maven/**/${{ env.REPORT_PATH }}'
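Review bot: In the `Validate XML report` step, `${{ env.ALLOW_LICENSES }}` is a workflow expression that GitHub substitutes before the shell starts, while `ALLOW_LICENSES` is only a shell variable assigned on the previous line, so the XPath the runner sees is `//dependency[licenses/license/name!=]`, and the double quote opened before `//dependency` is never closed on that line. The step runs with `working-directory: maven`, but this commit creates `.github/workflows/acceptable-licenses.txt` at the repository root, so both the `cat` and the second `comm` input point at a file that does not exist there; in addition `comm` expects sorted inputs, `-gt 1` lets a single unapproved license pass, and `exit -1` is not a valid exit status in `sh`. `${{ env.REPORT_PATH }}` in the last upload step is never defined anywhere in the workflow, which leaves that artifact path as `maven/**/`. The rewrite below selects the license names directly, reads the allow list via `$GITHUB_WORKSPACE`, sorts both sides before `comm`, and fails on any non-empty report; it assumes `xq` prints one selected text node per line, which the original pipeline already relies on.
```yaml
      # … unchanged: checkout, cache, JDK, xq install and mvn steps …
      - name: Validate XML report
        run: |
          set -euo pipefail
          ACCEPTABLE="$GITHUB_WORKSPACE/.github/workflows/acceptable-licenses.txt"
          find . -name licenses.xml -exec cat {} + \
            | xq '//dependency/licenses/license/name' \
            | sort -u > target/complete-licenses.txt
          sort -u "$ACCEPTABLE" > target/acceptable-licenses.sorted
          comm -23 target/complete-licenses.txt target/acceptable-licenses.sorted > target/license-report.txt
          if [ -s target/license-report.txt ]; then
            echo "Licenses not on the acceptable list:"
            cat target/license-report.txt
            exit 1
          fi
        working-directory: maven
      # … unchanged: upload steps (define REPORT_PATH or drop the second upload) …
```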
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 00000000..d84e24e6
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,15 @@
+name: Static code analysis (SemGrep)
+
+on: [push, pull_request]
+
+jobs:
+ semgrep:
+ name: run-semgrep
+ runs-on: ubuntu-20.04
+ container:
+ image: returntocorp/semgrep
+ steps:
+ - uses: actions/checkout@v3
+ - run: semgrep scan --error --config auto
+ env:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
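Review bot: `image: returntocorp/semgrep` carries no tag or digest, so every run pulls whatever `latest` currently points at and executes it with the checked-out source and `SEMGREP_APP_TOKEN` in its environment; pin it, e.g. `image: returntocorp/semgrep:<pinned-version>` or an `@sha256:` digest, and bump deliberately. The workflow also has no `permissions:` block, so a top-level `permissions:` with `contents: read` would limit GITHUB_TOKEN to what the scan needs. `runs-on: ubuntu-20.04` differs from the `ubuntu-latest` used by the other two workflows in this commit; unless the scanner image needs that specific runner, aligning them keeps the three files easier to maintain together.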