Fortify branch: Scala 3.4.2 (was 3.3.3) #157
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: test | |
| on: | |
| push: | |
| branches: | |
| - fortify | |
| pull_request: | |
| branches: | |
| - fortify | |
| jobs: | |
| test: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| java: [11, 17, 21] | |
| scala: [2.13.x, 3.x] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: coursier/cache-action@v6 | |
| - uses: actions/setup-java@v4 | |
| with: | |
| distribution: temurin | |
| java-version: ${{matrix.java}} | |
| - uses: actions/cache@v4 | |
| env: | |
| cache-name: fortify | |
| with: | |
| path: ./Fortify | |
| key: fortify-24.2.0 | |
| # https://github.com/gruntwork-io/fetch | |
| - uses: Homebrew/actions/setup-homebrew@master | |
| - name: Install Fetch | |
| run: brew install fetch | |
| - name: Install secrets | |
| env: | |
| LIGHTBEND_LICENSE: ${{secrets.LIGHTBEND_LICENSE}} | |
| FORTIFY_LICENSE: ${{secrets.FORTIFY_LICENSE}} | |
| run: | | |
| mkdir -p ~/.lightbend | |
| echo "$LIGHTBEND_LICENSE" > ~/.lightbend/license | |
| echo "$FORTIFY_LICENSE" > fortify.license | |
| # The easiest way I could think of to make the Fortify installer available to CI | |
| # was to attach it as a release asset to a tag in a private repo. | |
| - name: Install Fortify | |
| run: | | |
| if [[ ! -d Fortify ]] ; then | |
| GITHUB_OAUTH_TOKEN=${{secrets.FORTIFY_INSTALLER_TOKEN}} fetch --repo="https://github.com/lightbend/scala-fortify" --tag="24.2.0_linux_x64" --release-asset="Fortify_SCA_24.2.0_linux_x64.run" . | |
| chmod +x Fortify_SCA_24.2.0_linux_x64.run | |
| mkdir Fortify | |
| echo installdir=`pwd`/Fortify/Fortify_SCA_24.2.0 > Fortify_SCA_24.2.0_linux_x64.run.options | |
| echo fortify_license_path=`pwd`/fortify.license >> Fortify_SCA_24.2.0_linux_x64.run.options | |
| ./Fortify_SCA_24.2.0_linux_x64.run --mode unattended | |
| # download the Scala security rules; VersionTests makes sure they're the ones we expect | |
| ./Fortify/Fortify_SCA_24.2.0/bin/fortifyupdate | |
| # otherwise we get some false positives from sample files | |
| rm -rf ./Fortify/Fortify_SCA_24.2.0/Samples | |
| fi | |
| - name: Test | |
| run: | | |
| sbt ++${{matrix.scala}} compile | |
| rm -f target/vulnerabilities-actual-${{matrix.scala}}.txt | |
| ./Fortify/Fortify_SCA_24.2.0/bin/sourceanalyzer \ | |
| -b play-webgoat \ | |
| -logfile target/scan.log \ | |
| -scan \ | |
| | tail -n +4 > target/vulnerabilities-actual-${{matrix.scala}}.txt | |
| cat target/scan.log | |
| sum vulnerabilities-${{matrix.scala}}.txt target/vulnerabilities-actual-${{matrix.scala}}.txt | |
| diff -u vulnerabilities-${{matrix.scala}}.txt target/vulnerabilities-actual-${{matrix.scala}}.txt |