[ci]: Configure Sonarqube and Defectdojo in iroha2 CI (#4414)

* [ci]: Configure Sonarqube and Defectdojo in iroha2 CI Signed-off-by: BAStos525 <[email protected]> * [ci]: fix grcov --ignore pattern Co-authored-by: Shunkichi Sato <[email protected]> Signed-off-by: BAStos525 <[email protected]> * [ci]: take back llvm-tools-preview Signed-off-by: BAStos525 <[email protected]> --------- Signed-off-by: BAStos525 <[email protected]> Signed-off-by: BAStos525 <[email protected]> Co-authored-by: Shunkichi Sato <[email protected]>
hyperledger-iroha · Apr 16, 2024 · 62398cc · 62398cc
1 parent 8137d65
commit 62398cc
Show file tree

Hide file tree

Showing 7 changed files with 76 additions and 32 deletions.
diff --git a/.github/workflows/iroha2-dev-pr-static.yml b/.github/workflows/iroha2-dev-pr-static.yml
@@ -43,40 +43,41 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: Swatinem/rust-cache@v2
-
       - name: Format
         run: cargo fmt --all -- --check
       - name: Lints without features
         if: always()
         run: cargo clippy --workspace --benches --tests --examples --no-default-features --quiet
       - name: Lints with all features enabled
         if: always()
-        run: cargo clippy --workspace --benches --tests --examples --all-features --quiet
+        run: cargo clippy --workspace --benches --tests --examples --all-features --quiet --message-format=json &> clippy.json
       - name: Documentation
         if: always()
         run: cargo doc --no-deps --quiet
+      - name: Upload clippy report artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: clippy.json
+          path: clippy.json
+
   python_static_analysis:
     runs-on: ubuntu-latest
     container:
       image: hyperledger/iroha2-ci:nightly-2024-01-12
     steps:
       - uses: actions/checkout@v4
-
       - name: Install dependencies using Poetry
         working-directory: client_cli/pytests
         run: |
           poetry install
-
       - name: Check code formatting with Black
         working-directory: client_cli/pytests
         run: |
           poetry run black --check .
-
       - name: Run mypy (Type Checker)
         working-directory: client_cli/pytests
         run: |
           poetry run mypy --explicit-package-bases .
-
       - name: Run flake8 (Linter)
         working-directory: client_cli/pytests
         run: |

diff --git a/.github/workflows/iroha2-dev-pr.yml b/.github/workflows/iroha2-dev-pr.yml
@@ -40,44 +40,38 @@ jobs:
     container:
       image: hyperledger/iroha2-ci:nightly-2024-01-12
     steps:
-      - uses: actions/checkout@v3
-      # TODO Remove this step #2165
-      # - name: Adjust toolchain
-      #   run: |
-      #     rustup component add llvm-tools-preview
+      - uses: actions/checkout@v4
       - uses: Swatinem/rust-cache@v2
       - name: Run tests, with coverage
-        run: |
-          mold --run cargo llvm-cov clean --workspace
-          mold --run cargo llvm-cov --doc --no-report --all-features --workspace --no-fail-fast --ignore-filename-regex='(^client_cli/|main\.rs)'
-          mold --run cargo llvm-cov --no-report --ignore-filename-regex='(^client_cli/|main\.rs)' --all-features --workspace --no-fail-fast
+        run: mold --run cargo test --all-features --workspace --no-fail-fast
+        env:
+          RUSTFLAGS: "-C instrument-coverage"
+          LLVM_PROFILE_FILE: "iroha-%p-%m.profraw"
       - name: Generate lcov report
-        run: |
-          # generate report without tests
-          # https://github.com/taiki-e/cargo-llvm-cov#merge-coverages-generated-under-different-test-conditions
-          mold --run cargo llvm-cov --doctests --no-run --all-features --workspace --lcov --output-path lcov.info
+        if: always()
+        run: grcov . --binary-path ./target/debug/ -s . -t lcov --branch --ignore-not-existing --ignore "/client_cli" --ignore "**/main.rs" -o lcov.info
       - name: Upload coverage to coveralls.io
+        if: always()
         uses: coverallsapp/github-action@v2
         with:
           file: lcov.info
           compare-ref: ${{ github.base_ref }}
           compare-sha: ${{ github.event.pull_request.base.sha}}
           github-token: ${{ secrets.GITHUB_TOKEN }}
-      # (Temporally) Add the parallel coverage upload to Codecov to compare the results with Coveralls
-      # - name: Upload coverage to codecov.io
-      #   uses: codecov/[email protected]
-      #   with:
-      #     files: lcov.info
-      #     commit_parent: ${{ github.event.pull_request.base.sha }}
-      #     fail_ci_if_error: false
+      - name: Upload lcov report artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: lcov.info
+          path: lcov.info
 
