open-component-model
diff --git a/‎.github/workflows/mend.config‎
Lines changed: 15 additions & 9 deletions b/‎.github/workflows/mend.config‎
Lines changed: 15 additions & 9 deletions
diff --git a/‎.github/workflows/mend_scan.yaml‎
Lines changed: 156 additions & 1 deletion b/‎.github/workflows/mend_scan.yaml‎
Lines changed: 156 additions & 1 deletion
diff --git a/‎Makefile‎
Lines changed: 15 additions & 0 deletions b/‎Makefile‎
Lines changed: 15 additions & 0 deletions
@@ -2,6 +2,7 @@
 # WhiteSource Unified-Agent configuration file for GO
 # GENERAL SCAN MODE: Package Managers only
 ####################################################################
+#Configuration Reference: https://docs.mend.io/bundle/unified_agent/page/unified_agent_configuration_parameters.html#General
 
 # !!! Important for WhiteSource "DIST - *" Products:
 # Please set 
@@ -21,33 +22,37 @@ failErrorLevel=ALL
 # failBuildOnPolicyViolation:
 # If the flag is true, the Unified Agent exit code will be the result of the policy check.
 # If the flag is false, the Unified Agent exit code will be the result of the scan.
-forceUpdate.failBuildOnPolicyViolation=false
+forceUpdate.failBuildOnPolicyViolation=true
 # offline parameter is important and need to be false
 offline=false
 
 # ignoreSourceFiles parameter is important and need to be true
 # IMPORTANT: This parameter is going to be deprecated in future
 #            and will be replaced by a new parameter, fileSystemScan. 
-ignoreSourceFiles=true
+# ignoreSourceFiles=true
 # fileSystemScan parameter is important and need to be false as a 
 # replacement for ignoreSourceFiles=true and overrides the 
-# soon-to-be-deprecated ignoreSourceFiles.
-fileSystemScan=false
+# soon-to-be-deprecated ignoreSourceFiles. To scan source files, we need to enable it.
+fileSystemScan=true
 # resolveAllDependencies is important and need to be false
 resolveAllDependencies=false
 
 #wss.connectionTimeoutMinutes=60
 # URL to your WhiteSource server.
 # wss.url=https://sap.whitesourcesoftware.com/agent
+
+####################################################################
+# GO Configuration 
+####################################################################
 
 # resolveDependencies parameter is important and need to be true
 #if you are using 'modules' as a dependency manager, then the go.resolveDependencies is set to false.
 #For any other dependency manager, this value is set to true.
 
 go.resolveDependencies=true
 #defaut value for ignoreSourceFiles  is set to false
-# ignoreSourceFiles parameter is important and need to be true
-go.ignoreSourceFiles=true
+# ignoreSourceFiles parameter is important and need to be true #To scan source files, we need to disable it.
+go.ignoreSourceFiles=false
 go.collectDependenciesAtRuntime=false
 # dependencyManager: Determines the Go dependency manager to use when scanning a Go project.
 # Valid values are 'dep', 'godep', 'vndr', 'gogradle', 'glide', 'govendor', 'gopm' and 'vgo' 
@@ -61,12 +66,13 @@ go.collectDependenciesAtRuntime=false
 #Please comment these below 4 lines that has 'go.modules' prefix if you are not using the 'modules' dependency manager.
 # Default value is true. If set to true, it resolves Go Modules dependencies.
 go.modules.resolveDependencies=true
-#default value is true. If set to true, this will ignore Go source files during the scan.
-#go.modules.ignoreSourceFiles=true
+#default value is true. If set to true, this will ignore Go source files during the scan. 
+#To scan source files, we need to disable it.
+go.modules.ignoreSourceFiles=false
 #default value is true. If set to true, removes duplicate dependencies during Go Modules dependency resolution.
 #go.modules.removeDuplicateDependencies=false
 #default value is false. if set to true, scans Go Modules project test dependencies.
-#go.modules.includeTestDependencies=true
+go.modules.includeTestDependencies=true
 ######################
 
 
 
@@ -3,11 +3,29 @@ name: Mend Security Scan
 on:
   schedule:
     - cron:  '10 0 * * 0'
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:    
+      - main
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'debug'
+        type: choice
+        options:
+        - info
+        - warning
+        - debug
 
 jobs:
   mend-scan:
     runs-on: ubuntu-latest
-
+    permissions:
+      pull-requests: write
     steps:
     - name: Checkout Code  
       uses: actions/checkout@v4
@@ -23,6 +41,11 @@ jobs:
       with:
         go-version-file: '${{ github.workspace }}/go.mod'
 
