Merge pull request #64 from maoo/whitesource-check

feat(build): added whitesource intergration
symphonyoss · Oct 16, 2017 · 6e1a50a · 6e1a50a
2 parents 11c3056 + 8e6ef10
commit 6e1a50a
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 172 deletions.
diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,7 @@ hubot-symphony.iml
 certs
 **/*-compiled.js
 **/*-compiled.js.map
+package-lock.json
+
+ws-log*
+ws-ls*
diff --git a/.travis.yml b/.travis.yml
@@ -18,6 +18,10 @@ script:
   # execute integration tests against foundation-dev pod
   - "if [[ $TRAVIS_PULL_REQUEST -eq 'false' ]]; then npm run-script it; fi;"
   - npm run build
+  # Cannot run on external PRs due to https://docs.travis-ci.com/user/pull-requests/#Pull-Requests-and-Security-Restrictions
+  - "if [[ $TRAVIS_PULL_REQUEST -eq 'false' ]]; then npm install ; npm run whitesource; fi;"
+  # Break the build, if any Whitesource policy violation is found
+  - "if [[ -e 'ws-log-policy-violations.json' ]]; then echo 'Found Whitesource Policy violation, build failed.' ; exit -1; fi;"
 
 after_success:
   # publish coverage results to coveralls

diff --git a/README.md b/README.md
@@ -88,6 +88,20 @@ npm run diagnostic -- --publicKey [key1.pem] --privateKey [key2.pem] --passphras
 
 If the script runs as expected it will obtain and log both session and key manager tokens, look up and log some details of the bot account and then create a datafeed and poll.  If you send a message using the Symphony client to the bot account you should see the details logged.
 
+### Whitesource reports
+
+To check security and legal compliance, the build integrates with Whitesource to submit and validate the list of third-party packages used by the build.
+
+Simply run the following commands from the root project folder.
+```
+export WHITESOURCE_API_KEY=<WhiteSource API Key>
+npm install ; npm run whitesource
+```
+
+The `<WhiteSource API Key>` can be retrieved from the [WhiteSource project dashboard](https://saas.whitesourcesoftware.com/Wss/WSS.html#!home).
+
+If any issue is found, a file called `ws-log-policy-violations.json` will be generated in root project folder; if no issue is found, metrics will be sent to the [WhiteSource project dashboard](https://saas.whitesourcesoftware.com/Wss/WSS.html#!home) (available to project committers).
+
 ### Contribute
 
 Contributions are accepted via GitHub pull requests. All contributors must be covered by contributor license agreements to comply with the [Code Contribution Process](https://symphonyoss.atlassian.net/wiki/display/FM/Code+Contribution+Process).

diff --git a/package.json b/package.json
@@ -14,7 +14,8 @@
     "test-cov": "nyc npm test",
     "it": "mocha it/*.js",
     "generate-yarn-lockfile": "npm install -g yarn && npm install --production && yarn install",
-    "semantic-release": "semantic-release pre && npm publish --access public && semantic-release post"
+    "semantic-release": "semantic-release pre && npm publish --access public && semantic-release post",
+    "whitesource": "node node_modules/whitesource/bin/whitesource.js run"
   },
   "repository": {
     "type": "git",
@@ -69,7 +70,8 @@
     "semantic-release": "8.0.3",
     "uuid": "3.1.0",
     "validate-commit-msg": "2.14.0",
-    "yargs": "9.0.1"
+    "yargs": "9.0.1",
+    "whitesource": "1.0.9"
   },
   "config": {
     "commitizen": {

diff --git a/whitesource.config.json b/whitesource.config.json
@@ -0,0 +1,6 @@
+{
+	"checkPolicies":true,
+    "productName":"Hubot Symphony",
+    "projectName":"Hubot Symphony",
+    "devDep": false
+}