   integration:
     runs-on: [self-hosted, Linux, iroha2]
     container:
       image: hyperledger/iroha2-ci:nightly-2024-01-12
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: Swatinem/rust-cache@v2
       - name: Run tests, with no-default-features
         run: |

diff --git a/.github/workflows/iroha2-dev.yml b/.github/workflows/iroha2-dev.yml
@@ -150,3 +150,51 @@ jobs:
         with:
           name: telemetry
           path: target/telemetry
+
+  sonarqube-defectdojo:
+    runs-on: ubuntu-latest
+    container:
+      image: hyperledger/iroha2-ci:nightly-2024-01-12
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download clippy report artifact
+        uses: dawidd6/[email protected]
+        with:
+          workflow: iroha2-dev-pr-static.yml
+          name: clippy.json
+          search_artifacts: true
+      - name: Download lcov report artifact
+        uses: dawidd6/[email protected]
+        with:
+          workflow: iroha2-dev-pr.yml
+          name: lcov.info
+          search_artifacts: true
+      - name: SonarQube
+        uses: sonarsource/sonarqube-scan-action@master
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        with:
+          args: >
+            -Dcommunity.rust.clippy.reportPaths=clippy.json
+            -Dcommunity.rust.lcov.reportPaths=lcov.info
+      - name: DefectDojo
+        id: defectdojo
+        uses: C4tWithShell/[email protected]
+        with:
+          token: ${{ secrets.DEFECTOJO_TOKEN }}
+          defectdojo_url: ${{ secrets.DEFECTOJO_URL }}
+          product_type: iroha2
+          engagement: ${{ github.ref_name }}
+          tools: "SonarQube API Import,Github Vulnerability Scan"
+          sonar_projectKey: hyperledger:iroha
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_repository: ${{ github.repository }}
+          product: ${{ github.repository }}
+          environment: Test
+          reports: '{"Github Vulnerability Scan": "github.json"}'
+      - name: Show Defectdojo response
+        if: always()
+        run: |
+          set -e
+          printf '%s\n' '${{ steps.defectdojo.outputs.response }}'
diff --git a/.github/workflows/iroha2-no-incorrect-image.yml b/.github/workflows/iroha2-no-incorrect-image.yml
@@ -14,7 +14,7 @@ jobs:
         uses: actions/setup-python@v1
         with:
           python-version: "3.11"
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install dependencies
         run: pip install -r .github/scripts/ci_test/requirements.txt --no-input
       - name: Check containers on iroha2 stable branch

diff --git a/Dockerfile.build b/Dockerfile.build
@@ -9,7 +9,7 @@ ENV RUSTUP_HOME=/usr/local/rustup \
 
 ENV PATH=$POETRY_HOME/bin:$PATH
 
-RUN pacman -Syu rustup mold musl rust-musl openssl libgit2 \
+RUN pacman -Syu rustup mold musl rust-musl openssl libgit2 jq \
     git docker docker-buildx docker-compose \
     python python-pip --noconfirm --disable-download-timeout && \
     curl -sSL https://install.python-poetry.org | python3 -
@@ -24,7 +24,7 @@ RUN rustup component add llvm-tools-preview clippy
 RUN rustup component add rust-src
 RUN rustup component add rustfmt
 RUN rustup target add wasm32-unknown-unknown
-RUN cargo install cargo-llvm-cov
+RUN cargo install grcov
 
 # TODO: Figure out a way to pull in libgit2, which doesn't crash if this useless variable is gone.
 RUN git config --global --add safe.directory .
diff --git a/Dockerfile.build.glibc b/Dockerfile.build.glibc
@@ -9,7 +9,7 @@ ENV RUSTUP_HOME=/usr/local/rustup \
 
 ENV PATH=$POETRY_HOME/bin:$PATH
 
-RUN pacman -Syu rustup mold openssl libgit2 git docker \
+RUN pacman -Syu rustup mold openssl libgit2 git docker jq \
     docker-buildx docker-compose glibc lib32-glibc \
     python python-pip --noconfirm --disable-download-timeout && \
     curl -sSL https://install.python-poetry.org | python3 -
@@ -24,7 +24,7 @@ RUN rustup component add llvm-tools-preview clippy
 RUN rustup component add rust-src
 RUN rustup component add rustfmt
 RUN rustup target add wasm32-unknown-unknown
-RUN cargo install cargo-llvm-cov
+RUN cargo install grcov
 
 # TODO: Figure out a way to pull in libgit2, which doesn't crash if this useless variable is gone.
 RUN git config --global --add safe.directory .
diff --git a/sonar-project.properties b/sonar-project.properties
@@ -0,0 +1 @@
+sonar.projectKey=hyperledger:iroha