From 5be6314f8fba0cc9459b6715b8772cedfe6af4a9 Mon Sep 17 00:00:00 2001
From: AydarN <9845662+AydarN@users.noreply.github.com>
Date: Thu, 29 Jun 2023 00:55:49 +0300
Subject: [PATCH 1/6] test-conf-added
---
 .github/workflows/maven-library-build.yml | 24 ++++++++++++++++++++++-
 .github/workflows/maven-service-build.yml | 15 ++++++++++++++
 .github/workflows/maven-swag-build.yml | 19 ++++++++++++++++--
 .github/workflows/maven-thrift-build.yml | 23 +++++++++++++++++++++-
 4 files changed, 77 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/maven-library-build.yml b/.github/workflows/maven-library-build.yml
index bbe8afaf..af1259c6 100644
--- a/.github/workflows/maven-library-build.yml
+++ b/.github/workflows/maven-library-build.yml
@@ -43,7 +43,13 @@ jobs:
 mvn \
 --no-transfer-progress \
 --batch-mode ${{ inputs.mvn-options }} \
- clean compile ${{ inputs.mvn-args }}
+ clean compile site ${{ inputs.mvn-args }}
+
+ - name: Upload SBOM
+ uses: actions/upload-artifact@v3
+ with:
+ name: bom.json
+ path: 'target/bom.json'
 test-coverage:
 runs-on: ubuntu-20.04
@@ -67,3 +73,19 @@ jobs:
 - name: Upload code coverage
 uses: codecov/codecov-action@v3
+
+ scan:
+ name: Scan with Trivy
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Install Trivy CLI
+ run: |
+ wget https://github.com/aquasecurity/trivy/releases/download/v0.39.1/trivy_0.39.1_Linux-64bit.deb
+ sudo dpkg -i trivy_0.39.1_Linux-64bit.deb
+ - uses: actions/download-artifact@v3
+ with:
+ name: bom.json
+ - name: Run Trivy with SBOM
+ run: trivy sbom --exit-code 1 --severity CRITICAL,HIGH ./bom.json
diff --git a/.github/workflows/maven-service-build.yml b/.github/workflows/maven-service-build.yml
index 164481dc..f9be413c 100644
--- a/.github/workflows/maven-service-build.yml
+++ b/.github/workflows/maven-service-build.yml
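Review bot: The `Install Trivy CLI` step in the new `scan` job fetches the Trivy .deb with `wget` and installs it with `sudo dpkg -i` without any integrity check, so the job runs whatever is served at that URL as root on the runner. Verify the download against the sha256 the release publishes before installing, e.g. `echo "<SHA256_FROM_TRIVY_RELEASE>  trivy_0.39.1_Linux-64bit.deb" | sha256sum -c -` between the `wget` and the `dpkg -i` line, or replace the hand-rolled install with `aquasecurity/trivy-action` pinned to a full commit SHA. The `actions/checkout@v3` step in `scan` can be dropped as well: the job only scans the downloaded artifact, so it has no reason to place the repository (and the checkout's default persisted credentials) next to a third-party installer. The same install block is repeated in the service, swag and thrift hunks of this patch.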
@@ -54,3 +54,18 @@ jobs:
 - name: Upload code coverage
 uses: codecov/codecov-action@v3
+ scan:
+ name: Scan with Trivy
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Install Trivy CLI
+ run: |
+ wget https://github.com/aquasecurity/trivy/releases/download/v0.39.1/trivy_0.39.1_Linux-64bit.deb
+ sudo dpkg -i trivy_0.39.1_Linux-64bit.deb
+ - uses: actions/download-artifact@v3
+ with:
+ name: bom.json
+ - name: Run Trivy with SBOM
+ run: trivy sbom --exit-code 1 --severity CRITICAL,HIGH ./bom.json
diff --git a/.github/workflows/maven-swag-build.yml b/.github/workflows/maven-swag-build.yml
index 1d7735f2..5ec245a2 100644
--- a/.github/workflows/maven-swag-build.yml
+++ b/.github/workflows/maven-swag-build.yml
@@ -48,8 +48,23 @@ jobs:
 run: npm run validate
 - name: Build server jar
- run: mvn --batch-mode clean package -f pom.xml -P="server"
+ run: mvn --batch-mode clean package site -f pom.xml -P="server"
 - name: Build client jar
- run: mvn --batch-mode clean package -f pom.xml -P="client"
+ run: mvn --batch-mode clean package site -f pom.xml -P="client"
+ scan:
+ name: Scan with Trivy
+ needs: bundle
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Install Trivy CLI
+ run: |
+ wget https://github.com/aquasecurity/trivy/releases/download/v0.39.1/trivy_0.39.1_Linux-64bit.deb
+ sudo dpkg -i trivy_0.39.1_Linux-64bit.deb
+ - uses: actions/download-artifact@v3
+ with:
+ name: bom.json
+ - name: Run Trivy with SBOM
+ run: trivy sbom --exit-code 1 --severity CRITICAL,HIGH ./bom.json
diff --git a/.github/workflows/maven-thrift-build.yml b/.github/workflows/maven-thrift-build.yml
index e94b6341..75907dc6 100644
--- a/.github/workflows/maven-thrift-build.yml
+++ b/.github/workflows/maven-thrift-build.yml
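Review bot: The `actions/download-artifact@v3` step in the new `scan` job expects an artifact named `bom.json`, but nothing in maven-service-build.yml uploads one: the diffstat credits this file with exactly the 15 added scan lines, and the swag hunk in the same patch likewise only adds `site` to the two mvn commands without an `Upload SBOM` step, whereas the library and thrift hunks do add one. As committed, `scan` fails at the download step in both workflows unless the `build` / `bundle` jobs (outside these hunks) already publish that artifact; a later patch in this series switches the build step to `valitydev/action-jdk-build@trivy`, which presumably takes over the upload, but that dependency should be stated or the upload step added here.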
@@ -36,5 +36,26 @@ jobs:
 echo "::set-output name=SHA_7::${GITHUB_SHA::7}"
 id: commit_info
 - name: Build package
- run: mvn --batch-mode -Dcommit.number=${{ steps.commit_info.outputs.COMMIT_NUMBER }} -Drevision="1.${{ steps.commit_info.outputs.COMMIT_NUMBER }}-${{ steps.commit_info.outputs.SHA_7 }}" clean compile -f pom.xml
+ run: mvn --batch-mode -Dcommit.number=${{ steps.commit_info.outputs.COMMIT_NUMBER }} -Drevision="1.${{ steps.commit_info.outputs.COMMIT_NUMBER }}-${{ steps.commit_info.outputs.SHA_7 }}" clean compile site -f pom.xml
+ - name: Upload SBOM
+ uses: actions/upload-artifact@v3
+ with:
+ name: bom.json
+ path: 'target/bom.json'
+
+ scan:
+ name: Scan with Trivy
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Install Trivy CLI
+ run: |
+ wget https://github.com/aquasecurity/trivy/releases/download/v0.39.1/trivy_0.39.1_Linux-64bit.deb
+ sudo dpkg -i trivy_0.39.1_Linux-64bit.deb
+ - uses: actions/download-artifact@v3
+ with:
+ name: bom.json
+ - name: Run Trivy with SBOM
+ run: trivy sbom --exit-code 1 --severity CRITICAL,HIGH ./bom.json
From ed6deb805b78cc73e0246f793adf6d8e60980620 Mon Sep 17 00:00:00 2001
From: AydarN <9845662+AydarN@users.noreply.github.com>
Date: Fri, 30 Jun 2023 05:37:22 +0300
Subject: [PATCH 2/6] actionjdk-version-trivy
---
 .github/workflows/maven-service-build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/maven-service-build.yml b/.github/workflows/maven-service-build.yml
index f9be413c..b45f2707 100644
--- a/.github/workflows/maven-service-build.yml
+++ b/.github/workflows/maven-service-build.yml
@@ -31,7 +31,7 @@ jobs:
 uses: actions/checkout@v3
 - name: Run Build Java
- uses: valitydev/action-jdk-build@v0.0.14
+ uses: valitydev/action-jdk-build@trivy
 with:
 jdk-version: ${{ inputs.java-version }}
 jdk-distribution: ${{ inputs.java-distribution }}
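Review bot: `uses: valitydev/action-jdk-build@trivy` references a branch instead of the release tag it replaces (`@v0.0.14`), so the code that performs the build — running with whatever token and secrets this job has — can change or disappear without any edit to this workflow, and nothing records which revision was actually tested. Pin the commit you validated, `uses: valitydev/action-jdk-build@<full-commit-sha> # trivy`, and return to a tagged release once the branch is merged. The same change appears in the next hunk of this patch.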
@@ -45,7 +45,7 @@ jobs:
 uses: actions/checkout@v3
 - name: Run Build Java
- uses: valitydev/action-jdk-build@v0.0.14
+ uses: valitydev/action-jdk-build@trivy
 with:
 jdk-version: ${{ inputs.java-version }}
 jdk-distribution: ${{ inputs.java-distribution }}
From 28aa246a03d425434a85660fce97ada3fd685bf9 Mon Sep 17 00:00:00 2001
From: AydarN <9845662+AydarN@users.noreply.github.com>
Date: Fri, 30 Jun 2023 06:05:33 +0300
Subject: [PATCH 3/6] Update maven-library-build.yml
---
 .github/workflows/maven-library-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/maven-library-build.yml b/.github/workflows/maven-library-build.yml
index af1259c6..eb57a984 100644
--- a/.github/workflows/maven-library-build.yml
+++ b/.github/workflows/maven-library-build.yml
@@ -43,7 +43,7 @@ jobs:
 mvn \
 --no-transfer-progress \
 --batch-mode ${{ inputs.mvn-options }} \
- clean compile site ${{ inputs.mvn-args }}
+ clean compile site
 - name: Upload SBOM
 uses: actions/upload-artifact@v3
From a2d67969b4a4b8732a976b58ad49ceaacd9f5e51 Mon Sep 17 00:00:00 2001
From: AydarN <9845662+AydarN@users.noreply.github.com>
Date: Fri, 30 Jun 2023 06:06:16 +0300
Subject: [PATCH 4/6] Update maven-swag-build.yml
---
 .github/workflows/maven-swag-build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/maven-swag-build.yml b/.github/workflows/maven-swag-build.yml
index 5ec245a2..4e2397c9 100644
--- a/.github/workflows/maven-swag-build.yml
+++ b/.github/workflows/maven-swag-build.yml
@@ -48,10 +48,10 @@ jobs:
 run: npm run validate
 - name: Build server jar
- run: mvn --batch-mode clean package site -f pom.xml -P="server"
+ run: mvn --batch-mode site clean package -f pom.xml -P="server"
 - name: Build client jar
- run: mvn --batch-mode clean package site -f pom.xml -P="client"
+ run: mvn --batch-mode site clean package -f pom.xml -P="client"
 scan:
 name: Scan with Trivy
From 530897f4da9910e678a6da92b296a7ec76982727 Mon Sep 17 00:00:00 2001
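Review bot: Dropping `${{ inputs.mvn-args }}` from the build command in the maven-library-build.yml hunk leaves the reusable workflow's `mvn-args` input declared but silently ignored by this job, while the adjacent `${{ inputs.mvn-options }}` is still honoured, so callers that pass extra goals or properties get no effect and no error. If the intent is to stop callers from altering the goal list, remove or document the input where it is declared (outside this hunk); otherwise keep `clean compile site ${{ inputs.mvn-args }}`.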
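Review bot: `mvn --batch-mode site clean package` in the maven-swag-build.yml hunk runs the phases in the order given, so `site` executes first and `clean` then wipes `target/` before `package`; if the SBOM is generated during `site` into `target/bom.json` — the path the thrift workflow's `Upload SBOM` step reads — it is gone before the `scan` job (`needs: bundle`) can fetch it. Use `clean site package` if `site` has to run before packaging, or restore `clean package site`. The same reordering appears in the thrift hunk of the next patch, directly above its `Upload SBOM` step.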
From: AydarN <9845662+AydarN@users.noreply.github.com>
Date: Fri, 30 Jun 2023 06:06:51 +0300
Subject: [PATCH 5/6] Update maven-thrift-build.yml
---
 .github/workflows/maven-thrift-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/maven-thrift-build.yml b/.github/workflows/maven-thrift-build.yml
index 75907dc6..bf30f8e2 100644
--- a/.github/workflows/maven-thrift-build.yml
+++ b/.github/workflows/maven-thrift-build.yml
@@ -36,7 +36,7 @@ jobs:
 echo "::set-output name=SHA_7::${GITHUB_SHA::7}"
 id: commit_info
 - name: Build package
- run: mvn --batch-mode -Dcommit.number=${{ steps.commit_info.outputs.COMMIT_NUMBER }} -Drevision="1.${{ steps.commit_info.outputs.COMMIT_NUMBER }}-${{ steps.commit_info.outputs.SHA_7 }}" clean compile site -f pom.xml
+ run: mvn --batch-mode -Dcommit.number=${{ steps.commit_info.outputs.COMMIT_NUMBER }} -Drevision="1.${{ steps.commit_info.outputs.COMMIT_NUMBER }}-${{ steps.commit_info.outputs.SHA_7 }}" site clean compile -f pom.xml
 - name: Upload SBOM
 uses: actions/upload-artifact@v3
From 77500a130dc28ec3b9597c881493d46691c8e688 Mon Sep 17 00:00:00 2001
From: AydarN <9845662+AydarN@users.noreply.github.com>
Date: Mon, 3 Jul 2023 09:31:35 +0300
Subject: [PATCH 6/6] trivy-for-services
---
 .github/workflows/maven-library-build.yml | 23 +----------------------
 .github/workflows/maven-swag-build.yml | 19 ++-----------------
 .github/workflows/maven-thrift-build.yml | 23 +----------------------
 3 files changed, 4 insertions(+), 61 deletions(-)
diff --git a/.github/workflows/maven-library-build.yml b/.github/workflows/maven-library-build.yml
index eb57a984..026e2746 100644
--- a/.github/workflows/maven-library-build.yml
+++ b/.github/workflows/maven-library-build.yml
@@ -43,13 +43,7 @@ jobs:
 mvn \
 --no-transfer-progress \
 --batch-mode ${{ inputs.mvn-options }} \
- clean compile site
-
- - name: Upload SBOM
- uses: actions/upload-artifact@v3
- with:
- name: bom.json
- path: 'target/bom.json'
+ clean compile ${{ inputs.mvn-args }}
 test-coverage:
 runs-on: ubuntu-20.04
@@ -74,18 +68,3 @@ jobs:
 - name: Upload code coverage
 uses: codecov/codecov-action@v3
- scan:
- name: Scan with Trivy
- needs: build
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - name: Install Trivy CLI
- run: |
- wget https://github.com/aquasecurity/trivy/releases/download/v0.39.1/trivy_0.39.1_Linux-64bit.deb
- sudo dpkg -i trivy_0.39.1_Linux-64bit.deb
- - uses: actions/download-artifact@v3
- with:
- name: bom.json
- - name: Run Trivy with SBOM
- run: trivy sbom --exit-code 1 --severity CRITICAL,HIGH ./bom.json
diff --git a/.github/workflows/maven-swag-build.yml b/.github/workflows/maven-swag-build.yml
index 4e2397c9..1d7735f2 100644
--- a/.github/workflows/maven-swag-build.yml
+++ b/.github/workflows/maven-swag-build.yml
@@ -48,23 +48,8 @@ jobs:
 run: npm run validate
 - name: Build server jar
- run: mvn --batch-mode site clean package -f pom.xml -P="server"
+ run: mvn --batch-mode clean package -f pom.xml -P="server"
 - name: Build client jar
- run: mvn --batch-mode site clean package -f pom.xml -P="client"
+ run: mvn --batch-mode clean package -f pom.xml -P="client"
- scan:
- name: Scan with Trivy
- needs: bundle
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - name: Install Trivy CLI
- run: |
- wget https://github.com/aquasecurity/trivy/releases/download/v0.39.1/trivy_0.39.1_Linux-64bit.deb
- sudo dpkg -i trivy_0.39.1_Linux-64bit.deb
- - uses: actions/download-artifact@v3
- with:
- name: bom.json
- - name: Run Trivy with SBOM
- run: trivy sbom --exit-code 1 --severity CRITICAL,HIGH ./bom.json
diff --git a/.github/workflows/maven-thrift-build.yml b/.github/workflows/maven-thrift-build.yml
index bf30f8e2..e94b6341 100644
--- a/.github/workflows/maven-thrift-build.yml
+++ b/.github/workflows/maven-thrift-build.yml
@@ -36,26 +36,5 @@ jobs:
 echo "::set-output name=SHA_7::${GITHUB_SHA::7}"
 id: commit_info
 - name: Build package
- run: mvn --batch-mode -Dcommit.number=${{ steps.commit_info.outputs.COMMIT_NUMBER }} -Drevision="1.${{ steps.commit_info.outputs.COMMIT_NUMBER }}-${{ steps.commit_info.outputs.SHA_7 }}" site clean compile -f pom.xml
+ run: mvn --batch-mode -Dcommit.number=${{ steps.commit_info.outputs.COMMIT_NUMBER }} -Drevision="1.${{ steps.commit_info.outputs.COMMIT_NUMBER }}-${{ steps.commit_info.outputs.SHA_7 }}" clean compile -f pom.xml
- - name: Upload SBOM
- uses: actions/upload-artifact@v3
- with:
- name: bom.json
- path: 'target/bom.json'
-
- scan:
- name: Scan with Trivy
- needs: build
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - name: Install Trivy CLI
- run: |
- wget https://github.com/aquasecurity/trivy/releases/download/v0.39.1/trivy_0.39.1_Linux-64bit.deb
- sudo dpkg -i trivy_0.39.1_Linux-64bit.deb
- - uses: actions/download-artifact@v3
- with:
- name: bom.json
- - name: Run Trivy with SBOM
- run: trivy sbom --exit-code 1 --severity CRITICAL,HIGH ./bom.json