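# Veracode scans
#
# Reusable workflow (workflow_call). The `build` job prepares the module's
# shared objects inside the collect build image, keeps only the *.so files,
# archives them, and publishes the list of .so paths; `sandbox-scan` then fans
# out one matrix job per .so.
on:
  workflow_call:
    inputs:
      module_name:
        description: Veracode application name; also part of the archive / cache key
        required: true
        type: string
      major_version:
        description: Module major version (used in the scan version label; scan step currently commented out)
        required: true
        type: string
      minor_version:
        description: Module minor version (used in the scan version label; scan step currently commented out)
        required: true
        type: string
      stability:
        description: Build stability ('stable'/'unstable'); only referenced by the commented-out job guard
        required: true
        type: string
      img_version:
        description: Tag of the centreon-collect-alma9 build image
        required: true
        type: string
    secrets:
      veracode_api_id:
        required: true
      veracode_api_key:
        required: true
      # Not referenced by the steps shown in this file.
      veracode_srcclr_token:
        required: true
      # Pull credentials for the internal container registry.
      docker_registry_id:
        required: true
      docker_registry_passwd:
        required: true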
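# Least privilege for the workflow token: the jobs only check out sources and
# use the cache service; nothing writes to the repository.
permissions:
  contents: read

jobs:
  build:
    name: Binary preparation
    runs-on: [self-hosted, collect]
    #if: github.event_name != 'pull_request' && (inputs.stability == 'stable' || inputs.stability == 'unstable')
    env:
      # Archive name defined once; the shell steps read it from the environment
      # instead of interpolating the expression into the script.
      ARCHIVE_NAME: ${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary.tar.gz
    outputs:
      # The context is `steps` (plural); `step.` is not a valid context and
      # left this output empty.
      targets: ${{ steps.binary_preparation.outputs.targets }}
    container:
      image: ${{ vars.DOCKER_INTERNAL_REGISTRY_URL }}/centreon-collect-alma9:${{ inputs.img_version }}
      credentials:
        username: ${{ secrets.docker_registry_id }}
        password: ${{ secrets.docker_registry_passwd }}
    steps:
      - uses: actions/checkout@v4
      - name: Compiling Cpp sources
        run: |
          rm -rf build
          mkdir build
          cd build
          # The real build is currently disabled (conan / cmake / ninja calls below).
          # sudo pip3 install conan==1.57.0 --prefix=/usr --upgrade
          # sudo conan install .. -s compiler.cppstd=14 -s compiler.libcxx=libstdc++11 --build=missing
          #
          # sudo cmake \
          #   -G "Ninja" \
          #   -DCMAKE_CXX_FLAGS="-gdwarf-2 -g3 -O0 -fno-builtin" \
          #   -DWITH_TESTING=OFF \
          #   -DWITH_BENCH=OFF \
          #   -DWITH_MODULE_SIMU=OFF \
          #   -DCMAKE_INSTALL_PREFIX=/usr \
          #   -DWITH_STARTUP_SCRIPT=systemd \
          #   -DWITH_ENGINE_LOGROTATE_SCRIPT=ON \
          #   -DWITH_USER_BROKER=centreon-broker \
          #   -DWITH_GROUP_BROKER=centreon-broker \
          #   -DWITH_USER_ENGINE=centreon-engine \
          #   -DWITH_GROUP_ENGINE=centreon-engine \
          #   -DWITH_VAR_DIR=/var/log/centreon-engine \
          #   -DWITH_DAEMONS=ON \
          #   -DWITH_CREATE_FILES=OFF \
          #   -DWITH_CONFIG_FILES=ON \
          #   ..
          #
          # sudo ninja
          # Placeholder artifacts while the build is disabled: README.md is copied
          # under the names of the modules the build would produce, so the rest of
          # the pipeline (filtering, matrix, archive) can still be exercised.
          for stub in 70-rrd.so 15-stats.so 15-stats_exporter.so test.so cbmod.so 10-neb.so; do
            cp ../README.md "$stub"
          done
          echo "[DEBUG] - Build size"
          du -sh ./lib/* | sort -rh
          echo "[DEBUG] - Find compiled files"
          find ./ -name "*.so"
      - name: Binary preparation
        id: binary_preparation
        run: |
          echo "[INFO] - Keeping only compiled files"
          find ./build -type f -not -name "*.so" -delete
          echo "[INFO] - Removing veracode exclusions"
          if [[ -f ".veracode-exclusions" ]]; then
            # Each line names a path to drop from the scan; the entries end up in
            # `rm -rf`, so they are sanitised: restricted character set, '..'
            # collapsed, leading slashes stripped so every entry stays relative to
            # the checkout, and any entry that still contains '..' is refused.
            sed -e 's/[^a-zA-Z0-9_./-]//g' -e 's/\.\./\./g' -e 's#^/*##' .veracode-exclusions \
              | while IFS= read -r LINE || [[ -n "$LINE" ]]; do
              if [[ -z "$LINE" ]]; then
                echo "[INFO] - empty directive. Skipping this line"
              elif [[ "$LINE" == *..* ]]; then
                echo "[WARN] - parent-directory reference refused. Skipping: '$LINE'"
              elif [[ -d "$LINE" ]]; then
                rm -rf "$LINE"
                echo "[INFO] - folder removed from analysis : '$LINE'"
              elif [[ -e "$LINE" ]]; then
                rm -f "$LINE"
                echo "[INFO] - file removed from analysis : '$LINE'"
              else
                echo "[WARN] - target to exclude not found. Skipping: '$LINE'"
              fi
            done
          else
            echo "[WARN] - No '.veracode-exclusions' file found for this module. Skipping exclusion step"
          fi
          echo "[INFO] - Keeping only build's non empty folders"
          find ./build -empty -type d -delete
          echo "[INFO] - List all compiled files to trigger a matrix job"
          # Paths relative to ./build, emitted as a JSON array for the sandbox-scan matrix.
          TARGETS=$(find ./build -name "*.so" -printf "%P\n" | jq -R -s -c 'split("\n")[:-1]')
          echo "targets=$TARGETS" >> "$GITHUB_OUTPUT"
          cat "$GITHUB_OUTPUT"
          tar cvzf "$ARCHIVE_NAME" build
      - name: Cache
        # The cache service is used as the transport between jobs; the restore
        # step in sandbox-scan uses the same key.
        uses: actions/cache/save@v3
        with:
          path: "${{ env.ARCHIVE_NAME }}"
          key: "${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary"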
sandbox-scan: | ||
needs: [build] | ||
name: Sandbox scan | ||
runs-on: ubuntu-latest | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
project_location: ${{ fromJson(needs.build.targets) }} | ||
steps: | ||
- name: Get project name | ||
run: | | ||
echo "[DEBUG] - project_name = ${{ matrix.project_location }} | ||
echo "project_name=`basename ${{ matrix.project_location }}`" | ||
- name: Promote latest scan | ||
# Only last develop should be promoted to policy scan | ||
if: github.ref_name == 'disabled_develop' && github.events != "pull-request" # disable promote for now | ||
env: | ||
VERACODE_API_ID: "${{ secrets.veracode_api_id }}" | ||
VERACODE_API_SECRET: "${{ secrets.veracode_api_key }}" | ||
# Action forked as API calls hardcoded '.com' route | ||
uses: sc979/[email protected] | ||
# Promote should not fail if sandbox was not found. | ||
continue-on-error: true | ||
with: | ||
activity: "promote-latest-scan" | ||
app-name: "${{ inputs.module_name }}" | ||
sandbox-name: "${{ github.ref_name }}" | ||
delete-on-promote: false | ||
- name: Get build binary | ||
uses: actions/cache/restore@v3 | ||
with: | ||
path: "${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary.tar.gz" | ||
key: "${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary" | ||
- name: Prepare analysis | ||
run: | | ||
tar xvzf "${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary.tar.gz" | ||
# Check what's left | ||
ls -la build | ||
# - name: Sandbox scan | ||
# uses: veracode/[email protected] | ||
# continue-on-error: ${{ vars.VERACODE_CONTINUE_ON_ERROR == 'true' }} | ||
# with: | ||
# appname: "${{ inputs.module_name }}" | ||
# version: "${{ inputs.major_version }}.${{ inputs.minor_version }}_runId-${{ github.run_id }}" | ||
# filepath: "${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary.tar.gz" | ||
# vid: "vera01ei-${{ secrets.veracode_api_id }}" | ||
# vkey: "vera01es-${{ secrets.veracode_api_key }}" | ||
# createprofile: true | ||
# createsandbox: true | ||
# sandboxname: "${{ github.ref_name }}" | ||
# #scantimeout: 120 | ||
# includenewmodules: true | ||
# scanallnonfataltoplevelmodules: true | ||
# deleteincompletescan: 2 | ||
# scanpollinginterval: 120 # time between two checks in seconds / [30 to 120] |