From 746248c08dfa186dfe80ddf8121f2603408e9abf Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lachance
Date: Wed, 13 Nov 2024 13:27:27 -0500
Subject: [PATCH] Add a new workflow to simplify dependency review (#55)

+ Add a new workflow to simplify Java dependency review
+ Add support for warn-on-openssf-scorecard-level
+ Add a dependency-review-v2 that pulls information from Repository Properties
J:DEF-3582
---
 .github/workflows/dependency-review-v2.yml | 127 ++++++++++++++++++
 .github/workflows/dependency-review.yml | 6 +
 .../java-maven-openjdk-dependency-review.yml | 101 ++++++++++++++
 ...va-maven-openjdk-dependency-submission.yml | 5 +-
 .github/workflows/test-dependency-review.yml | 13 ++
 .gitignore | 1 +
 6 files changed, 250 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/dependency-review-v2.yml
 create mode 100644 .github/workflows/java-maven-openjdk-dependency-review.yml
 create mode 100644 .gitignore

diff --git a/.github/workflows/dependency-review-v2.yml b/.github/workflows/dependency-review-v2.yml
new file mode 100644
index 0000000..4cabaa3
--- /dev/null
+++ b/.github/workflows/dependency-review-v2.yml
@@ -0,0 +1,127 @@ +name: Coveo Dependency Reviewer + +on: + workflow_call: + inputs: + comment-summary-in-pr: + description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests + required: false + default: on-failure + type: string + base-ref: + description: Provide custom git references for the git base + required: false + default: ${{ github.event.pull_request.base.sha }} + type: string + head-ref: + description: Provide custom git references for the git head + required: false + default: ${{ github.event.pull_request.head.sha }} + type: string + fail-on-severity: + description: Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. + required: false + default: high + type: string + runs-on: + description: | + The type of machine to run the job on. Must be provided as a stringified list (e.g. public repos should specify `runs-on: '["ubuntu-latest"]'`) + default: '["coveo", "arm64" , "linux", "eks"]' + type: string + retry-on-snapshot-warnings: + description: Whether to retry on snapshot warnings (to be used for projects where a dependency submission Action is used) + required: false + type: boolean + default: false + retry-on-snapshot-warnings-timeout: + description: Number of seconds to wait before stopping snapshot retries. + required: false + type: number + default: 120 + warn-on-openssf-scorecard-level: + description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you. 
+ required: false + type: number + default: 3 + +permissions: { } + +jobs: + dependency-review: + name: Dependency Review + runs-on: ${{ fromJson(inputs.runs-on) }} + + permissions: + contents: read + pull-requests: write + + steps: + - name: Checkout scan target + uses: actions/checkout@v4 + + - name: Checkout licenses + uses: actions/checkout@v4 + with: + repository: coveo/dependency-allowed-licenses + path: coveo-dependency-allowed-licenses + + - name: Get Properties + uses: actions/github-script@v7 + id: get-properties + with: + script: | + const owner = context.repo.owner; + const repo = context.repo.repo; + + const repoDetails = await github.request('GET /repos/' + owner + '/' + repo, { + owner: owner, + repo: repo + }); + const isPublic = !repoDetails.data.private; + console.log(`Is this a public repo? ${isPublic}`); + core.setOutput('is_public', isPublic); + + let distributedValue = isPublic; + if (!isPublic) { + const response = await github.request('GET /repos/' + owner + '/' + repo + '/properties/values', { + owner: owner, + repo: repo + }); + console.log('Repository properties: ' + JSON.stringify(response.data, null, 2)); + const distributedProperty = response.data.find(prop => prop.property_name === 'is_distributed'); + distributedValue = distributedProperty ? 
distributedProperty.value === 'true' : true; + } + core.setOutput('is_distributed', distributedValue); + + - name: Select configuration + id: select-config + uses: actions/github-script@v7 + with: + result-encoding: string + script: | + const isPublic = ${{ steps.get-properties.outputs.is_public }} === 'true'; + const isDistributed = ${{ steps.get-properties.outputs.is_distributed }} === 'true'; + + if (isPublic) { + return 'public.yml' + } + if (!isPublic && isDistributed) { + return 'private-distributed.yml' + } + if (!isPublic && !isDistributed) { + return 'private-undistributed.yml' + } + + core.setFailure(`Could not determine configuration for inputs: ${inputs}`) + + - name: Scan + uses: actions/dependency-review-action@v4.3.3 + with: + comment-summary-in-pr: ${{ inputs.comment-summary-in-pr }} + fail-on-severity: ${{ inputs.fail-on-severity }} + config-file: ./coveo-dependency-allowed-licenses/${{ steps.select-config.outputs.result }} + base-ref: ${{ inputs.base-ref }} + head-ref: ${{ inputs.head-ref }} + retry-on-snapshot-warnings: ${{ inputs.retry-on-snapshot-warnings }} + retry-on-snapshot-warnings-timeout: ${{ inputs.retry-on-snapshot-warnings-timeout }} + warn-on-openssf-scorecard-level: ${{ inputs.warn-on-openssf-scorecard-level }} diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 22c0076..da521c7 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -46,6 +46,11 @@ on: required: false type: number default: 120 + warn-on-openssf-scorecard-level: + description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you. + required: false + type: number + default: 3 jobs: dependency-review: 
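Review bot: In the `Select configuration` step, `const isPublic = ${{ steps.get-properties.outputs.is_public }} === 'true';` inlines the step output as an unquoted JavaScript literal, so the comparison evaluates as `true === 'true'` (always false); `isDistributed` has the same problem, so every run resolves to `private-undistributed.yml` and the `public.yml` / `private-distributed.yml` configurations are never selected. Passing the two outputs through `env:` and reading them from `process.env` fixes the comparison and also avoids splicing expression values into script source, as in the excerpt below. The fallback at the end of the script calls `core.setFailure`, which is not an @actions/core function (`core.setFailed` is), and references `inputs`, which github-script does not appear to define; the line is unreachable given the three `if` branches, but would throw if it were reached. The actions are referenced by tag (`actions/checkout@v4`, `actions/dependency-review-action@v4.3.3`) and the licence repository is checked out at its default branch; pinning each to a commit SHA and giving the checkout an explicit `ref:` would make the review reproducible and resistant to a moved tag.
```yaml
      - name: Select configuration
        id: select-config
        uses: actions/github-script@v7
        env:
          IS_PUBLIC: ${{ steps.get-properties.outputs.is_public }}
          IS_DISTRIBUTED: ${{ steps.get-properties.outputs.is_distributed }}
        with:
          result-encoding: string
          script: |
            const isPublic = process.env.IS_PUBLIC === 'true';
            const isDistributed = process.env.IS_DISTRIBUTED === 'true';
            // … unchanged: public / private-distributed / private-undistributed selection …
            core.setFailed(`Could not determine configuration for is_public=${isPublic}, is_distributed=${isDistributed}`);
```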
@@ -92,3 +97,4 @@ jobs: head-ref: ${{ inputs.head-ref }} retry-on-snapshot-warnings: ${{ inputs.retry-on-snapshot-warnings }} retry-on-snapshot-warnings-timeout: ${{ inputs.retry-on-snapshot-warnings-timeout }} + warn-on-openssf-scorecard-level: ${{ inputs.warn-on-openssf-scorecard-level }} diff --git a/.github/workflows/java-maven-openjdk-dependency-review.yml b/.github/workflows/java-maven-openjdk-dependency-review.yml new file mode 100644 index 0000000..12088c2 --- /dev/null +++ b/.github/workflows/java-maven-openjdk-dependency-review.yml 
@@ -0,0 +1,101 @@ +name: 'Maven Dependency Review' + +on: + workflow_call: + inputs: + runs-on: + description: | + The type of machine to run the job on. Must be provided as a stringified list (e.g. `runs-on: '["ubuntu-latest","self-hosted"]'`) + required: true + type: string + + # Dependency Submission inputs + directory: + description: 'The directory that contains the pom.xml that will be used to generate the dependency graph from' + default: '.' + required: false + type: string + mvn-version: + description: | + The Maven version used for the execution. You can specify minor or patch version (3.9 or 3.9.1). Default : 3.9 + required: false + type: number + default: 3.9 + jdk-version: + description: | + The JDK version to use for the build. + default: 21 + required: false + type: number + mvn-additional-arguments: + description: | + The additional arguments to pass to the Maven invocation. You can use this to specify a custom profile for example. + + If you wish to exclude certain modules from the scan, pass: -Dexcludes=groupId:artifactId:type:classifier + + required: false + type: string + + # Dependency Reviewer inputs + comment-summary-in-pr: + description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests + required: false + default: on-failure + type: string + base-ref: + description: Provide custom git references for the git base + required: false + default: ${{ github.event.pull_request.base.sha }} + type: string + head-ref: + description: Provide custom git references for the git head + required: false + default: ${{ github.event.pull_request.head.sha }} + type: string + fail-on-severity: + description: Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. 
+ required: false + default: high + type: string + warn-on-openssf-scorecard-level: + description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you. + required: false + type: number + default: 3 + +permissions: { } + +jobs: + submit-dependencies: + name: Submit dependencies + uses: ./.github/workflows/java-maven-openjdk-dependency-submission.yml + + permissions: + contents: write + + with: + runs-on: ${{ inputs.runs-on }} + directory: ${{ inputs.directory }} + mvn-version: ${{ inputs.mvn-version }} + jdk-version: ${{ inputs.jdk-version }} + mvn-additional-arguments: ${{ inputs.mvn-additional-arguments }} + + dependency-review: + needs: submit-dependencies + + name: Dependency Review + uses: ./.github/workflows/dependency-review-v2.yml + + permissions: + contents: read + pull-requests: write + + with: + runs-on: ${{ inputs.runs-on }} + comment-summary-in-pr: ${{ inputs.comment-summary-in-pr }} + base-ref: ${{ inputs.base-ref }} + head-ref: ${{ inputs.head-ref }} + fail-on-severity: ${{ inputs.fail-on-severity }} + retry-on-snapshot-warnings: true + retry-on-snapshot-warnings-timeout: 120 + warn-on-openssf-scorecard-level: ${{ inputs.warn-on-openssf-scorecard-level }} diff --git a/.github/workflows/java-maven-openjdk-dependency-submission.yml b/.github/workflows/java-maven-openjdk-dependency-submission.yml index d068ab1..1b7d3a7 100644 --- a/.github/workflows/java-maven-openjdk-dependency-submission.yml +++ b/.github/workflows/java-maven-openjdk-dependency-submission.yml @@ -22,7 +22,8 @@ on: jdk-version: description: | The JDK version to use for the build. - required: true + default: 21 + required: false type: number mvn-additional-arguments: description: | @@ -43,9 +44,7 @@ jobs: image: maven:${{ inputs.mvn-version }}-eclipse-temurin-${{ inputs.jdk-version }} permissions: - actions: read contents: write - security-events: write steps: - name: Checkout repository 
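Review bot: `mvn-version` is declared `type: number` with `default: 3.9`, while its description invites callers to pass a patch version such as `3.9.1`, which is not a valid number and is likely to fail `workflow_call` input validation; a number also turns a value like `3.10` into `3.1` before it reaches the `maven:<version>-eclipse-temurin-<jdk>` image tag built in the submission workflow. Declaring it as text, `type: string` and `default: '3.9'`, keeps the version exactly as written. The same input in `java-maven-openjdk-dependency-submission.yml`, which this workflow forwards the value to, is outside this hunk and would need the matching change so the two declarations agree.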
diff --git a/.github/workflows/test-dependency-review.yml b/.github/workflows/test-dependency-review.yml index 5baa0c4..840e052 100644 --- a/.github/workflows/test-dependency-review.yml +++ b/.github/workflows/test-dependency-review.yml @@ -21,3 +21,16 @@ jobs: distributed: ${{ matrix.distributed }} comment-summary-in-pr: ${{ matrix.comment-summary-in-pr }} runs-on: '["ubuntu-latest"]' + + test_v2: + strategy: + matrix: + warn-on-openssf-scorecard-level: [5, 8] + comment-summary-in-pr: [true, false] + fail-fast: false + + uses: ./.github/workflows/dependency-review-v2.yml + with: + warn-on-openssf-scorecard-level: ${{ matrix.warn-on-openssf-scorecard-level }} + comment-summary-in-pr: ${{ matrix.comment-summary-in-pr }} + runs-on: '["ubuntu-latest"]' diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..485dee6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.idea
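Review bot: The `test_v2` matrix sets `comment-summary-in-pr: [true, false]`, but the `dependency-review-v2.yml` input it feeds is declared `type: string` and documented as taking `always` or `on-failure` (the action's third accepted value is `never`); the booleans arrive as the strings `true`/`false`, which match none of those, so this test may never exercise the PR-comment path. Using the documented values, e.g. `comment-summary-in-pr: ['always', 'never']`, tests what callers actually set. The job declares no `permissions`, so whether the `pull-requests: write` the called workflow asks for is granted depends on the file's top-level permissions, which are outside this hunk; `always` needs it. The pre-existing job above reads the same matrix key, and its values are worth checking for the same reason.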