Dependency updates #1235
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Compliance | |
| on: | |
| # Run compliance jobs for pull requests, to make sure there are no issues before merging | |
| pull_request: | |
| # Re-run compliance jobs in main, to make sure there are no issues from the merge | |
| push: | |
| branches: | |
| - main | |
| # Use the release:publish event to generate compliance reports for releases | |
| # This lines up with the packaging workflow, so reports will be published when packages are published | |
| release: | |
| types: | |
| - published | |
| # Allow manual triggering of the compliance jobs | |
| workflow_dispatch: | |
| # Use latest supported language versions for compliance jobs | |
| env: | |
| JAVA_VERSION: "21" | |
| JAVA_DISTRIBUTION: "zulu" | |
| PYTHON_VERSION: "3.12" | |
| NODE_VERSION: "18" | |
| jobs: | |
| platform_compliance: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| steps: | |
| # fetch-depth = 0 is needed to get tags for version info | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Java | |
| uses: actions/setup-java@v3 | |
| with: | |
| distribution: ${{ env.JAVA_DISTRIBUTION }} | |
| java-version: ${{ env.JAVA_VERSION }} | |
| cache: gradle | |
| # Use a cache to save downloading the whole NVD on every build | |
| # Dependency check will automatically look for updates and download the delta | |
| - name: NVD cache | |
| uses: actions/cache@v3 | |
| with: | |
| key: compliance-cache-data | |
| path: ./build/compliance-cache | |
| - name: OWASP dependency check | |
| run: ./gradlew dependencyCheckAggregate | |
| - name: License check | |
| run: ./gradlew checkLicense | |
| # Always save the reports - they are especially needed when the checks have failed! | |
| - name: Store compliance reports | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: compliance-reports | |
| path: build/compliance/** | |
| python_runtime_compliance: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| steps: | |
| # fetch-depth = 0 is needed to get tags for version info | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: PIP Upgrade | |
| run: python -m pip install --upgrade pip | |
| # Make sure to check compliance on both core and plugin dependencies | |
| - name: Install dependencies | |
| run: | | |
| cd tracdap-runtime/python | |
| pip install -r requirements.txt | |
| pip install -r requirements_plugins.txt | |
| # CVE-2023-5752 (safety id: 62044) is a vulnerability in pip itself, fixed in the most recent version (23.3) | |
| # Although pip is updated, safety check detects the old version (perhaps because pip is part of the base package) | |
| # Anyway pip is not a dependency of the tracdap-runtime package, clients will get pip from their Python install | |
| # Once the base Python used in CI bumps up to include a later pip, the --ignore flag can be removed | |
| - name: Safety check | |
| run: | | |
| mkdir -p build/compliance/python-runtime-safety | |
| cd tracdap-runtime/python | |
| safety check --ignore 62044 --output text > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.txt | |
| safety check --ignore 62044 --output json > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.json | |
| - name: License check | |
| run: | | |
| # Source license excpetions | |
| . dev/compliance/license-config-python.sh | |
| mkdir -p build/compliance/python-runtime-licenses | |
| cd tracdap-runtime/python | |
| pip-licenses --format=json --ignore-packages $IGNORE_LICENSE > ../../build/compliance/python-runtime-licenses/python-runtime-licenses.json | |
| pip-licenses --format=html --ignore-packages $IGNORE_LICENSE > ../../build/compliance/python-runtime-licenses/python-runtime-licenses.html | |
| pip-licenses --allow-only="$ALLOWED_LICENSES" --ignore-packages $IGNORE_LICENSE | |
| # Always save the reports - they are especially needed when the checks have failed! | |
| - name: Store compliance reports | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: compliance-reports | |
| path: build/compliance/** | |
| web_api_compliance: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| steps: | |
| # fetch-depth = 0 is needed to get tags for version info | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| cache: npm | |
| cache-dependency-path: tracdap-api/packages/web/package-lock.json | |
| # Use a cache to save downloading global compliance data on every build (e.g. NVD) | |
| # Compliance tasks will automatically look for updates and download deltas | |
| - name: NVD cache | |
| uses: actions/cache@v3 | |
| with: | |
| key: compliance-cache-data | |
| path: ./build/compliance-cache | |
| - name: Install dependencies | |
| run: | | |
| cd tracdap-api/packages/web | |
| npm install | |
| - name: OWASP dependency check | |
| run: | | |
| mkdir -p build/compliance | |
| cd tracdap-api/packages/web | |
| npm run compliance-owasp | |
| - name: License check | |
| run: | | |
| cd tracdap-api/packages/web | |
| npm run compliance-licenses | |
| - name: NPM audit | |
| run: | | |
| mkdir -p build/compliance/web-api-npm-audit | |
| cd tracdap-api/packages/web | |
| npm run compliance-audit | |
| # Always save the reports - they are especially needed when the checks have failed! | |
| - name: Store compliance reports | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: compliance-reports | |
| path: build/compliance/** | |
| publish_to_github: | |
| if: ${{ github.event_name == 'release' && github.event.action == 'published' }} | |
| runs-on: ubuntu-latest | |
| needs: | |
| - platform_compliance | |
| - python_runtime_compliance | |
| - web_api_compliance | |
| steps: | |
| # fetch-depth = 0 is needed to get tags for version info | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get TRAC d.a.p. version | |
| id: tracdap-version | |
| run: | | |
| tracdap_version=`dev/version.sh` | |
| echo "tracdap_version = ${tracdap_version}" | |
| echo "tracdap_version=${tracdap_version}" >> $GITHUB_OUTPUT | |
| - name: Fetch copmliance report artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: compliance-reports | |
| path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }} | |
| - name: Build compliance reports tarball | |
| run: tar -cvzf tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}/ | |
| - name: Publish compliance reports | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ github.event.release.upload_url }} | |
| asset_path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz | |
| asset_name: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz | |
| asset_content_type: application/gzip |