From 681540c523d0a7a4050ca3776909761544467b8e Mon Sep 17 00:00:00 2001 From: veer322 <140852436+veraaccion@users.noreply.github.com> Date: Wed, 17 Jan 2024 12:03:24 +0530 Subject: [PATCH 1/6] Implemented Veracode Policy Name Validation --- .github/workflows/veracode-check-run.yml | 1 + .github/workflows/veracode-code-analysis.yml | 54 +++++++++ .../workflows/veracode-update-check-run.yml | 106 ++++++++++++++++++ generate_signature.js | 89 +++++++++++++++ 4 files changed, 250 insertions(+) create mode 100644 .github/workflows/veracode-update-check-run.yml create mode 100644 generate_signature.js diff --git a/.github/workflows/veracode-check-run.yml b/.github/workflows/veracode-check-run.yml index 7f327b473..9bfcdb033 100644 --- a/.github/workflows/veracode-check-run.yml +++ b/.github/workflows/veracode-check-run.yml @@ -57,6 +57,7 @@ jobs: "repository_name": "${{ inputs.repositroy_name }}", "check_run_id": ${{ fromJson(steps.create_check_run.outputs.data).id }} }' > workflow-metadata.json + echo "RUN_ID=${{ fromJson(steps.create_check_run.outputs.data).id }}" >> "GITHUB_OUTPUT" shell: bash - name: Save metadata uses: actions/upload-artifact@v3 diff --git a/.github/workflows/veracode-code-analysis.yml b/.github/workflows/veracode-code-analysis.yml index 8408a50b5..e427d93dc 100644 --- a/.github/workflows/veracode-code-analysis.yml +++ b/.github/workflows/veracode-code-analysis.yml 
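Review bot: `echo "RUN_ID=${{ fromJson(steps.create_check_run.outputs.data).id }}" >> "GITHUB_OUTPUT"` appends to a file literally named `GITHUB_OUTPUT` in the workspace, not to the runner's step-output file, so no step output is produced; it needs the variable, `>> "$GITHUB_OUTPUT"`. The same missing `$` is carried into the rewrite of this line in patch 4 (`echo "run_id=…" >> "GITHUB_OUTPUT"`) and into `echo "{apiResponse}={api_response}" >> GITHUB_OUTPUT` in veracode-code-analysis.yml, which lacks the `$` on every reference. The run block this line belongs to starts before the hunk.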
@@ -16,6 +16,37 @@ on: go-policy-scan] jobs: + find_veracode_policy_name: + runs-on: ubuntu-latest + outputs: + Total_Elements: ${{ steps.generate_header.outputs.Total_Elements }} + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Encode value + id: encode_step + run: | + ENCODED_NAME=$(echo -n "${{ github.event.client_payload.policy_name }}" | jq -s -R -r @uri) + echo "Encoded name: $ENCODED_NAME" + echo "ENCODED_NAME=$ENCODED_NAME" >> $GITHUB_ENV + + - name: Call generateHeader and capture result + id: generate_header + run: | + ID='${{ secrets.VERACODE_API_ID }}' + KEY='${{ secrets.VERACODE_API_KEY }}' + url='https://api.veracode.com/appsec/v1/policies?name='$ENCODED_NAME + method='GET' + host='api.veracode.com' + RESULT=$(node -e "require('./generate_signature').calculateVeracodeAuthHeader('$url', '$method', '$host', '$ID', '$KEY')") + echo "result:" $RESULT + api_response=$(curl -X GET "$url" -H "Host: $host" -H "Authorization: $RESULT") + echo "API Response: $api_response" + echo "{apiResponse}={api_response}" >> GITHUB_OUTPUT + total_elements=$(echo "$api_response" | jq -r '.page.total_elements') + echo "Total_Elements=$total_elements" >> "$GITHUB_OUTPUT" + echo "mesage:${{ github.event.client_payload.annotationObj.annotation_message }}" register: uses: ./.github/workflows/veracode-check-run.yml with: 
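Review bot: `${{ github.event.client_payload.policy_name }}` and `${{ github.event.client_payload.annotationObj.annotation_message }}` are expanded as text into the `run:` script, so a repository_dispatch payload can inject shell commands into a job that holds `VERACODE_API_ID` and `VERACODE_API_KEY`; pass them through `env:` (`POLICY_NAME: ${{ github.event.client_payload.policy_name }}`) and use `"$POLICY_NAME"` in the script. The two secrets are likewise expanded into the script text and then placed on the `node -e` command line, where any process on the runner can read them from the argument list; exporting them via `env:` and reading `process.env` inside generate_signature.js avoids both exposures. `echo "{apiResponse}={api_response}" >> GITHUB_OUTPUT` sets no output at all (missing `$` on every reference). `jq -r '.page.total_elements'` prints `null` when the response is an error document and nothing when curl fails, and the caller's `== 0` test on that value is not obviously fail-closed; `curl --fail` plus an explicit check that the value is numeric would make an auth or network failure fail the job rather than look like an existing policy.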
@@ -26,6 +57,29 @@ jobs: event_type: ${{ github.event.client_payload.event_type }} github_token: ${{ github.event.client_payload.token }} run_id: ${{ github.run_id }} + + update_check: + needs: register + if: ${{ needs.find_veracode_policy_name.outputs.Total_Elements == 0 }} + uses: ./.github/workflows/veracode-update-check-run.yml + with: + check_run_name: ${{ github.workflow }} + head_sha: ${{ github.event.client_payload.sha }} + repositroy_owner: ${{ github.event.client_payload.repository.owner }} + repositroy_name: ${{ github.event.client_payload.repository.name }} + event_type: ${{ github.event.client_payload.event_type }} + github_token: ${{ github.event.client_payload.token }} + run_id: ${{ needs.register.outputs.RUN_ID }} + show_annotation: ${{ (needs.find_veracode_policy_name.outputs.Total_Elements == 0 && github.event.client_payload.break_build_policy_findings == true) }} + message: ${{ github.event.client_payload.annotationObj.message }} + annotation_level: ${{ github.event.client_payload.annotationObj.annotation_level }} + conclusion: ${{ github.event.client_payload.annotationObj.conclusion }} + status: ${{ github.event.client_payload.annotationObj.status }} + title: ${{ github.event.client_payload.annotationObj.title }} + summary: ${{ github.event.client_payload.annotationObj.summary }} + start_line: ${{ github.event.client_payload.annotationObj.start_line }} + end_line: ${{ github.event.client_payload.annotationObj.end_line }} + path: ${{ github.event.client_payload.annotationObj.github_host }}/${{ github.event.client_payload.repository.owner }}/veracode/blob/${{ github.event.client_payload.branch }}/${{ github.event.client_payload.annotationObj.veracodeConfigFile }} build: needs: register diff --git a/.github/workflows/veracode-update-check-run.yml b/.github/workflows/veracode-update-check-run.yml new file mode 100644 index 000000000..d03b9dec4 --- /dev/null +++ b/.github/workflows/veracode-update-check-run.yml 
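Review bot: `update_check` lists only `register` in `needs:` but its `if:` and `show_annotation` read `needs.find_veracode_policy_name.outputs.Total_Elements`; the `needs` context carries outputs of direct dependencies only, and in this patch `find_veracode_policy_name` is not upstream of `register` at all, so the value is empty — and GitHub's comparison rules treat an empty value as equal to `0`, which would make the gate pass on every run. Declare the dependency explicitly, `needs: [register, find_veracode_policy_name]`. The same indirect reference is added to the `build` job's `if:` in patch 2 and carried through patch 4. `show_annotation:` repeats the job's own `if:` condition and is always true whenever the job runs, so `show_annotation: true` says the same thing.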
@@ -0,0 +1,106 @@ +name: 'Organization workflow action' +on: + workflow_call: + inputs: + run_id: + description: 'ID of workflow run (provided via GitHub syntax `github.run_id`)' + required: true + type: string + repositroy_owner: + description: 'repositroy_owner of original commit (provided by GitHub app via `github.event.client_payload.repository.owner`)' + required: true + type: string + repositroy_name: + description: 'repositroy_name of original commit (provided by GitHub app via `github.event.client_payload.repository.name`)' + required: true + type: string + check_run_name: + description: 'Name of check (Use `github.workflow` to use the name of the workflow)' + required: true + type: string + head_sha: + description: 'head_sha of original commit (provided by GitHub app via `github.event.client_payload.sha`)' + required: true + type: string + github_token: + description: 'github_token is a token (provided by GitHub app via `github.event.client_payload.token`)' + required: true + type: string + event_type: + description: 'event_type triggered by the GitHub App (provided by GitHub app via `github.event.client_payload.event_type`)' + required: true + type: string + show_annotation: + description: 'Boolean flag to indicate if the annotation has to be displayed' + required: false + type: boolean + default: false + message: + description: 'Annotation message that needs to be displayed' + required: false + type: string + conclusion: + description: 'Workflow conclusion' + required: false + type: string + status: + description: 'Workflow status' + required: false + type: string + title: + description: 'title of Annotation' + required: false + type: string + annotation_level: + description: 'Annotation level is whether warning or failure' + required: false + type: string + start_line: + description: 'Start line of the Policy' + required: false + type: string + end_line: + description: 'End line of the Policy' + required: false + type: string + summary: + description: 
'Summary of the Annotation' + required: false + type: string + path: + description: 'Path for Configuration file' + required: false + type: string + +jobs: + update_check_run: + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Octokit.js Request to update a check + uses: octokit/request-action@v2.x + id: update_check_run + env: + GITHUB_TOKEN: ${{ inputs.github_token }} + with: + route: PATCH /repos/${{ inputs.repositroy_owner }}/${{ inputs.repositroy_name }}/check-runs/${{ inputs.run_id }} + name: "Veracode Policy Name Validation" + conclusion: ${{ inputs.conclusion }} + status: ${{ inputs.status }} + output: | + title: ${{ inputs.title }} + summary: ${{ inputs.summary }} + annotations: + - path: ${{ inputs.path }} + title: ${{ inputs.title }} + annotation_level: ${{ inputs.annotation_level }} + message: ${{ inputs.message }} + start_line: ${{ inputs.start_line }} + end_line: ${{ inputs.end_line }} + + - name: Show annotations + if: ${{ inputs.show_annotation == true }} + run: | + echo "::error::${{ inputs.message }}" diff --git a/generate_signature.js b/generate_signature.js new file mode 100644 index 000000000..167cabe4b --- /dev/null +++ b/generate_signature.js 
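Review bot: `echo "::error::${{ inputs.message }}"` expands a value that originates in the dispatch payload directly into the shell script, so a crafted message can execute commands on the runner; pass it as `env: MESSAGE: ${{ inputs.message }}` and write `echo "::error::$MESSAGE"`. `github_token` is declared as an ordinary `string` input, which is not masked in logs; for a `workflow_call` workflow a token belongs under `on.workflow_call.secrets`, with the caller supplying it via `secrets:`. The `title`, `summary` and `message` inputs are also spliced into the `output: |` block of the octokit request, where a value containing newlines or YAML syntax may alter the request body — the caller should validate those fields before forwarding them. The `Checkout Repository` step is not used by either following step and can be dropped.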
@@ -0,0 +1,89 @@
+const crypto = require('crypto');
+const preFix = "VERACODE-HMAC-SHA-256";
+const verStr = "vcode_request_version_1";
+
+function hmac256(data, key, format) {
+ var hash = crypto.createHmac('sha256', key).update(data);
+ // no format = Buffer / byte array
+ return hash.digest(format);
+}
+
+function getByteArray(hex) {
+ var bytes = [];
+ for (var i = 0; i < hex.length - 1; i += 2) {
+ bytes.push(parseInt(hex.substr(i, 2), 16));
+ }
+ // signed 8-bit integer array (byte array)
+ return Int8Array.from(bytes);
+}
+
+function generateHeader(url, method, host, id, key) {
+ var data = `id=${id}&host=${host}&url=${url}&method=${method}`;
+ var timestamp = (new Date().getTime()).toString();
+ var nonce = crypto.randomBytes(16).toString("hex");
+ // calculate signature
+ var hashedNonce = hmac256(getByteArray(nonce), getByteArray(key), null);
+ var hashedTimestamp = hmac256(timestamp, hashedNonce, null);
+ var hashedVerStr = hmac256(verStr, hashedTimestamp, null);
+ var signature = hmac256(data, hashedVerStr, 'hex');
+ var output = `${preFix} id=${id},ts=${timestamp},nonce=${nonce},sig=${signature}`;
+ console.log(output);
+}
+
+/*jshint esversion: 6 */
+
+var url = require('url');
+
+const authorizationScheme = 'VERACODE-HMAC-SHA-256';
+const requestVersion = "vcode_request_version_1";
+const nonceSize = 16;
+
+function computeHashHex(message, key_hex) {
+ // return CryptoJS.HmacSHA256(message, CryptoJS.enc.Hex.parse(key_hex)).toString(CryptoJS.enc.Hex);
+ hmac1 = crypto.createHmac('sha256', Buffer.from(key_hex,'hex'));
+ hmac1.update(message);
+
+ // Return the digest in hexadecimal format
+ return hmac1.digest('hex');
+}
+
+function calculateDataSignature(apikey, nonceBytes, dateStamp, data) {
+ let kNonce = computeHashHex(nonceBytes, apikey);
+ let kDate = computeHashHex(dateStamp, kNonce);
+ let kSig = computeHashHex(requestVersion, kDate);
+ return computeHashHex(data, kSig);
+}
+
+function newNonce() {
+ // return CryptoJS.lib.WordArray.random(nonceSize).toString().toUpperCase();
+ return crypto.randomBytes(nonceSize).toString('hex').toUpperCase()
+}
+
+function toHexBinary(input) {
+ // return CryptoJS.enc.Hex.stringify(CryptoJS.enc.Utf8.parse(input));
+ return Buffer.from(input,'utf-8').toString('hex');
+}
+
+function removePrefixFromApiCredential(input) {
+ return input.split('-').at(-1);
+}
+
+function calculateVeracodeAuthHeader(requestUrl, httpMethod, host, id, key) {
+ const formattedId = removePrefixFromApiCredential(id);
+ const formattedKey = removePrefixFromApiCredential(key);
+
+ let parsedUrl = url.parse(requestUrl);
+ let data = `id=${formattedId}&host=${host}&url=${parsedUrl.path}&method=${httpMethod}`;
+ let dateStamp = Date.now().toString();
+ let nonceBytes = newNonce();
+ let dataSignature = calculateDataSignature(formattedKey, nonceBytes, dateStamp, data);
+ let authorizationParam = `id=${formattedId},ts=${dateStamp},nonce=${toHexBinary(nonceBytes)},sig=${dataSignature}`;
+ let hmac = authorizationScheme + " " + authorizationParam;
+ console.log(hmac)
+}
+
+
+module.exports = {
+ generateHeader: generateHeader,
+ calculateVeracodeAuthHeader: calculateVeracodeAuthHeader
+};
\ No newline at end of file
From a396cd201abd59c91a267aa09c5046470964595d Mon Sep 17 00:00:00 2001
From: veraaccion <140852436+veraaccion@users.noreply.github.com>
Date: Tue, 23 Jan 2024 20:42:10 +0530
Subject: [PATCH 2/6] Added Break Build for Policy validation
---
.github/workflows/veracode-check-run.yml | 5 +++++
.github/workflows/veracode-code-analysis.yml | 11 ++++++++---
.github/workflows/veracode-update-check-run.yml | 15 +++++++++++++--
3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/veracode-check-run.yml b/.github/workflows/veracode-check-run.yml
index 9bfcdb033..4b0b6de3b 100644
--- a/.github/workflows/veracode-check-run.yml
+++ b/.github/workflows/veracode-check-run.yml
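Review bot: In `computeHashHex`, `hmac1` is assigned without a declaration, which creates an implicit global (and throws under `'use strict'`); it should be `const hmac1 = crypto.createHmac('sha256', Buffer.from(key_hex, 'hex'));`. `calculateVeracodeAuthHeader` ends with `console.log(hmac)` and returns `undefined`, so the workflow has to scrape stdout and the function cannot be unit-tested; `return hmac;` and print at the `node -e` call site instead. `url.parse` is Node's legacy parser — `new URL(requestUrl)` with `pathname + search` yields the same `path` component that goes into the signed string without the legacy parser's known quirks. The credentials reach this module as command-line arguments from the workflow; reading them from `process.env` (supplied through the step's `env:`) would keep them out of the process argument list.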
@@ -1,6 +1,10 @@ name: 'Organization workflow action' on: workflow_call: + outputs: + RUN_ID: + description: "The first output string" + value: ${{ jobs.create_check_run.outputs.RUN_ID }} inputs: run_id: description: 'ID of workflow run (provided via GitHub syntax `github.run_id`)' @@ -59,6 +63,7 @@ jobs: }' > workflow-metadata.json echo "RUN_ID=${{ fromJson(steps.create_check_run.outputs.data).id }}" >> "GITHUB_OUTPUT" shell: bash + - name: Save metadata uses: actions/upload-artifact@v3 with: diff --git a/.github/workflows/veracode-code-analysis.yml b/.github/workflows/veracode-code-analysis.yml index e427d93dc..b0c0e1c6d 100644 --- a/.github/workflows/veracode-code-analysis.yml +++ b/.github/workflows/veracode-code-analysis.yml @@ -24,7 +24,7 @@ jobs: - name: Checkout Repository uses: actions/checkout@v4 - - name: Encode value + - name: Encode policy name id: encode_step run: | ENCODED_NAME=$(echo -n "${{ github.event.client_payload.policy_name }}" | jq -s -R -r @uri) @@ -46,8 +46,11 @@ jobs: echo "{apiResponse}={api_response}" >> GITHUB_OUTPUT total_elements=$(echo "$api_response" | jq -r '.page.total_elements') echo "Total_Elements=$total_elements" >> "$GITHUB_OUTPUT" - echo "mesage:${{ github.event.client_payload.annotationObj.annotation_message }}" + echo "mesage:${{ github.event.client_payload.annotationObj.message }}" + echo "break: ${{ github.event.client_payload.break_build_policy_findings }}" + register: + needs: find_veracode_policy_name uses: ./.github/workflows/veracode-check-run.yml with: check_run_name: ${{ github.workflow }} 
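Review bot: `value: ${{ jobs.create_check_run.outputs.RUN_ID }}` refers to a job output that `create_check_run` never declares — the job has no `outputs:` block, and the step-level `echo … >> "GITHUB_OUTPUT"` it would rely on writes to a workspace file rather than the step-output file — so callers receive an empty `RUN_ID` and `update_check` would PATCH `/check-runs/` with no id. A job-level `outputs: RUN_ID: ${{ fromJson(steps.create_check_run.outputs.data).id }}` under `create_check_run` is needed for the workflow output to carry a value. The description `"The first output string"` says nothing about the value; `"Id of the check run created for this commit"` would.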
@@ -70,9 +73,10 @@ jobs: event_type: ${{ github.event.client_payload.event_type }} github_token: ${{ github.event.client_payload.token }} run_id: ${{ needs.register.outputs.RUN_ID }} - show_annotation: ${{ (needs.find_veracode_policy_name.outputs.Total_Elements == 0 && github.event.client_payload.break_build_policy_findings == true) }} + show_annotation: ${{ needs.find_veracode_policy_name.outputs.Total_Elements == 0 }} message: ${{ github.event.client_payload.annotationObj.message }} annotation_level: ${{ github.event.client_payload.annotationObj.annotation_level }} + break_build_policy_findings: ${{github.event.client_payload.break_build_policy_findings }} conclusion: ${{ github.event.client_payload.annotationObj.conclusion }} status: ${{ github.event.client_payload.annotationObj.status }} title: ${{ github.event.client_payload.annotationObj.title }} @@ -83,6 +87,7 @@ jobs: build: needs: register + if: ${{ !(needs.find_veracode_policy_name.outputs.Total_Elements == 0 && github.event.client_payload.break_build_policy_findings == true) }} uses: ./.github/workflows/veracode-build-artifact-for-scanning.yml with: repository: ${{ github.event.client_payload.repository.full_name }} diff --git a/.github/workflows/veracode-update-check-run.yml b/.github/workflows/veracode-update-check-run.yml index d03b9dec4..fc4c68fe3 100644 --- a/.github/workflows/veracode-update-check-run.yml +++ b/.github/workflows/veracode-update-check-run.yml @@ -71,7 +71,10 @@ on: description: 'Path for Configuration file' required: false type: string - + break_build_policy_findings: + description: 'Breaking the build' + required: false + type: string jobs: update_check_run: runs-on: ubuntu-latest 
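Review bot: `break_build_policy_findings` is compared with the boolean `true` in the `build` job's `if:` but forwarded to `veracode-update-check-run.yml` as a `string` input that is then compared with the literal `'true'`; under GitHub's documented expression coercion a payload flag sent as the string `"true"` satisfies the second test but not the first, so the check run can report a broken build while `build` still runs. Normalise the flag once — for example an output on `find_veracode_policy_name`, `break_build: ${{ github.event.client_payload.break_build_policy_findings == true }}` — and compare every gate against that output. `build` also reads `needs.find_veracode_policy_name.outputs.Total_Elements` while listing only `register` in `needs:`, so that job is not a direct dependency and its output will be empty here.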
@@ -101,6 +104,14 @@ jobs: end_line: ${{ inputs.end_line }} - name: Show annotations - if: ${{ inputs.show_annotation == true }} + if: ${{ inputs.show_annotation == true && inputs.break_build_policy_findings == 'false' }} run: | echo "::error::${{ inputs.message }}" + + + - name: Fail the Execution + if: ${{ inputs.break_build_policy_findings == 'true' }} + uses: actions/github-script@v7.0.1 + with: + script: | + core.setFailed( "${{ inputs.message }}") \ No newline at end of file From 113dea074dedc98ab9ff2bbd4a8d8328af5f2453 Mon Sep 17 00:00:00 2001 From: veraaccion <140852436+veraaccion@users.noreply.github.com> Date: Wed, 24 Jan 2024 17:49:57 +0530 Subject: [PATCH 3/6] updated veracode-code-analysis.yml --- .github/workflows/veracode-code-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/veracode-code-analysis.yml b/.github/workflows/veracode-code-analysis.yml index b0c0e1c6d..6c15201f9 100644 --- a/.github/workflows/veracode-code-analysis.yml +++ b/.github/workflows/veracode-code-analysis.yml @@ -83,7 +83,7 @@ jobs: summary: ${{ github.event.client_payload.annotationObj.summary }} start_line: ${{ github.event.client_payload.annotationObj.start_line }} end_line: ${{ github.event.client_payload.annotationObj.end_line }} - path: ${{ github.event.client_payload.annotationObj.github_host }}/${{ github.event.client_payload.repository.owner }}/veracode/blob/${{ github.event.client_payload.branch }}/${{ github.event.client_payload.annotationObj.veracodeConfigFile }} + path: ${{ github.event.client_payload.annotationObj.github_host }}/${{ github.event.client_payload.repository.owner }}/${{ github.event.client_payload.annotationObj.workflow_reponame }}/blob/${{ github.event.client_payload.branch }}/${{ github.event.client_payload.annotationObj.veracode_config_file }} build: needs: register From 5980eaa31c3ed264db5a073b35cc49a5152d9b5b Mon Sep 17 00:00:00 2001 
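Review bot: `core.setFailed( "${{ inputs.message }}")` splices `inputs.message`, which comes from the dispatch payload, into JavaScript source run by actions/github-script, so a message containing `")` followed by code executes with that step's token; pass the value through the environment instead — `env: MESSAGE: ${{ inputs.message }}` and `script: core.setFailed(process.env.MESSAGE)`. The `Show annotations` step above has the same exposure in a shell context. When the new `break_build_policy_findings` input is not supplied, both `== 'false'` and `== 'true'` are false and neither step runs; giving the input `default: 'false'` makes that path explicit.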
From: veraaccion <140852436+veraaccion@users.noreply.github.com> Date: Wed, 31 Jan 2024 10:38:20 +0530 Subject: [PATCH 4/6] Implemented Annotation Object to display annotations --- .github/workflows/veracode-check-run.yml | 14 +++--- .github/workflows/veracode-code-analysis.yml | 44 +++++++++++++------ .../workflows/veracode-update-check-run.yml | 13 +++--- .../generate_signature.js | 33 -------------- 4 files changed, 45 insertions(+), 59 deletions(-) rename generate_signature.js => veracode-helper/generate_signature.js (63%) diff --git a/.github/workflows/veracode-check-run.yml b/.github/workflows/veracode-check-run.yml index 4b0b6de3b..52841f493 100644 --- a/.github/workflows/veracode-check-run.yml +++ b/.github/workflows/veracode-check-run.yml @@ -2,9 +2,9 @@ name: 'Organization workflow action' on: workflow_call: outputs: - RUN_ID: - description: "The first output string" - value: ${{ jobs.create_check_run.outputs.RUN_ID }} + run_id: + description: "Unique check run id" + value: ${{ jobs.create_check_run.outputs.run_id }} inputs: run_id: description: 'ID of workflow run (provided via GitHub syntax `github.run_id`)' @@ -37,6 +37,8 @@ on: jobs: create_check_run: runs-on: ubuntu-latest + outputs: + run_id: ${{ fromJson(steps.create_check_run.outputs.data).id }} steps: # Create check run - name: GitHub API Request to create a check @@ -61,11 +63,11 @@ jobs: "repository_name": "${{ inputs.repositroy_name }}", "check_run_id": ${{ fromJson(steps.create_check_run.outputs.data).id }} }' > workflow-metadata.json - echo "RUN_ID=${{ fromJson(steps.create_check_run.outputs.data).id }}" >> "GITHUB_OUTPUT" + echo "run_id=${{ fromJson(steps.create_check_run.outputs.data).id }}" >> "GITHUB_OUTPUT" shell: bash - + - name: Save metadata - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4.3.0 with: name: workflow-metadata path: workflow-metadata.json \ No newline at end of file 
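Review bot: `actions/upload-artifact@v4.3.0`, like `actions/checkout@v4`, `octokit/request-action@v2.x` and `actions/github-script@v7.0.1` elsewhere in this series, is referenced by a mutable tag; for jobs that hold Veracode credentials and a GitHub token, pin each `uses:` to a full commit SHA with the tag in a trailing comment so a moved tag cannot change what runs. The job-level `outputs: run_id:` now reads the check-run id straight from the step, which leaves `echo "run_id=…" >> "GITHUB_OUTPUT"` with no purpose — and it still lacks the `$`, so it only creates a stray `GITHUB_OUTPUT` file in the workspace; delete the line. The run block containing that echo starts before the hunk.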
diff --git a/.github/workflows/veracode-code-analysis.yml b/.github/workflows/veracode-code-analysis.yml index 6c15201f9..74b5c58ee 100644 --- a/.github/workflows/veracode-code-analysis.yml +++ b/.github/workflows/veracode-code-analysis.yml @@ -17,9 +17,10 @@ on: jobs: find_veracode_policy_name: + name: Validate Policy Name runs-on: ubuntu-latest outputs: - Total_Elements: ${{ steps.generate_header.outputs.Total_Elements }} + total_elements: ${{ steps.generate_header.outputs.total_elements }} steps: - name: Checkout Repository uses: actions/checkout@v4 
@@ -31,21 +32,35 @@ jobs: echo "Encoded name: $ENCODED_NAME" echo "ENCODED_NAME=$ENCODED_NAME" >> $GITHUB_ENV - - name: Call generateHeader and capture result + - name: Call API to validate policy name id: generate_header run: | ID='${{ secrets.VERACODE_API_ID }}' KEY='${{ secrets.VERACODE_API_KEY }}' - url='https://api.veracode.com/appsec/v1/policies?name='$ENCODED_NAME - method='GET' host='api.veracode.com' - RESULT=$(node -e "require('./generate_signature').calculateVeracodeAuthHeader('$url', '$method', '$host', '$ID', '$KEY')") + method='GET' + case $ID in + vera01ei-*) + host='api.veracode.eu' + ID="${ID/vera01ei-/}" # One-liner for cleaning up ID + ID="${ID:-''}" # Set to '' if the result is empty + KEY="${KEY/vera01es-/}" # One-liner for cleaning up KEY + KEY="${KEY:-''}" # Set to '' if the result is empty + echo 'Region: EU' + ;; + *) + echo 'Region: US' + ;; + esac + + url="https://$host/appsec/v1/policies?name=$ENCODED_NAME" + RESULT=$(node -e "require('./veracode-helper/generate_signature').calculateVeracodeAuthHeader('$url', '$method', '$host', '$ID', '$KEY')") echo "result:" $RESULT api_response=$(curl -X GET "$url" -H "Host: $host" -H "Authorization: $RESULT") echo "API Response: $api_response" echo "{apiResponse}={api_response}" >> GITHUB_OUTPUT total_elements=$(echo "$api_response" | jq -r '.page.total_elements') - echo "Total_Elements=$total_elements" >> "$GITHUB_OUTPUT" + echo "total_elements=$total_elements" >> "$GITHUB_OUTPUT" echo "mesage:${{ github.event.client_payload.annotationObj.message }}" echo "break: ${{ github.event.client_payload.break_build_policy_findings }}" 
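Review bot: `ID="${ID:-''}"` does not fall back to an empty string — inside double quotes the `''` is literal, so an empty id becomes the two-character value `''`; the same applies to `KEY="${KEY:-''}"`. Since an unset or empty variable is already empty, both lines can simply be removed (or written as `ID="${ID:-}"`). Once `${ID/vera01ei-/}` has stripped the prefix the value no longer equals the registered secret, so it is no longer masked, and `echo "result:" $RESULT` then prints it in the `id=` field of the Authorization header in the job log; either `echo "::add-mask::$ID"` after stripping or stop echoing the header. The prefix stripping also duplicates `removePrefixFromApiCredential` in generate_signature.js, which already drops everything before the last `-`, so one of the two implementations can go.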
@@ -59,21 +74,21 @@ jobs: repositroy_name: ${{ github.event.client_payload.repository.name }} event_type: ${{ github.event.client_payload.event_type }} github_token: ${{ github.event.client_payload.token }} - run_id: ${{ github.run_id }} + run_id: ${{ github.run_id }} update_check: needs: register - if: ${{ needs.find_veracode_policy_name.outputs.Total_Elements == 0 }} + if: ${{ needs.find_veracode_policy_name.outputs.total_elements == 0 }} uses: ./.github/workflows/veracode-update-check-run.yml with: check_run_name: ${{ github.workflow }} head_sha: ${{ github.event.client_payload.sha }} - repositroy_owner: ${{ github.event.client_payload.repository.owner }} - repositroy_name: ${{ github.event.client_payload.repository.name }} + repository_owner: ${{ github.event.client_payload.repository.owner }} + repository_name: ${{ github.event.client_payload.repository.name }} event_type: ${{ github.event.client_payload.event_type }} github_token: ${{ github.event.client_payload.token }} - run_id: ${{ needs.register.outputs.RUN_ID }} - show_annotation: ${{ needs.find_veracode_policy_name.outputs.Total_Elements == 0 }} + run_id: ${{ needs.register.outputs.run_id }} + show_annotation: ${{ needs.find_veracode_policy_name.outputs.total_elements == 0 }} message: ${{ github.event.client_payload.annotationObj.message }} annotation_level: ${{ github.event.client_payload.annotationObj.annotation_level }} break_build_policy_findings: ${{github.event.client_payload.break_build_policy_findings }} 
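Review bot: the inputs to `update_check` are renamed to `repository_owner`/`repository_name`, but the `register` call just above still passes `repositroy_owner`/`repositroy_name` because veracode-check-run.yml keeps the misspelt names, leaving two spellings of the same input in one file; renaming both reusable workflows in the same change would keep them consistent. `show_annotation: ${{ needs.find_veracode_policy_name.outputs.total_elements == 0 }}` repeats the job's own `if:` and is always true when the job runs, so `show_annotation: true` is equivalent and clearer.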
@@ -83,11 +98,12 @@ jobs: summary: ${{ github.event.client_payload.annotationObj.summary }} start_line: ${{ github.event.client_payload.annotationObj.start_line }} end_line: ${{ github.event.client_payload.annotationObj.end_line }} - path: ${{ github.event.client_payload.annotationObj.github_host }}/${{ github.event.client_payload.repository.owner }}/${{ github.event.client_payload.annotationObj.workflow_reponame }}/blob/${{ github.event.client_payload.branch }}/${{ github.event.client_payload.annotationObj.veracode_config_file }} + path: ${{ github.event.client_payload.annotationObj.path }} + build: needs: register - if: ${{ !(needs.find_veracode_policy_name.outputs.Total_Elements == 0 && github.event.client_payload.break_build_policy_findings == true) }} + if: ${{ !(needs.find_veracode_policy_name.outputs.total_elements == 0 && github.event.client_payload.break_build_policy_findings == true) }} uses: ./.github/workflows/veracode-build-artifact-for-scanning.yml with: repository: ${{ github.event.client_payload.repository.full_name }} diff --git a/.github/workflows/veracode-update-check-run.yml b/.github/workflows/veracode-update-check-run.yml index fc4c68fe3..77591e043 100644 --- a/.github/workflows/veracode-update-check-run.yml +++ b/.github/workflows/veracode-update-check-run.yml @@ -1,4 +1,4 @@ -name: 'Organization workflow action' +name: Veracode Check Run Updation on: workflow_call: inputs: 
@@ -6,12 +6,12 @@ on: description: 'ID of workflow run (provided via GitHub syntax `github.run_id`)' required: true type: string - repositroy_owner: - description: 'repositroy_owner of original commit (provided by GitHub app via `github.event.client_payload.repository.owner`)' + repository_owner: + description: 'repository_owner of original commit (provided by GitHub app via `github.event.client_payload.repository.owner`)' required: true type: string - repositroy_name: - description: 'repositroy_name of original commit (provided by GitHub app via `github.event.client_payload.repository.name`)' + repository_name: + description: 'repository_name of original commit (provided by GitHub app via `github.event.client_payload.repository.name`)' required: true type: string check_run_name: @@ -77,6 +77,7 @@ on: type: string jobs: update_check_run: + name: Update Check Run Job runs-on: ubuntu-latest steps: - name: Checkout Repository @@ -88,7 +89,7 @@ jobs: env: GITHUB_TOKEN: ${{ inputs.github_token }} with: - route: PATCH /repos/${{ inputs.repositroy_owner }}/${{ inputs.repositroy_name }}/check-runs/${{ inputs.run_id }} + route: PATCH /repos/${{ inputs.repository_owner }}/${{ inputs.repository_name }}/check-runs/${{ inputs.run_id }} name: "Veracode Policy Name Validation" conclusion: ${{ inputs.conclusion }} status: ${{ inputs.status }} diff --git a/generate_signature.js b/veracode-helper/generate_signature.js similarity index 63% rename from generate_signature.js rename to veracode-helper/generate_signature.js index 167cabe4b..1c8c248d7 100644 --- a/generate_signature.js +++ b/veracode-helper/generate_signature.js 
@@ -1,37 +1,4 @@
 const crypto = require('crypto');
-const preFix = "VERACODE-HMAC-SHA-256";
-const verStr = "vcode_request_version_1";
-
-function hmac256(data, key, format) {
- var hash = crypto.createHmac('sha256', key).update(data);
- // no format = Buffer / byte array
- return hash.digest(format);
-}
-
-function getByteArray(hex) {
- var bytes = [];
- for (var i = 0; i < hex.length - 1; i += 2) {
- bytes.push(parseInt(hex.substr(i, 2), 16));
- }
- // signed 8-bit integer array (byte array)
- return Int8Array.from(bytes);
-}
-
-function generateHeader(url, method, host, id, key) {
- var data = `id=${id}&host=${host}&url=${url}&method=${method}`;
- var timestamp = (new Date().getTime()).toString();
- var nonce = crypto.randomBytes(16).toString("hex");
- // calculate signature
- var hashedNonce = hmac256(getByteArray(nonce), getByteArray(key), null);
- var hashedTimestamp = hmac256(timestamp, hashedNonce, null);
- var hashedVerStr = hmac256(verStr, hashedTimestamp, null);
- var signature = hmac256(data, hashedVerStr, 'hex');
- var output = `${preFix} id=${id},ts=${timestamp},nonce=${nonce},sig=${signature}`;
- console.log(output);
-}
-
-/*jshint esversion: 6 */
-
 var url = require('url');
 const authorizationScheme = 'VERACODE-HMAC-SHA-256';
From 9341d9b30f4a8088fe623a4cd785035819f9fe81 Mon Sep 17 00:00:00 2001
From: veraaccion <140852436+veraaccion@users.noreply.github.com>
Date: Wed, 31 Jan 2024 10:41:34 +0530
Subject: [PATCH 5/6] change in generate_signature file
---
veracode-helper/generate_signature.js | 1 -
1 file changed, 1 deletion(-)
diff --git a/veracode-helper/generate_signature.js b/veracode-helper/generate_signature.js
index 1c8c248d7..de030fe8a 100644
--- a/veracode-helper/generate_signature.js
+++ b/veracode-helper/generate_signature.js
@@ -51,6 +51,5 @@ function calculateVeracodeAuthHeader(requestUrl, httpMethod, host, id, key) { module.exports = { - generateHeader: generateHeader, calculateVeracodeAuthHeader: calculateVeracodeAuthHeader }; \ No newline at end of file From d63ec00acb7ea150c4f8d5d1ec6602238e938eb2 Mon Sep 17 00:00:00 2001 From: veraaccion <140852436+veraaccion@users.noreply.github.com> Date: Wed, 31 Jan 2024 20:32:26 +0530 Subject: [PATCH 6/6] Update veracode-update-check-run.yml --- .github/workflows/veracode-update-check-run.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/veracode-update-check-run.yml b/.github/workflows/veracode-update-check-run.yml index 77591e043..050f668cb 100644 --- a/.github/workflows/veracode-update-check-run.yml +++ b/.github/workflows/veracode-update-check-run.yml @@ -83,7 +83,7 @@ jobs: - name: Checkout Repository uses: actions/checkout@v4 - - name: Octokit.js Request to update a check + - name: Update Check uses: octokit/request-action@v2.x id: update_check_run env: @@ -115,4 +115,4 @@ jobs: uses: actions/github-script@v7.0.1 with: script: | - core.setFailed( "${{ inputs.message }}") \ No newline at end of file + core.setFailed( "${{ inputs.message }}")