From ccc75c0f084c0a3f4c798a734587b4fc8dffc890 Mon Sep 17 00:00:00 2001 From: Aaron Steinfeld Date: Thu, 15 Jun 2023 08:52:50 -0400 Subject: [PATCH 1/4] chore: clean up vulnerabilities, move to owasp scan --- .github/workflows/pr-build.yml | 18 ------------------ .github/workflows/pr-test.yml | 5 +++++ build.gradle.kts | 8 ++++++++ owasp-suppressions.xml | 11 +++++++++++ .../build.gradle.kts | 6 +++--- platform-metrics/build.gradle.kts | 4 ++-- platform-service-framework/build.gradle.kts | 6 +++--- 7 files changed, 32 insertions(+), 26 deletions(-) create mode 100644 owasp-suppressions.xml diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index caa6cb3..a32c9f6 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml @@ -8,7 +8,6 @@ on: - main jobs: - build: runs-on: ubuntu-20.04 steps: @@ -37,20 +36,3 @@ jobs: uses: hypertrace/github-actions/gradle@main with: args: build - - snyk-scan: - runs-on: ubuntu-20.04 - steps: - # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - - name: Check out code - uses: actions/checkout@v2.3.4 - with: - ref: ${{github.event.pull_request.head.ref}} - repository: ${{github.event.pull_request.head.repo.full_name}} - fetch-depth: 0 - - name: Setup snyk - uses: snyk/actions/setup@0.3.0 - - name: Snyk test - run: snyk test --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --configuration-matching='^runtimeClasspath$' - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index 29043d3..c7dcb28 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml @@ -58,3 +58,8 @@ jobs: with: github_token: ${{ secrets.GITHUB_TOKEN }} files: ./**/build/test-results/**/*.xml + dependency-check: + runs-on: ubuntu-22.04 + steps: + - name: Dependency Check + uses: hypertrace/github-actions/dependency-check@main 
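Review bot: The new `dependency-check` job in pr-test.yml references `hypertrace/github-actions/dependency-check@main`, a mutable branch ref, so the step that now decides whether a PR fails on vulnerability findings can change without any commit to this repository. This matches the existing `gradle@main` convention visible in the same hunk, but a scanner that gates merges is worth pinning: `uses: hypertrace/github-actions/dependency-check@<release-tag-or-commit-sha>` (placeholder), with the same treatment considered for the other `@main` references. The job also declares no `permissions:` block; whether a workflow-level default exists is outside the hunk, so if none does, `permissions: contents: read` on the job would bound the token it receives.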
diff --git a/build.gradle.kts b/build.gradle.kts index 8635869..2956167 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -7,6 +7,7 @@ plugins { id("org.hypertrace.publish-plugin") version "1.0.2" apply false id("org.hypertrace.jacoco-report-plugin") version "0.2.0" apply false id("org.hypertrace.code-style-plugin") version "1.1.2" apply false + id("org.owasp.dependencycheck") version "8.1.2" } subprojects { @@ -25,3 +26,10 @@ subprojects { } } } + +dependencyCheck { + format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL.toString() + suppressionFile = "owasp-suppressions.xml" + scanConfigurations.add("runtimeClasspath") + failBuildOnCVSS = 3.0F +} \ No newline at end of file diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml new file mode 100644 index 0000000..571f242 --- /dev/null +++ b/owasp-suppressions.xml @@ -0,0 +1,11 @@ + + + + + ^pkg:maven/org\.hypertrace\..*@.*$ + cpe:/a:grpc:grpc + cpe:/a:utils_project:utils + + \ No newline at end of file diff --git a/platform-http-service-framework/build.gradle.kts b/platform-http-service-framework/build.gradle.kts index 392be2b..9636d84 100644 --- a/platform-http-service-framework/build.gradle.kts +++ b/platform-http-service-framework/build.gradle.kts @@ -15,9 +15,9 @@ dependencies { implementation("org.slf4j:slf4j-api:1.7.36") implementation("com.google.inject.extensions:guice-servlet:5.1.0") implementation("com.google.guava:guava:31.1-jre") - implementation("org.eclipse.jetty:jetty-servlet:9.4.50.v20221201") - implementation("org.eclipse.jetty:jetty-server:9.4.50.v20221201") - implementation("org.eclipse.jetty:jetty-servlets:9.4.50.v20221201") + implementation("org.eclipse.jetty:jetty-servlet:9.4.51.v20230217") + implementation("org.eclipse.jetty:jetty-server:9.4.51.v20230217") + implementation("org.eclipse.jetty:jetty-servlets:9.4.51.v20230217") annotationProcessor("org.projectlombok:lombok:1.18.24") compileOnly("org.projectlombok:lombok:1.18.24") 
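Review bot: The `dependencyCheck { ... }` block configures the plugin only on the root project (it is applied without `apply false` and nothing under `subprojects` applies it), while `scanConfigurations.add("runtimeClasspath")` names a configuration the root project does not appear to declare, since its visible `plugins` entries are all `apply false`. Unless the CI action runs `dependencyCheckAggregate` rather than `dependencyCheckAnalyze`, the subprojects' runtime classpaths — where the jetty and guava artifacts bumped in this same patch live — would not be scanned at all. A comment naming the task the action invokes, or `allprojects { apply(plugin = "org.owasp.dependencycheck") }` alongside this block, would make the intended scope explicit; the missing trailing newline in the same hunk should also be restored.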
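Review bot: The suppressions in owasp-suppressions.xml match by whole CPE (`cpe:/a:grpc:grpc`, `cpe:/a:utils_project:utils`) and by a package-URL regex covering every `org.hypertrace` artifact, so they silence all present and future findings against those identifiers rather than the specific false positives that motivated them. The XML element names were lost in this rendering, so whether each `<suppress>` carries a `<notes>` element and an `until` attribute cannot be confirmed from the hunk; if they are absent, scoping each entry with `<cve>` or `<vulnerabilityName>` and adding `until="<YYYY-MM-DD>"` (placeholder) keeps each suppression reviewable and time-bounded. As written, the blanket `cpe:/a:grpc:grpc` entry means the `grpc-bom` upgrade later in this series, and any future gRPC advisory, will never be surfaced by this scanner.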
diff --git a/platform-metrics/build.gradle.kts b/platform-metrics/build.gradle.kts index 926e373..04b9d78 100644 --- a/platform-metrics/build.gradle.kts +++ b/platform-metrics/build.gradle.kts @@ -24,8 +24,8 @@ dependencies { implementation("io.prometheus:simpleclient_dropwizard:0.12.0") implementation("io.prometheus:simpleclient_servlet:0.12.0") implementation("io.prometheus:simpleclient_pushgateway:0.12.0") - implementation("org.eclipse.jetty:jetty-servlet:9.4.50.v20221201") - implementation("com.google.guava:guava:31.1-jre") + implementation("org.eclipse.jetty:jetty-servlet:9.4.51.v20230217") + implementation("com.google.guava:guava:32.0.1-jre") testImplementation("org.junit.jupiter:junit-jupiter:5.9.0") testImplementation("org.mockito:mockito-core:4.8.0") diff --git a/platform-service-framework/build.gradle.kts b/platform-service-framework/build.gradle.kts index 4b87ec7..187d44b 100644 --- a/platform-service-framework/build.gradle.kts +++ b/platform-service-framework/build.gradle.kts @@ -23,7 +23,7 @@ dependencies { because("version 2.12.7.1 has a vulnerability https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424") } } - implementation("org.eclipse.jetty:jetty-servlet:9.4.50.v20221201") + implementation("org.eclipse.jetty:jetty-servlet:9.4.51.v20230217") // Use for metrics servlet implementation("io.prometheus:simpleclient_servlet:0.12.0") @@ -40,6 +40,6 @@ dependencies { testImplementation("org.apache.logging.log4j:log4j-slf4j-impl:2.19.0") testImplementation("org.junit.jupiter:junit-jupiter:5.9.0") testImplementation("org.mockito:mockito-core:4.8.0") - testImplementation("org.eclipse.jetty:jetty-servlet:9.4.50.v20221201:tests") - testImplementation("org.eclipse.jetty:jetty-http:9.4.50.v20221201:tests") + testImplementation("org.eclipse.jetty:jetty-servlet:9.4.51.v20230217:tests") + testImplementation("org.eclipse.jetty:jetty-http:9.4.51.v20230217:tests") } From ba519276c602f0518819e0784893d6a1408a186d Mon Sep 17 00:00:00 2001 
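Review bot: Guava is raised to `com.google.guava:guava:32.0.1-jre` only in platform-metrics, while platform-http-service-framework still declares `com.google.guava:guava:31.1-jre` (visible as context in that module's hunk earlier in this patch), so the two modules now pin different versions of the same library and a consumer of the HTTP framework alone keeps the older one. Raise both declarations together, or move the guava version into a shared `constraints {}` block or platform so a security bump lands in one place. Whether the scanner would flag the remaining 31.1-jre depends on which configurations the root-only `dependencyCheck` block actually covers.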
From: Aaron Steinfeld Date: Thu, 15 Jun 2023 08:56:09 -0400 Subject: [PATCH 2/4] ci: update action versions --- .github/workflows/pr-build.yml | 4 ++-- .github/workflows/pr-test.yml | 8 ++++---- .github/workflows/publish.yml | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index a32c9f6..1c15846 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml @@ -13,7 +13,7 @@ jobs: steps: # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - name: Check out code - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v3 with: ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}} @@ -24,7 +24,7 @@ jobs: - name: Cache packages id: cache-packages - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/.gradle key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }} diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index c7dcb28..dc3441b 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml @@ -11,7 +11,7 @@ jobs: steps: # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - name: Check out code - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v3 with: fetch-depth: 0 @@ -20,7 +20,7 @@ jobs: - name: Cache packages id: cache-packages - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/.gradle key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }} @@ -34,7 +34,7 @@ jobs: args: jacocoTestReport - name: Upload coverage to Codecov - uses: codecov/codecov-action@v2 + uses: codecov/codecov-action@v3 with: name: unit test reports fail_ci_if_error: true 
@@ -46,7 +46,7 @@ jobs: args: copyAllReports --output-dir=/tmp/test-reports - name: Archive test reports - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v3 with: name: test-reports path: /tmp/test-reports diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 26eda18..a47174e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -12,7 +12,7 @@ jobs: steps: # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - name: Check out code - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v3 with: fetch-depth: 0 @@ -20,7 +20,7 @@ jobs: uses: hypertrace/github-actions/checksum@main - name: Cache packages - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/.gradle key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }} From ddbe2f1d88ed876cf5ffd5f2a442eb3a7ef9a192 Mon Sep 17 00:00:00 2001 From: Aaron Steinfeld Date: Thu, 15 Jun 2023 11:01:03 -0400 Subject: [PATCH 3/4] chore: more cleanup, upgrades --- .github/workflows/pr-build.yml | 21 ++++------------- .github/workflows/pr-test.yml | 23 ++++--------------- .github/workflows/publish.yml | 20 ++++------------ build.gradle.kts | 2 +- .../build.gradle.kts | 6 ++--- .../build.gradle.kts | 2 +- 6 files changed, 18 insertions(+), 56 deletions(-) diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index 1c15846..5965c8d 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml 
@@ -4,35 +4,22 @@ on: branches: - main pull_request_target: - branches: + branches: - main jobs: build: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation + # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - name: Check out code uses: actions/checkout@v3 with: ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}} fetch-depth: 0 - - - name: create checksum file - uses: hypertrace/github-actions/checksum@main - - - name: Cache packages - id: cache-packages - uses: actions/cache@v3 - with: - path: ~/.gradle - key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }} - restore-keys: | - gradle-packages-${{ runner.os }}-${{ github.job }} - gradle-packages-${{ runner.os }} - name: Build with Gradle uses: hypertrace/github-actions/gradle@main - with: + with: args: build diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index dc3441b..a2c2170 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml 
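Review bot: The `pull_request_target` trigger is kept as context at the top of this hunk together with a checkout of `${{github.event.pull_request.head.ref}}` from `${{github.event.pull_request.head.repo.full_name}}`, and the `Build with Gradle` step that follows executes the forked PR's build scripts inside a workflow that runs with the base repository's token. With the cache step removed here and the `snyk-scan` job (the only step that used a secret, `SNYK_TOKEN`) removed in the first patch of this series, nothing in pr-build.yml still needs a secret, so the job could run on `pull_request:` instead and drop the `ref:` and `repository:` overrides on the checkout step. If `pull_request_target` has to stay for another reason, adding `permissions: contents: read` to the `build` job would at least limit what the token can do while untrusted build code runs.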
@@ -7,30 +7,17 @@ on: jobs: test: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation + # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - name: Check out code uses: actions/checkout@v3 with: fetch-depth: 0 - - - name: create checksum file - uses: hypertrace/github-actions/checksum@main - - - name: Cache packages - id: cache-packages - uses: actions/cache@v3 - with: - path: ~/.gradle - key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }} - restore-keys: | - gradle-packages-${{ runner.os }}-${{ github.job }} - gradle-packages-${{ runner.os }} - name: Unit test uses: hypertrace/github-actions/gradle@main - with: + with: args: jacocoTestReport - name: Upload coverage to Codecov @@ -42,7 +29,7 @@ jobs: - name: copy test reports uses: hypertrace/github-actions/gradle@main - with: + with: args: copyAllReports --output-dir=/tmp/test-reports - name: Archive test reports @@ -51,7 +38,7 @@ jobs: name: test-reports path: /tmp/test-reports if: always() - + - name: Publish Unit Test Results uses: docker://ghcr.io/enricomi/publish-unit-test-result-action:v1.6 if: always() diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a47174e..d6a54f8 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,14 +1,14 @@ name: Publish artifacts on: -# Will only run when release is published. + # Will only run when release is published. release: - types: + types: - created workflow_dispatch: jobs: publish-artifacts: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - name: Check out code 
@@ -16,21 +16,9 @@ jobs: with: fetch-depth: 0 - - name: create checksum file - uses: hypertrace/github-actions/checksum@main - - - name: Cache packages - uses: actions/cache@v3 - with: - path: ~/.gradle - key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }} - restore-keys: | - gradle-packages-${{ runner.os }}-${{ github.job }} - gradle-packages-${{ runner.os }} - - name: publish java artifacts uses: hypertrace/github-actions/gradle@main - with: + with: args: publish env: ORG_GRADLE_PROJECT_artifactory_contextUrl: ${{ secrets.ARTIFACTORY_CONTEXT_URL }} diff --git a/build.gradle.kts b/build.gradle.kts index 2956167..d31de34 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -7,7 +7,7 @@ plugins { id("org.hypertrace.publish-plugin") version "1.0.2" apply false id("org.hypertrace.jacoco-report-plugin") version "0.2.0" apply false id("org.hypertrace.code-style-plugin") version "1.1.2" apply false - id("org.owasp.dependencycheck") version "8.1.2" + id("org.owasp.dependencycheck") version "8.2.1" } subprojects { diff --git a/platform-grpc-service-framework/build.gradle.kts b/platform-grpc-service-framework/build.gradle.kts index 051535e..cba8c68 100644 --- a/platform-grpc-service-framework/build.gradle.kts +++ b/platform-grpc-service-framework/build.gradle.kts @@ -7,10 +7,10 @@ plugins { dependencies { api(project(":platform-service-framework")) - api(platform("io.grpc:grpc-bom:1.52.1")) + api(platform("io.grpc:grpc-bom:1.56.0")) api("io.grpc:grpc-api") api("io.grpc:grpc-services") - api("org.hypertrace.core.grpcutils:grpc-client-utils:0.11.2") + api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.0") api("com.typesafe:config:1.4.2") api(project(":service-framework-spi")) 
@@ -19,5 +19,5 @@ dependencies { implementation(project(":platform-metrics")) implementation("org.slf4j:slf4j-api:1.7.36") - implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.11.2") + implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.12.0") } diff --git a/platform-http-service-framework/build.gradle.kts b/platform-http-service-framework/build.gradle.kts index 9636d84..34008c1 100644 --- a/platform-http-service-framework/build.gradle.kts +++ b/platform-http-service-framework/build.gradle.kts @@ -5,7 +5,7 @@ plugins { dependencies { api(project(":platform-service-framework")) - api("org.hypertrace.core.grpcutils:grpc-client-utils:0.11.2") + api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.0") api("com.typesafe:config:1.4.2") api("javax.servlet:javax.servlet-api:4.0.1") api("com.google.inject:guice:5.1.0") From 162c2e2feec0af7893f645735ba3eaaf12ea276d Mon Sep 17 00:00:00 2001 From: Aaron Steinfeld Date: Thu, 15 Jun 2023 11:08:34 -0400 Subject: [PATCH 4/4] ci: update owners --- .github/CODEOWNERS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index da3e929..97162ab 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,7 +1,7 @@ # Each line is a file pattern followed by one or more owners. # global -* @buchi-busireddy @tim-mwangi @surajpuvvada @avinashkolluru +* @hypertrace/platform-util-owners # GH action -.github/ @aaron-steinfeld @jbahire @kotharironak @buchi-busireddy \ No newline at end of file +.github/ @hypertrace/ci-owners \ No newline at end of file