From d9215389b996b668772bdc8e38d5e9a35c8e43da Mon Sep 17 00:00:00 2001 From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Thu, 16 Nov 2023 18:03:36 +0100 Subject: [PATCH 1/7] Update mend.config --- .github/workflows/mend.config | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/.github/workflows/mend.config b/.github/workflows/mend.config index b674c97..45f9f9e 100644 --- a/.github/workflows/mend.config +++ b/.github/workflows/mend.config @@ -2,6 +2,7 @@ # WhiteSource Unified-Agent configuration file for GO # GENERAL SCAN MODE: Package Managers only #################################################################### +#Configuration Reference: https://docs.mend.io/bundle/unified_agent/page/unified_agent_configuration_parameters.html#General # !!! Important for WhiteSource "DIST - *" Products: # Please set 
@@ -21,24 +22,28 @@ failErrorLevel=ALL # failBuildOnPolicyViolation: # If the flag is true, the Unified Agent exit code will be the result of the policy check. # If the flag is false, the Unified Agent exit code will be the result of the scan. -forceUpdate.failBuildOnPolicyViolation=false +forceUpdate.failBuildOnPolicyViolation=true # offline parameter is important and need to be false offline=false # ignoreSourceFiles parameter is important and need to be true # IMPORTANT: This parameter is going to be deprecated in future # and will be replaced by a new parameter, fileSystemScan. -ignoreSourceFiles=true +# ignoreSourceFiles=true # fileSystemScan parameter is important and need to be false as a # replacement for ignoreSourceFiles=true and overrides the -# soon-to-be-deprecated ignoreSourceFiles. -fileSystemScan=false +# soon-to-be-deprecated ignoreSourceFiles. To scan source files, we need to enable it. +fileSystemScan=true # resolveAllDependencies is important and need to be false resolveAllDependencies=false #wss.connectionTimeoutMinutes=60 # URL to your WhiteSource server. # wss.url=https://sap.whitesourcesoftware.com/agent + +#################################################################### +# GO Configuration +#################################################################### # resolveDependencies parameter is important and need to be true #if you are using 'modules' as a dependency manager, then the go.resolveDependencies is set to false. 
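Review bot: The comments above the three changed settings now contradict the values beneath them: `# ignoreSourceFiles parameter is important and need to be true` sits over the now-commented `# ignoreSourceFiles=true`, and `# fileSystemScan parameter is important and need to be false` sits over `fileSystemScan=true`. The same stale wording is left in the two hunks below for `go.ignoreSourceFiles=false` and `go.modules.ignoreSourceFiles=false`. Rewrite each to state the intent, e.g. `# fileSystemScan=true: source files are scanned as well as package-manager dependencies; this supersedes the deprecated ignoreSourceFiles.`. Note also that `forceUpdate.failBuildOnPolicyViolation=true` makes the agent's exit code follow the policy check, so the workflow step that runs the agent will now fail on any violation; if the report steps are meant to run regardless they need `if: always()`, which cannot be checked from this file.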
@@ -46,8 +51,8 @@ resolveAllDependencies=false go.resolveDependencies=true #defaut value for ignoreSourceFiles is set to false -# ignoreSourceFiles parameter is important and need to be true -go.ignoreSourceFiles=true +# ignoreSourceFiles parameter is important and need to be true #To scan source files, we need to disable it. +go.ignoreSourceFiles=false go.collectDependenciesAtRuntime=false # dependencyManager: Determines the Go dependency manager to use when scanning a Go project. # Valid values are 'dep', 'godep', 'vndr', 'gogradle', 'glide', 'govendor', 'gopm' and 'vgo' @@ -61,12 +66,13 @@ go.collectDependenciesAtRuntime=false #Please comment these below 4 lines that has 'go.modules' prefix if you are not using the 'modules' dependency manager. # Default value is true. If set to true, it resolves Go Modules dependencies. go.modules.resolveDependencies=true -#default value is true. If set to true, this will ignore Go source files during the scan. -#go.modules.ignoreSourceFiles=true +#default value is true. If set to true, this will ignore Go source files during the scan. +#To scan source files, we need to disable it. +go.modules.ignoreSourceFiles=false #default value is true. If set to true, removes duplicate dependencies during Go Modules dependency resolution. #go.modules.removeDuplicateDependencies=false #default value is false. if set to true, scans Go Modules project test dependencies. -#go.modules.includeTestDependencies=true +go.modules.includeTestDependencies=true ###################### From 5b3e8ab4d6c982edfa02291aa16b85066f002766 Mon Sep 17 00:00:00 2001 From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Thu, 16 Nov 2023 18:07:04 +0100 Subject: [PATCH 2/7] Update mend_scan.yaml --- .github/workflows/mend_scan.yaml | 88 ++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index 8ca2721..875a7e1 100644 
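Review bot: `go.modules.includeTestDependencies=true` is switched on without a comment saying why; the line above it still reads as the generic default description (`#default value is false. if set to true, scans Go Modules project test dependencies.`). Together with `forceUpdate.failBuildOnPolicyViolation=true` from the previous hunk, a policy hit in a test-only module now fails the build too, which is probably intended but should be stated, e.g. `# Test-only modules are scanned on purpose: a vulnerable test dependency must also block the build.`.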
--- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml @@ -3,6 +3,20 @@ name: Mend Security Scan on: schedule: - cron: '10 0 * * 0' + push: + branches: + - feature/test-mend + workflow_dispatch: + inputs: + logLevel: + description: 'Log level' + required: true + default: 'debug' + type: choice + options: + - info + - warning + - debug jobs: mend-scan: @@ -23,6 +37,11 @@ jobs: with: go-version-file: '${{ github.workspace }}/go.mod' + - name: 'Setup jq' + uses: dcarbone/install-jq-action@v2.1.0 + with: + version: '1.7' + - name: Download Mend Universal Agent run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar 
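Review bot: The new `workflow_dispatch` input `logLevel` is declared `required: true` with a `debug` default, but no step in this patch reads `inputs.logLevel` (or `github.event.inputs.logLevel`), so the choice has no effect; as far as the visible hunks show it should either be passed on to the agent as its log-level setting or dropped. The `push` trigger on `feature/test-mend` looks like a test-time trigger; it is flipped back and forth in later patches of this series, so the final workflow should not carry it.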
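Review bot: `dcarbone/install-jq-action@v2.1.0` is a third-party action pinned only to a mutable tag, and it runs before the steps that receive `MEND_URL` and `MEND_API_TOKEN`; pin it to the full commit SHA (`uses: dcarbone/install-jq-action@<commit-sha> # v2.1.0`) or drop the step, since GitHub-hosted `ubuntu-latest` runners already ship jq. The context line below fetches `wss-unified-agent.jar` with plain `curl` and no checksum or signature check; that predates this patch, but it is the larger supply-chain gap in the job.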
@@ -34,4 +53,73 @@ jobs: WSS_URL: ${{ secrets.MEND_URL }} API_KEY: ${{ secrets.MEND_API_TOKEN }} CONFIG_FILE: './.github/workflows/mend.config' + + - name: Generate Report + env: + USER_KEY: ${{ secrets.MEND_API_USER_KEY }} + PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN_GIT_CONTR }} + API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }} + EMAIL: ${{ secrets.MEND_API_EMAIL }} + run: | + data=$(cat <52 | select(.==true)'| wc -l ) + + function print { + printf "############################################\n$1\n############################################\n" + } + + print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}" + if [[ $security_vulnerability_no -gt 0 ]] + then + echo "${security_vulnerability}" | jq -r .retVal[] + fi + + print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}" + if [[ $major_updates_pending_no -gt 0 ]] + then + echo "${major_updates_pending}" | jq -r .retVal[] + fi + + print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license" + if [[ $requires_review_no -gt 0 ]] + then + echo "${requires_review}" | jq -r .retVal[] + fi + + print "LICENSE RISK HIGH: ${high_license_risk_no}" + if [[ high_license_risk_no -gt 0 ]] + then + echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html" + fi + + if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] + then + exit 1 + fi From 0d8c1d5f56bee759224cd9dfd22447d64ac3d7c2 Mon Sep 17 00:00:00 2001 From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Thu, 16 Nov 2023 18:28:18 +0100 Subject: [PATCH 3/7] Update mend_scan.yaml --- .github/workflows/mend_scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
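Review bot: The tests `if [[ high_license_risk_no -gt 0 ]]` and the final `[[ high_license_risk_no -gt 0 ]]` omit the `$`; bash's `-gt` inside `[[ ]]` still dereferences the bare name arithmetically, so they work by accident and are inconsistent with the other four counters — write `$high_license_risk_no`. `print "LICENSE REQUIRES REVIEW: …" "Visit the Mend UI and add correct license"` passes a second argument that `print` never uses, and `print` splices `$1` into the `printf` format string, so a `%` in the message would be parsed as a directive; use `printf '%s\n%s\n%s\n' "$hr" "$1" "$hr"` with `hr` holding the rule. The heredoc that builds `data` and the API calls that fill `security_vulnerability` and the other counters are not readable in this view of the hunk, so the handling of a failed login or an empty `retVal` cannot be judged here.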
diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index 875a7e1..895be68 100644 --- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml @@ -5,7 +5,7 @@ on: - cron: '10 0 * * 0' push: branches: - - feature/test-mend + - main workflow_dispatch: inputs: logLevel: From b823fa9c94053a1f65f2a5d3edee002eb76b17f9 Mon Sep 17 00:00:00 2001 From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Fri, 17 Nov 2023 17:08:36 +0100 Subject: [PATCH 4/7] Update mend_scan.yaml --- .github/workflows/mend_scan.yaml | 67 ++++++++++++++++++++++++-------- 1 file changed, 50 insertions(+), 17 deletions(-) diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index 895be68..35e3576 100644 --- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml @@ -5,7 +5,7 @@ on: - cron: '10 0 * * 0' push: branches: - - main + - feature/test-mend workflow_dispatch: inputs: logLevel: 
@@ -63,8 +63,8 @@ jobs: run: | data=$(cat <52 | select(.==true)'| wc -l ) - + requires_review_no=$(echo "${requires_review}" |jq -r .additionalData.totalItems ) + high_license_risk_no=$(echo "${high_license_risk}" | jq -r '.retVal[].riskScore.riskScore | select( . != null ) > 52 | select(.==true)'| wc -l ) + function print { printf "############################################\n$1\n############################################\n" } - + + function restricted_license { + declare -a sap_restricted_licenses=("LGPL" "GPL" "Affero%20GPL" "MPL" "CDDL" "EPL") + ret_val="" + issue_count=0 + for key in "${!sap_restricted_licenses[@]}"; do + api_resp=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3A${sap_restricted_licenses[$key]}" \ + --header 'Content-Type: application/json' --silent \ + --header "Authorization: Bearer ${login_token}") + + api_resp_no=$(echo "${api_resp}" | jq .additionalData.totalItems ) + issue_count=$((issue_count+api_resp_no)) + + if [[ $api_resp_no -gt 0 ]] + then + val=$(echo "${api_resp}" | jq -r .retVal[] ) + ret_val="$ret_val$val" + fi + done + print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${issue_count}" + if [[ issue_count -gt 0 ]] + then + echo "${ret_val}" | jq . 
+ fi + + return $issue_count + } + print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}" if [[ $security_vulnerability_no -gt 0 ]] then echo "${security_vulnerability}" | jq -r .retVal[] fi - + print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}" if [[ $major_updates_pending_no -gt 0 ]] then echo "${major_updates_pending}" | jq -r .retVal[] fi - + print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license" if [[ $requires_review_no -gt 0 ]] then echo "${requires_review}" | jq -r .retVal[] fi - + print "LICENSE RISK HIGH: ${high_license_risk_no}" if [[ high_license_risk_no -gt 0 ]] then echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html" fi - - if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] + + restricted_license + + if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]] then exit 1 fi - From b3492acd7f8bb4b1cec2814b7fd43799c1ea09b2 Mon Sep 17 00:00:00 2001 From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Fri, 17 Nov 2023 17:13:47 +0100 Subject: [PATCH 5/7] Update mend_scan.yaml --- .github/workflows/mend_scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index 35e3576..a926fc0 100644 --- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml @@ -5,7 +5,7 @@ on: - cron: '10 0 * * 0' push: branches: - - feature/test-mend + - main workflow_dispatch: inputs: logLevel: From d1095e52943167434132cc8fdde0b3865421f372 Mon Sep 17 00:00:00 2001 
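Review bot: The new exit condition `|| [[ violations -gt 0 ]]` tests a variable that is never assigned; `restricted_license` hands its result back with `return $issue_count`, which the caller discards, so restricted-license findings never fail the build (and `return` would truncate any count above 255). Assign instead of returning, e.g. end the function with `violations=$issue_count`, drop the `return`, and add the missing `$` in `if [[ issue_count -gt 0 ]]`. The per-license `curl` calls run with `--silent` but without `--fail`, so an HTTP error body makes `jq .additionalData.totalItems` yield `null`, which bash arithmetic silently treats as 0 — a rejected or expired `login_token` therefore reports zero violations; add `--fail` and abort the step when a request fails. `login_token` is read here but assigned outside the hunk, so its origin cannot be checked from this view.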
From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Thu, 23 Nov 2023 09:56:39 +0100 Subject: [PATCH 6/7] Update mend_scan.yaml --- .github/workflows/mend_scan.yaml | 53 ++++++++++++++++++++++++++------ 1 file changed, 43 insertions(+), 10 deletions(-) diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index a926fc0..d2da779 100644 --- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml @@ -6,6 +6,9 @@ on: push: branches: - main + pull_request: + branches: + - main workflow_dispatch: inputs: logLevel: @@ -21,7 +24,8 @@ on: jobs: mend-scan: runs-on: ubuntu-latest - + permissions: + pull-requests: write steps: - name: Checkout Code uses: actions/checkout@v4 @@ -60,6 +64,7 @@ jobs: PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN_GIT_CONTR }} API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }} EMAIL: ${{ secrets.MEND_API_EMAIL }} + id: report run: | data=$(cat < 52 | select(.==true)'| wc -l ) function print { - printf "############################################\n$1\n############################################\n" + printf "############################################\n$1\n############################################\nMend Scan Tool: https://sap.whitesourcesoftware.com/Wss/WSS.html#!login \n" } function restricted_license { @@ -117,13 +122,8 @@ jobs: ret_val="$ret_val$val" fi done - print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${issue_count}" - if [[ issue_count -gt 0 ]] - then - echo "${ret_val}" | jq . - fi - - return $issue_count + export VIOLATIONS_VERBOSE="${ret_val}" + export VIOLATIONS="${issue_count}" } print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}" 
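Review bot: With `pull_request` added next to `push` on `main`, the job also runs for pull requests from forks, where `secrets.*` are empty and `GITHUB_TOKEN` is read-only; the agent step would then run without `API_KEY`, and the `Comment Mend Status on PR` step added later in this patch would lack `pull-requests: write`. Conversely, on the `push` and `schedule` events there is no pull request to comment on, so that step needs a guard such as `if: github.event_name == 'pull_request'`. Whether fork PRs are expected is not visible here; if they are not, guarding the job with `if: github.event.pull_request.head.repo.full_name == github.repository` is the safer option, rather than switching to `pull_request_target`.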
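Review bot: Declaring `permissions:` with only `pull-requests: write` resets every other scope of `GITHUB_TOKEN` to none, including `contents`; `actions/checkout@v4` in the steps below then has no read access, which breaks on a private repository (a public one still clones anonymously). Add `contents: read` alongside it so the job's token is least-privilege but sufficient.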
@@ -152,7 +152,40 @@ jobs: restricted_license + print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${VIOLATIONS}" + if [[ $VIOLATIONS -gt 0 ]] + then + echo "${VIOLATIONS_VERBOSE}" | jq . + fi + + echo "security_vulnerability_no=$security_vulnerability_no" >> $GITHUB_OUTPUT + echo "major_updates_pending_no=$major_updates_pending_no" >> $GITHUB_OUTPUT + echo "requires_review_no=$requires_review_no" >> $GITHUB_OUTPUT + echo "high_license_risk_no=$high_license_risk_no" >> $GITHUB_OUTPUT + echo "violations=$VIOLATIONS" >> $GITHUB_OUTPUT + if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]] then - exit 1 + echo "status=x" >> $GITHUB_OUTPUT + else + echo "status=white_check_mark" >> $GITHUB_OUTPUT fi + + - name: Comment Mend Status on PR + uses: thollander/actions-comment-pull-request@v2.4.3 + with: + message: | + # Mend Scan Summary: :${{ steps.report.outputs.status }}: + | VIOLATION DESCRIPTION | NUMBER OF VIOLATIONS | + | -------------------------------------------- | --------------------------- | + | HIGH/CRITICAL SECURITY VULNERABILITIES | ${{ steps.report.outputs.security_vulnerability_no }} | + | MAJOR UPDATES AVAILABLE | ${{ steps.report.outputs.major_updates_pending_no }} | + | LICENSE REQUIRES REVIEW | ${{ steps.report.outputs.requires_review_no }} | + | LICENSE RISK HIGH | ${{ steps.report.outputs.high_license_risk_no }} | + | RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY | ${{ steps.report.outputs.VIOLATIONS }} | + + [Detailed Logs: mend-scan-> Generate Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) + [Mend UI](https://sap.whitesourcesoftware.com/Wss/WSS.html#!login) + comment_tag: tag_mend_scan + + From 397d73f5a5d0023e43ad32da0e85895fe7dc56e8 Mon Sep 17 00:00:00 2001 
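Review bot: The status line `if [[ … ]] || [[ violations -gt 0 ]]` still tests lowercase `violations`, while `restricted_license` now sets `VIOLATIONS`, so restricted-license findings never switch `status` to `x`; likewise the output is written as `violations=$VIOLATIONS` but read in the comment step as `steps.report.outputs.VIOLATIONS`, and the case should be unified unless output names are resolved case-insensitively. Replacing `exit 1` with a status output means the job now succeeds on every finding; a PR comment does not block a merge, so either exit non-zero after the outputs are written or make this job a required check. `$GITHUB_OUTPUT` should be quoted, `thollander/actions-comment-pull-request@v2.4.3` should be pinned to a commit SHA for the same reason as the jq action, and `RESTRICTIED` is misspelled in both the `print` call and the table row.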
From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Thu, 23 Nov 2023 10:22:47 +0100 Subject: [PATCH 7/7] Add Repo name --- .github/workflows/mend_scan.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index d2da779..687c337 100644 --- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml @@ -175,7 +175,8 @@ jobs: uses: thollander/actions-comment-pull-request@v2.4.3 with: message: | - # Mend Scan Summary: :${{ steps.report.outputs.status }}: + ## Mend Scan Summary: :${{ steps.report.outputs.status }}: + ### Repository: ${{ github.repository }} | VIOLATION DESCRIPTION | NUMBER OF VIOLATIONS | | -------------------------------------------- | --------------------------- | | HIGH/CRITICAL SECURITY VULNERABILITIES | ${{ steps.report.outputs.security_vulnerability_no }} |