From fbcc611da7520c1f2500ff6dad63d7d761576ad7 Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Wed, 23 Oct 2024 19:36:32 +0530 Subject: [PATCH 1/9] Added RL scanner workflow --- .github/workflows/rl-scanner.yml | 85 ++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 .github/workflows/rl-scanner.yml diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml new file mode 100644 index 00000000..529f0425 --- /dev/null +++ b/.github/workflows/rl-scanner.yml 
@@ -0,0 +1,85 @@ + +name: RL-Security-Scanner +run-name: rl-security-scanner + + +on: + merge_group: + workflow_dispatch: + push: + branches: ["main"] + pull_request: + types: + - opened + - synchronize + +jobs: + checkout-build-scan-only: + if: github.event_name == 'workflow_dispatch' || + (github.event_name == 'pull_request') + # && startsWith(github.event.pull_request.head.ref, 'release/')) + runs-on: ubuntu-latest + + + permissions: + pull-requests: write + id-token: write + + steps: + - uses: actions/checkout@v4 + - name: Set up + uses: ./.github/actions/setup + + - name: Build with gradle + shell: bash + run: ./gradlew :auth0:assembleRelease + + - name: Get Artifact Version + id: get_version + run: | + version=$(cat .version) + echo "version=$version" >> $GITHUB_OUTPUT + + - name: List build contents + run: ls -la auth0/build/outputs/aar + + - name: Output build artifact + id: output_build_artifact + run: | + echo "scanfile=$(pwd)/auth0/build/outputs/aar/auth0-release-${{ steps.get_version.outputs.version }}.aar" >> $GITHUB_OUTPUT + + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: "3.10" + + - name: Install Python dependencies + run: | + pip install --upgrade pip + pip install boto3 requests + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ secrets.PRODSEC_TOOLS_ARN }} + aws-region: us-east-1 + mask-aws-account-id: true + + - name: Run Reversing Labs Wrapper Scanner + env: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" + PYTHONUNBUFFERED: 1 + run: | + pip install rl-wrapper --index-url "$WRAPPER_INDEX_URL" && \ + rl-wrapper \ + --artifact "${{ steps.output_build_artifact.outputs.scanfile }}" 
\ + --version "${{ steps.get_version.outputs.version }}" \ + --name "${{ github.event.repository.name }}" \ + --repository "${{ github.repository }}" \ + --commit "${{ github.sha }}" \ + --build-env "github_actions" \ + --suppress_output + continue-on-error: true \ No newline at end of file From 597b50885a5b1144bed65cee798b78ea15a38e00 Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Mon, 28 Oct 2024 23:46:55 +0530 Subject: [PATCH 2/9] New workflow changes for RL scanner --- .github/actions/rl-scanner/action.yml | 73 ++++++++++++++++++++++ .github/workflows/release.yml | 14 +++++ .github/workflows/rl-scanner.yml | 88 ++++++++++++--------------- 3 files changed, 127 insertions(+), 48 deletions(-) create mode 100644 .github/actions/rl-scanner/action.yml diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml new file mode 100644 index 00000000..b5519574 --- /dev/null +++ b/.github/actions/rl-scanner/action.yml 
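Review bot: Every action in this workflow is referenced by a mutable major tag (`actions/checkout@v4`, `actions/setup-python@v4`, `aws-actions/configure-aws-credentials@v1`), and `configure-aws-credentials@v1` is a major that has since been superseded; pin each to a full commit SHA with the tag in a trailing comment, so a moved tag cannot change what runs in a job that holds the OIDC `id-token` and the scanner secrets. The same applies to the composite action added in PATCH 2/9, which uses the same two tags. The Get Artifact Version step does `version=$(cat .version)` with no check that the file exists or is non-empty, so a missing file yields `auth0-release-.aar` as the scan path two steps later; add `[ -n "$version" ] || { echo "missing .version"; exit 1; }` after the read.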
@@ -0,0 +1,73 @@ + +name: 'RL-Security-Scanner' +description: 'Runs the Reversing Labs scanner on a specified artifact.' +inputs: + artifact-path: + description: 'Path to the artifact to be scanned.' + required: true + version: + description: 'Version of the artifact.' + required: true + + +runs: + using: 'composite' + steps: + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + + - name: Install Python dependencies + shell: bash + run: | + pip install boto3 requests + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }} + aws-region: 'us-east-1' + mask-aws-account-id: true + + - name: Install RL Wrapper + shell: bash + run: | + pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" + + - name: Run RL Scanner + shell: bash + env: + RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }} + PYTHONUNBUFFERED: 1 + run: | + if [ ! -f "${{ inputs.artifact-path }}" ]; then + echo "Artifact not found: ${{ inputs.artifact-path }}" + exit 1 + fi + + rl-wrapper \ + --artifact "${{ inputs.artifact-path }}" \ + --version "${{ inputs.version }}" \ + --name "${{ github.event.repository.name }}" \ + --repository "${{ github.repository }}" \ + --commit "${{ github.sha }}" \ + --build-env "github_actions" \ + --suppress_output + + # Check the outcome of the scanner + if [ $? -ne 0 ]; then + echo "RL Scanner failed." + echo "scan-status=failed" >> $GITHUB_ENV + exit 1 + else + echo "RL Scanner passed." + echo "scan-status=success" >> $GITHUB_ENV + fi + +outputs: + scan-status: + description: 'The outcome of the scan process.' + value: ${{ env.scan-status }} 
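Review bot: `pip install rl-wrapper>=1.0.0 --index-url ...` in the Install RL Wrapper step is unquoted, so bash treats `>=1.0.0` as a redirection of stdout to a file named `=1.0.0` and pip never sees the version constraint; quote the requirement, `pip install 'rl-wrapper>=1.0.0' --index-url "..."`. In the Run RL Scanner step the `if [ $? -ne 0 ]` branch cannot be reached on failure, because a `shell: bash` step runs with `-e` and the script exits at the failing `rl-wrapper` call before `scan-status=failed` is written; capture the exit status instead, as below. Whether `outputs.scan-status: value: ${{ env.scan-status }}` can observe a `$GITHUB_ENV` write from inside the same composite action is not certain from here — giving the step an `id` and writing `scan-status=...` to `$GITHUB_OUTPUT`, then referencing `steps.<id>.outputs.scan-status`, is the documented route for composite outputs.

```yaml
      - name: Install RL Wrapper
        shell: bash
        run: |
          pip install 'rl-wrapper>=1.0.0' --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"

      # … unchanged: Run RL Scanner name, shell, env and the artifact existence check …
          rc=0
          # … unchanged: rl-wrapper invocation, with "--suppress_output || rc=$?" as its last line …
          if [ "$rc" -ne 0 ]; then
            echo "RL Scanner failed."
            echo "scan-status=failed" >> "$GITHUB_ENV"
            exit 1
          fi
          echo "RL Scanner passed."
          echo "scan-status=success" >> "$GITHUB_ENV"
```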
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 130a0e76..24b48251 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,8 +14,22 @@ permissions: ### TODO: Also remove `java-release` workflow from this repo's .github/workflows folder once the repo is public. jobs: + rl-scanner: + uses: ./.github/workflows/rl-scanner.yml + with: + java-version: 8.0.402-zulu + artifact-name: 'auth0-release.aar' + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + release: uses: ./.github/workflows/java-release.yml + needs: rl-scanner with: java-version: 8.0.402-zulu secrets: diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 529f0425..3391835b 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml 
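Review bot: `needs: rl-scanner` on the `release` job makes the scan a hard gate, but the `rl-scanner` job it calls carries a job-level `if:` (in this patch's rl-scanner.yml hunk) that skips it unless the caller's event is a `workflow_dispatch` or a merged `release/` pull request; when a job is skipped, GitHub also skips every job that `needs` it, so `release` will no longer run for any other event — confirm that is intended rather than a silent loss of releases. If `release` should still run when the scan was skipped but not when it failed, give it `if: ${{ !cancelled() && needs.rl-scanner.result != 'failure' }}` and document that `skipped` is accepted. The `rl-scanner` job's `if:` is evaluated inside the reusable workflow against the caller's event, so the two conditions should be kept in sync deliberately.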
@@ -1,34 +1,43 @@ - name: RL-Security-Scanner run-name: rl-security-scanner on: - merge_group: - workflow_dispatch: - push: - branches: ["main"] - pull_request: - types: - - opened - - synchronize + workflow_call: + inputs: + java-version: + required: true + type: string + is-android: + required: true + type: string + secrets: + ossr-username: + required: true + ossr-password: + required: true + signing-key: + required: true + signing-password: + required: true + github-token: + required: true + jobs: - checkout-build-scan-only: - if: github.event_name == 'workflow_dispatch' || - (github.event_name == 'pull_request') - # && startsWith(github.event.pull_request.head.ref, 'release/')) + rl-scanner: + name: Run Reversing Labs Scanner + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest + outputs: + scan-status: ${{ steps.rl-scan-conclusion.outcome }} - permissions: - pull-requests: write - id-token: write - steps: + - name: Checkout code - uses: actions/checkout@v4 - - name: Set up - uses: ./.github/actions/setup + with: + fetch-depth: 0 - name: Build with gradle shell: bash 
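Review bot: `java-version` is declared as a required `workflow_call` input, but nothing in this hunk reads it, and the `Set up` step that used `./.github/actions/setup` is removed; the `Build with gradle` step that follows runs `./gradlew :auth0:assembleRelease` on whatever JDK the runner image ships unless something outside this hunk installs one — confirm the setup step was meant to go, or keep it with `java-version: ${{ inputs.java-version }}`. The job also drops the `permissions:` block that carried `id-token: write`, which the `role-to-assume` exchange in the composite action needs; a later patch in the series grants it at the caller's workflow level instead, so this workflow should document that requirement in a comment above `jobs:`, e.g. `# Caller must grant id-token: write; the rl-scanner action exchanges an OIDC token for PRODSEC_TOOLS_ARN.` The job's remaining steps continue past the end of this hunk.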
@@ -46,40 +55,23 @@ jobs: - name: Output build artifact id: output_build_artifact run: | - echo "scanfile=$(pwd)/auth0/build/outputs/aar/auth0-release-${{ steps.get_version.outputs.version }}.aar" >> $GITHUB_OUTPUT + echo "scanfile=$(pwd)/auth0/build/outputs/aar/auth0-release-${{ steps.get_version.outputs.version }}.aar" >> $GITHUB_OUTPUT - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: "3.10" - - name: Install Python dependencies - run: | - pip install --upgrade pip - pip install boto3 requests - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + - name: Run Reversing Labs Scanner + id: rl-scan-conclusion + uses: ./.github/actions/rl-scanner with: - role-to-assume: ${{ secrets.PRODSEC_TOOLS_ARN }} - aws-region: us-east-1 - mask-aws-account-id: true - - - name: Run Reversing Labs Wrapper Scanner + artifact-path: "$(pwd)/${{ inputs.artifact-name }}" + version: "${{ steps.get_version.outputs.version }}" env: RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} - WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" - PYTHONUNBUFFERED: 1 - run: | - pip install rl-wrapper --index-url "$WRAPPER_INDEX_URL" && \ - rl-wrapper \ - --artifact "${{ steps.output_build_artifact.outputs.scanfile }}" \ - --version "${{ steps.get_version.outputs.version }}" \ - --name "${{ github.event.repository.name }}" \ - --repository "${{ github.repository }}" \ - --commit "${{ github.sha }}" \ - --build-env "github_actions" \ - --suppress_output - continue-on-error: true \ No newline at end of file + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + - name: Output scan result + run: echo "scan-status=${{ 
steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV \ No newline at end of file From 256e842398e7c24c1554eaf82b25e00eb667affd Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Mon, 28 Oct 2024 23:58:25 +0530 Subject: [PATCH 3/9] Fixed the action failure error --- .github/workflows/rl-scanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 3391835b..a7b05353 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout code - - uses: actions/checkout@v4 + uses: actions/checkout@v4 with: fetch-depth: 0 From cbdb41f5cfaadd8d756c8051a9aa1ca6a4cfb4ad Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Tue, 29 Oct 2024 15:38:03 +0530 Subject: [PATCH 4/9] Changes added to test the RL integration --- .github/workflows/release.yml | 5 ++++- .github/workflows/rl-scanner.yml | 5 +---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 24b48251..bda48070 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,8 +5,12 @@ on: types: - closed workflow_dispatch: + push: + branches: + - 'reversing_labs' permissions: + id-token: write contents: write ### TODO: Replace instances of './.github/workflows/' w/ `auth0/dx-sdk-actions/workflows/` and append `@latest` after the common `dx-sdk-actions` repo is made public. @@ -18,7 +22,6 @@ jobs: uses: ./.github/workflows/rl-scanner.yml with: java-version: 8.0.402-zulu - artifact-name: 'auth0-release.aar' secrets: RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index a7b05353..b5b68396 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml 
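Review bot: `artifact-path: "$(pwd)/${{ inputs.artifact-name }}"` relies on shell evaluation of an action input: the runner does not expand `$(pwd)` in `with:` values, so the path only resolves because the composite action splices `${{ inputs.artifact-path }}` verbatim into a `run:` script where bash then performs the substitution. Use `artifact-path: ${{ github.workspace }}/${{ inputs.artifact-name }}` so the input is a plain path and the action can treat its inputs as data rather than as script text. The final `Output scan result` step appends to `$GITHUB_ENV` as the last step of the job, where nothing can read it; the job-level `outputs.scan-status: ${{ steps.rl-scan-conclusion.outcome }}` already exposes the result, so the step can be dropped. The `scanfile` output of `Output build artifact` is no longer consumed by anything in this hunk.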
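Review bot: `id-token: write` is added to the workflow-level `permissions:`, so it is granted to the `release` job and the `java-release` reusable workflow it calls, not only to `rl-scanner`, which is the only job visible here that needs it (for the `role-to-assume` exchange in the composite action). A job that `uses:` a reusable workflow may carry its own `permissions:`; move the grant there, e.g. under `rl-scanner:` add `permissions:` with `id-token: write` and `contents: read`, so the publishing steps cannot request an OIDC token that would satisfy the same AWS role trust. The `push` trigger on `reversing_labs` is test scaffolding and is removed again in PATCH 9/9.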
@@ -8,9 +8,6 @@ on: java-version: required: true type: string - is-android: - required: true - type: string secrets: ossr-username: required: true @@ -27,7 +24,7 @@ on: jobs: rl-scanner: name: Run Reversing Labs Scanner - if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) +# if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest outputs: scan-status: ${{ steps.rl-scan-conclusion.outcome }} From a9ae9209969093fe22e4926da4ca978ffc100b2b Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Tue, 29 Oct 2024 15:45:42 +0530 Subject: [PATCH 5/9] Resolved the wrong secret parameters passed --- .github/workflows/rl-scanner.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index b5b68396..bfb315bf 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -9,15 +9,17 @@ on: required: true type: string secrets: - ossr-username: + RLSECURE_LICENSE: required: true - ossr-password: + RLSECURE_SITE_KEY: required: true - signing-key: + SIGNAL_HANDLER_TOKEN: required: true - signing-password: + PRODSEC_TOOLS_USER: required: true - github-token: + PRODSEC_TOOLS_TOKEN: + required: true + PRODSEC_TOOLS_ARN: required: true From d852293d67234d7ac8a1a0df4a2405db570dddd8 Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Tue, 29 Oct 2024 15:59:54 +0530 Subject: [PATCH 6/9] Artifact path error fix --- .github/workflows/release.yml | 1 + .github/workflows/rl-scanner.yml | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bda48070..713888a5 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -22,6 +22,7 @@ jobs: uses: ./.github/workflows/rl-scanner.yml with: java-version: 8.0.402-zulu + artifact-name: 'auth0-release.aar' secrets: RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index bfb315bf..89301fa1 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -8,6 +8,9 @@ on: java-version: required: true type: string + artifact-name: + required: true + type: string secrets: RLSECURE_LICENSE: required: true @@ -57,12 +60,11 @@ jobs: echo "scanfile=$(pwd)/auth0/build/outputs/aar/auth0-release-${{ steps.get_version.outputs.version }}.aar" >> $GITHUB_OUTPUT - - name: Run Reversing Labs Scanner id: rl-scan-conclusion uses: ./.github/actions/rl-scanner with: - artifact-path: "$(pwd)/${{ inputs.artifact-name }}" + artifact-path: "$(pwd)/auth0/build/outputs/aar/${{artifact-name}}" version: "${{ steps.get_version.outputs.version }}" env: RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} From 40f69adda2f3f7023b1798fdf658eaf400035449 Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Tue, 29 Oct 2024 17:53:41 +0530 Subject: [PATCH 7/9] Artifact name fix --- .github/workflows/rl-scanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 89301fa1..d6444ff2 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -64,7 +64,7 @@ jobs: id: rl-scan-conclusion uses: ./.github/actions/rl-scanner with: - artifact-path: "$(pwd)/auth0/build/outputs/aar/${{artifact-name}}" + artifact-path: "$(pwd)/auth0/build/outputs/aar/${{ artifact-name }}" version: "${{ steps.get_version.outputs.version }}" env: RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} From 2919eeb1e45324ae1ed1b4d6c9d67f2093175fec Mon Sep 17 00:00:00 2001 
From: Prince Mathew Date: Tue, 29 Oct 2024 17:57:02 +0530 Subject: [PATCH 8/9] Missed adding inputs to the artifact name property --- .github/workflows/rl-scanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index d6444ff2..6638e972 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -64,7 +64,7 @@ jobs: id: rl-scan-conclusion uses: ./.github/actions/rl-scanner with: - artifact-path: "$(pwd)/auth0/build/outputs/aar/${{ artifact-name }}" + artifact-path: "$(pwd)/auth0/build/outputs/aar/${{ inputs.artifact-name }}" version: "${{ steps.get_version.outputs.version }}" env: RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} From 92d642c99aa5e72b3b6cf6e99fde7b332e7c143f Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Tue, 29 Oct 2024 21:45:56 +0530 Subject: [PATCH 9/9] Reverted the changes for testing --- .github/workflows/release.yml | 3 --- .github/workflows/rl-scanner.yml | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 713888a5..d74a96c0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,9 +5,6 @@ on: types: - closed workflow_dispatch: - push: - branches: - - 'reversing_labs' permissions: id-token: write diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 6638e972..6f6e01ab 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml 
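Review bot: The path handed to the scanner, `$(pwd)/auth0/build/outputs/aar/${{ inputs.artifact-name }}`, assumes the AAR is named exactly what the caller passes (`auth0-release.aar` in release.yml), while the `Output build artifact` step two steps earlier still computes `auth0-release-${{ steps.get_version.outputs.version }}.aar` into a `scanfile` output that nothing now reads; unless gradle emits both files, the action's `[ ! -f … ]` check will fail for one of them. Pick one source of truth — `artifact-path: ${{ steps.output_build_artifact.outputs.scanfile }}` reuses the computed name and also removes the `$(pwd)` that the runner does not expand in `with:` values — and drop the `artifact-name` input if the versioned name is the real one. Which filename gradle actually produces is not visible in this hunk.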
@@ -29,7 +29,7 @@ on: jobs: rl-scanner: name: Run Reversing Labs Scanner -# if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest outputs: scan-status: ${{ steps.rl-scan-conclusion.outcome }}