+    - name: 'Setup jq'
+      uses: dcarbone/[email protected]
+      with:
+        version: '1.7'
+        
     - name: Download Mend Universal Agent
       run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar
 
@@ -34,4 +57,136 @@ jobs:
         WSS_URL: ${{ secrets.MEND_URL }}
         API_KEY: ${{ secrets.MEND_API_TOKEN }}
         CONFIG_FILE: './.github/workflows/mend.config'
+
+    - name: Generate Report
+      env:
+        USER_KEY: ${{ secrets.MEND_API_USER_KEY }}
+        PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN_GIT_CONTR }}
+        API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }}
+        EMAIL: ${{ secrets.MEND_API_EMAIL }}
+      id: report
+      run: |
+        data=$(cat <<EOF
+        {
+            "email": "${EMAIL}",
+            "orgToken": "${API_KEY}",
+            "userKey": "${USER_KEY}"
+        }
+        EOF
+        )
+        
+        login_token=$(curl -X POST 'https://api-sap.whitesourcesoftware.com/api/v2.0/login' \
+        --header 'Content-Type: application/json' --silent \
+        --data "${data}" | jq -r .retVal.jwtToken )
+        
+        security_vulnerability=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/alerts/security?search=status%3Aequals%3AACTIVE%3Bscore%3Abetween%3A6%2C10%3B" \
+        --header 'Content-Type: application/json' --silent \
+        --header "Authorization: Bearer ${login_token}")
+        
+        major_updates_pending=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/alerts/legal?search=status%3Aequals%3AACTIVE%3BavailableVersionType%3Aequals%3AMAJOR" \
+        --header 'Content-Type: application/json' --silent \
+        --header "Authorization: Bearer ${login_token}" )
+        
+        requires_review=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3ARequires%20Review" \
+        --header 'Content-Type: application/json' --silent \
+        --header "Authorization: Bearer ${login_token}")
+        
+        high_license_risk=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?pageSize=1000" \
+        --header 'Content-Type: application/json' --silent \
+        --header "Authorization: Bearer ${login_token}")
+        
+        security_vulnerability_no=$(echo "${security_vulnerability}" | jq .additionalData.totalItems )
+        major_updates_pending_no=$(echo "${major_updates_pending}" | jq -r .additionalData.totalItems )
+        requires_review_no=$(echo "${requires_review}" |jq -r .additionalData.totalItems )
+        high_license_risk_no=$(echo "${high_license_risk}" | jq -r '.retVal[].riskScore.riskScore | select( . != null ) > 52 | select(.==true)'| wc -l )
+        
+        function print {
+          printf "############################################\n$1\n############################################\nMend Scan Tool: https://sap.whitesourcesoftware.com/Wss/WSS.html#!login \n"
+        }
+        
+        function restricted_license {
+          declare -a sap_restricted_licenses=("LGPL" "GPL" "Affero%20GPL" "MPL" "CDDL" "EPL")
+          ret_val=""
+          issue_count=0
+          for key in "${!sap_restricted_licenses[@]}"; do
+            api_resp=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3A${sap_restricted_licenses[$key]}" \
+              --header 'Content-Type: application/json' --silent \
+              --header "Authorization: Bearer ${login_token}")
         
