
Conversation

@ptiurin
Contributor

@ptiurin ptiurin commented Dec 30, 2021

Adding security scan GH action. It's supposed to be run manually on a PR, at the same time as the integration tests. It also runs automatically on merge to master.
Using pipenv to build the project in order for Fossa to pick deep dependencies according to the docs.

@ptiurin ptiurin force-pushed the feat_security_scan branch from b132509 to 33e2596 on January 6, 2022 16:36
@ptiurin ptiurin marked this pull request as ready for review January 7, 2022 09:04
Contributor

@stepansergeevitch stepansergeevitch left a comment


Overall LGTM.
One issue is that currently SonarCloud seems to fail because of no coverage.
I assume that we would not provide coverage soon.
Is it possible to disable the coverage check so it passes?

@stepansergeevitch
Contributor

Also, it seems like FOSSA fails with an exception

@ptiurin
Contributor Author

ptiurin commented Jan 10, 2022

Is it possible to disable the coverage check so it passes?

Unfortunately no, SonarQube/SonarCloud does not let us disable the check. It's annoying, but we might need to ignore this check ourselves or revisit a way to provide coverage information.
We've seen it be wonky before, failing or not failing for no particular reason.

@ptiurin
Contributor Author

ptiurin commented Jan 10, 2022

Also, it seems like FOSSA fails with an exception

Followed up on IM: Fossa decoration is not working for some reason. I've added the next recommended thing - fossa-test that fails the PR if issues are found. This is not the build itself, it's FOSSA finding problems (which we'll address shortly).
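An added example, not the workflow file from this PR: a GitHub Actions workflow matching what the description and this comment outline (manual run against a PR branch, automatic run on merge to master, a pipenv build so FOSSA resolves transitive dependencies, and a fossa-test step that fails the check when FOSSA reports issues). The action versions, input names, secret names and the Python version are assumptions.

```yaml
# Added example, not the PR's own file: .github/workflows/security-scan.yml
name: Security scan

on:
  workflow_dispatch:        # run manually on a PR branch, alongside the integration tests
  push:
    branches: [master]      # and automatically on every merge to master

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0    # full history so SonarCloud can attribute new code

      - uses: actions/setup-python@v2
        with:
          python-version: "3.9"   # assumed; use the project's supported version

      # Build with pipenv so FOSSA can read the lock file and resolve deep
      # (transitive) dependencies, not just the top-level requirements.
      - name: Install dependencies with pipenv
        run: |
          pip install pipenv
          pipenv install --dev

      # Upload the dependency graph, then run fossa-test: with run-tests enabled
      # the step fails the workflow (and so the PR check) if FOSSA reports
      # licence or vulnerability issues. Input names assumed from the action docs.
      - name: FOSSA scan and test
        uses: fossas/fossa-action@v1
        with:
          api-key: ${{ secrets.FOSSA_API_KEY }}   # assumed secret name
          run-tests: true

      # SonarCloud quality gate (expects a sonar-project.properties in the repo).
      # Without coverage reports this gate fails, as discussed in the thread.
      - name: SonarCloud scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}    # assumed secret name
```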

@ptiurin
Contributor Author

ptiurin commented Jan 10, 2022

In fact, both issues FOSSA has found are false positives. I didn't resolve them in order to provide an indication of what will happen if such issues are found.

@sonarqubecloud

SonarCloud Quality Gate failed.

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

Coverage: 0.0%
Duplication: 0.0%

@ptiurin ptiurin merged commit 0d684cf into main Jan 10, 2022
@ptiurin ptiurin deleted the feat_security_scan branch January 10, 2022 21:40