+            api_resp_no=$(echo "${api_resp}" | jq .additionalData.totalItems )
+            issue_count=$((issue_count+api_resp_no))
+        
+            if [[ $api_resp_no -gt 0 ]]
+            then
+              val=$(echo "${api_resp}" | jq -r .retVal[] )
+              ret_val="$ret_val$val"
+            fi
+          done
+          export VIOLATIONS_VERBOSE="${ret_val}"
+          export VIOLATIONS="${issue_count}"
+        }
+        
+        print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}"
+        if [[ $security_vulnerability_no -gt 0 ]]
+        then
+          echo "${security_vulnerability}" | jq -r .retVal[]
+        fi
+        
+        print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}"
+        if [[ $major_updates_pending_no -gt 0 ]]
+        then
+          echo "${major_updates_pending}" | jq -r .retVal[]
+        fi
+        
+        print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license"
+        if [[ $requires_review_no -gt 0 ]]
+        then
+          echo "${requires_review}" | jq -r .retVal[]
+        fi
+        
+        print "LICENSE RISK HIGH: ${high_license_risk_no}"
+        if [[ high_license_risk_no -gt 0 ]]
+        then
+          echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html"
+        fi
+        
+        restricted_license
+        
+        print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${VIOLATIONS}"
+        if [[ $VIOLATIONS -gt 0 ]]
+        then
+          echo "${VIOLATIONS_VERBOSE}" | jq .
+        fi
+        
+        echo "security_vulnerability_no=$security_vulnerability_no" >> $GITHUB_OUTPUT 
+        echo "major_updates_pending_no=$major_updates_pending_no" >> $GITHUB_OUTPUT
+        echo "requires_review_no=$requires_review_no" >> $GITHUB_OUTPUT
+        echo "high_license_risk_no=$high_license_risk_no" >> $GITHUB_OUTPUT
+        echo "violations=$VIOLATIONS" >> $GITHUB_OUTPUT
+        
+        if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]]
+        then
+          echo "status=x" >> $GITHUB_OUTPUT
+        else 
+          echo "status=white_check_mark" >> $GITHUB_OUTPUT
+        fi
+        
+    - name: Comment Mend Status on PR
+      uses: thollander/[email protected]
+      with:
+        message: |
+          ## Mend Scan Summary: :${{ steps.report.outputs.status }}:
+          ### Repository: ${{ github.repository }}
+          | VIOLATION DESCRIPTION                        | NUMBER OF VIOLATIONS        |
+          | -------------------------------------------- | --------------------------- |
+          | HIGH/CRITICAL SECURITY VULNERABILITIES       | ${{ steps.report.outputs.security_vulnerability_no }} |
+          | MAJOR UPDATES AVAILABLE                      | ${{ steps.report.outputs.major_updates_pending_no }}  |
+          | LICENSE REQUIRES REVIEW                      | ${{ steps.report.outputs.requires_review_no }}        |
+          | LICENSE RISK HIGH                            | ${{ steps.report.outputs.high_license_risk_no }}      |
+          | RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY  | ${{ steps.report.outputs.VIOLATIONS }}                |
+          
+          [Detailed Logs: mend-scan-> Generate Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
+          [Mend UI](https://sap.whitesourcesoftware.com/Wss/WSS.html#!login)
+        comment_tag: tag_mend_scan
+
+
@@ -126,6 +126,13 @@ deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
 
+api-docs-mpas: gen-crd-api-reference-docs  ## Generate API reference documentation
+	$(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./apis/mpas/v1alpha1 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/apis/mpas/v1alpha1/gitcontroller.md
+
+api-docs-delivery: gen-crd-api-reference-docs  ## Generate API reference documentation
+	$(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./apis/delivery/v1alpha1 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/apis/delivery/v1alpha1/gitcontroller.md
+
+
 ##@ Build Dependencies
 
 ## Location to install dependencies to
@@ -138,11 +145,13 @@ GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint
 KUSTOMIZE ?= $(LOCALBIN)/kustomize
 CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 ENVTEST ?= $(LOCALBIN)/setup-envtest
+GEN_CRD_API_REFERENCE_DOCS ?= $(LOCALBIN)/gen-crd-api-reference-docs
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v3.8.7
 CONTROLLER_TOOLS_VERSION ?= v0.9.2
 GOLANGCI_LINT_VERSION ?= v1.55.2
+GEN_API_REF_DOCS_VERSION ?= e327d0730470cbd61b06300f81c5fcf91c23c113
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize
@@ -174,3 +183,9 @@ generate-license:
 golangci-lint: $(GOLANGCI_LINT)
 $(GOLANGCI_LINT): $(LOCALBIN)
 	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s $(GOLANGCI_LINT_VERSION)
+
+# Find or download gen-crd-api-reference-docs
+.PHONY: gen-crd-api-reference-docs
+gen-crd-api-reference-docs: $(GEN_CRD_API_REFERENCE_DOCS)
+$(GEN_CRD_API_REFERENCE_DOCS): $(LOCALBIN)
+	GOBIN=$(LOCALBIN) go install github.com/ahmetb/gen-crd-api-reference-docs@$(GEN_API_REF_DOCS_VERSION)