From 9612f6d8e1c10d7877afc3531f3b3c2ef1e5cabc Mon Sep 17 00:00:00 2001 From: "Mark S. Lewis" Date: Mon, 14 Oct 2024 09:39:33 +0100 Subject: [PATCH] Run vulnerability scan on latest release version Previously the scan ran on the current state of the codebase. This fails to identify vulnerabilities in dependencies for the latest release version if those dependencies have already been updated in the development codebase. The gating factor for whether a new release is required should be whether the previous release contains vulnerabilities. This change runs the scheduled vulnerability scan on the latest release tag. It also adds vulnerability scanning to pull request builds. This is purely informational. A scan failure does not fail the pull request build. Signed-off-by: Mark S. Lewis
--- .github/workflows/pull_request.yml | 3 +++ .github/workflows/release.yml | 10 ++------- .github/workflows/scan.yml | 32 ++++++++++++++++++++++++++++ .github/workflows/scheduled-scan.yml | 24 ++++++++++++++------- .github/workflows/test.yml | 16 ++++++-------- 5 files changed, 60 insertions(+), 25 deletions(-) create mode 100644 .github/workflows/scan.yml
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 22777bbd..ff79cf71 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -17,6 +17,9 @@ jobs: test: uses: ./.github/workflows/test.yml + scan: + uses: ./.github/workflows/scan.yml + pull-request: needs: test name: Pull request success
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 605c7706..d64500d8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
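Review bot: The new `scan` job is informational only by omission — it is simply not listed in the `needs: test` of the `pull-request` job — and nothing in the file records that this is deliberate, so the next person who "fixes" `needs` to include `scan` will silently turn the advisory scan into a merge gate. A comment on the job would make the intent explicit: `# Informational only: deliberately not in pull-request's needs, so a failed scan does not fail the PR build.` The called workflow can only narrow this file's top-level `permissions` (outside the hunk); scan.yml narrows them to `contents: read`, which is all a checkout-and-scan job needs. The `jobs:` mapping continues outside the hunk.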
@@ -34,10 +34,7 @@ jobs: with: distribution: 'temurin' java-version: '11' - cache: 'gradle' - - name: Validate Gradle wrapper - uses: gradle/actions/wrapper-validation@v3 - - uses: gradle/actions/setup-gradle@v3 + - uses: gradle/actions/setup-gradle@v4 - name: Push to registry ${{ matrix.publish_target }} run: | set -xev
@@ -69,10 +66,7 @@ jobs: with: distribution: 'temurin' java-version: '11' - cache: 'gradle' - - name: Validate Gradle wrapper - uses: gradle/actions/wrapper-validation@v3 - - uses: gradle/actions/setup-gradle@v3 + - uses: gradle/actions/setup-gradle@v4 - name: Build the dependencies needed for the image run: ./gradlew :fabric-chaincode-docker:copyAllDeps - name: Set up QEMU
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 00000000..bf6aa6a4
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,32 @@
+name: "Scheduled vulnerability scan"
+
+on:
+ workflow_call:
+ inputs:
+ ref:
+ description: Branch, tag or SHA to scan.
+ type: string
+ required: false
+ default: ""
+
+permissions:
+ contents: read
+
+jobs:
+ osv-scanner:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+ - uses: actions/setup-java@v4
+ with:
+ distribution: temurin
+ java-version: 11
+ - uses: gradle/actions/setup-gradle@v4
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: stable
+ - name: Scan
+ run: make scan
diff --git a/.github/workflows/scheduled-scan.yml b/.github/workflows/scheduled-scan.yml
index c303b270..ac8b3ca7 100644
--- a/.github/workflows/scheduled-scan.yml
+++ b/.github/workflows/scheduled-scan.yml
@@ -1,6 +1,9 @@ name: "Scheduled vulnerability scan" on: + pull_request: + branches: + - main schedule: - cron: "20 3 * * *" workflow_dispatch:
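Review bot: Removing the explicit `gradle/actions/wrapper-validation@v3` step leaves nothing in this workflow visibly checking the committed `gradle-wrapper.jar` before `./gradlew` runs in the Push step, and a release job holding registry credentials is exactly where a tampered wrapper would matter. My understanding is that `gradle/actions/setup-gradle@v4` validates wrapper jars by default (its `validate-wrappers` input), which is presumably why the step became redundant, but the diff does not say so; please confirm against the v4 release notes and record it on the new line: `- uses: gradle/actions/setup-gradle@v4  # validates gradle-wrapper.jar by default in v4; explicit wrapper-validation step no longer needed`. If you want the check to survive a future change of that default, add `with: validate-wrappers: true` explicitly. The same removal is repeated in the second release.yml hunk and in test.yml.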
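Review bot: The new reusable workflow is named `"Scheduled vulnerability scan"`, the same string as scheduled-scan.yml, although it is now also invoked from pull request builds; the duplicate name makes the two runs indistinguishable in the Actions list and in PR checks, so rename it, e.g. `name: Vulnerability scan`. Every action in the file is pinned to a floating major tag (`actions/checkout@v4`, `actions/setup-java@v4`, `gradle/actions/setup-gradle@v4`, `actions/setup-go@v5`); for a workflow whose whole purpose is supply-chain hygiene, pinning to full commit SHAs with a version comment (`uses: actions/checkout@<sha>  # vX.Y.Z`) and letting Dependabot bump them is the stronger posture — the rest of the repository's pinning convention is not visible here, so apply whichever convention it uses consistently. The `make scan` target is outside the diff, so the scanner's configuration cannot be reviewed from here.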
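Review bot: Adding a `pull_request` trigger here makes every PR against `main` run the latest-release scan in addition to the PR-ref scan that pull_request.yml's new `scan` job already performs; the release scan's outcome does not depend on the PR's content, so it reports the same result on every PR and, being a separate workflow run, shows up as its own check rather than as part of the informational `scan` job the commit message describes. If the trigger exists only to exercise this workflow change before merge, consider dropping it once merged, or scope it with `paths: [".github/workflows/scheduled-scan.yml", ".github/workflows/scan.yml"]` so it runs only when the scan workflows themselves change.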
@@ -9,13 +12,18 @@ permissions: contents: read jobs: - osv-scanner: + latest-release-version: + name: Get latest release tag runs-on: ubuntu-latest + outputs: + tag_name: ${{ steps.tag-name.outputs.value }} steps: - - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version: stable - - name: Scan - run: make scan + - id: tag-name + run: echo "value=$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output '.tag_name')" >> "${GITHUB_OUTPUT}" + + scan: + name: Scan ${{ needs.latest-release-version.outputs.tag_name }} + needs: latest-release-version + uses: ./.github/workflows/scan.yml + with: + ref: ${{ needs.latest-release-version.outputs.tag_name }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3e057986..7ae6e959 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,7 +7,7 @@ name: Test on: workflow_call: inputs: - checkout-ref: + ref: default: '' required: false type: string
@@ -18,14 +18,12 @@ jobs: steps: - uses: actions/checkout@v4 with: - ref: ${{ inputs.checkout-ref }} + ref: ${{ inputs.ref }} - uses: actions/setup-java@v4 with: distribution: temurin java-version: 11 - - name: Validate Gradle wrapper - uses: gradle/actions/wrapper-validation@v3 - - uses: gradle/actions/setup-gradle@v3 + - uses: gradle/actions/setup-gradle@v4 - name: Build and Unit test run: ./gradlew :fabric-chaincode-shim:build
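Review bot: The `tag-name` step cannot fail: the curl/jq pipeline runs inside `$(...)` as an argument to `echo`, so `--fail` and the shell's pipefail only affect the substitution's exit status, which `echo` discards. On a 404 (no release yet), a 403 from the unauthenticated API rate limit shared by hosted runners, or a missing field (`jq` prints `null`), the step succeeds with `value=` or `value=null`; an empty ref makes scan.yml check out the default branch, silently reverting to the scan-the-development-tree behaviour this commit sets out to fix, while `null` only fails later in the checkout with a confusing error. Authenticate the request with the job token (`contents: read` is already granted at the top of this file) and reject an empty or `null` tag before writing the output, for example:

```yaml
      - id: tag-name
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          tag="$(curl --location --silent --show-error --fail \
            --header "Authorization: Bearer ${GH_TOKEN}" \
            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" \
            | jq --raw-output '.tag_name')"
          if [ -z "${tag}" ] || [ "${tag}" = "null" ]; then
            echo "::error::unable to determine latest release tag for ${GITHUB_REPOSITORY}"
            exit 1
          fi
          echo "value=${tag}" >> "${GITHUB_OUTPUT}"
```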
@@ -34,11 +32,12 @@ jobs: steps: - uses: actions/checkout@v4 with: - ref: ${{ inputs.checkout-ref }} + ref: ${{ inputs.ref }} - uses: actions/setup-java@v4 with: distribution: temurin java-version: 11 + - uses: gradle/actions/setup-gradle@v4 - name: Populate chaincode with latest java-version run: | ./gradlew -I $GITHUB_WORKSPACE/fabric-chaincode-integration-test/chaincodebootstrap.gradle -PchaincodeRepoDir=$GITHUB_WORKSPACE/fabric-chaincode-integration-test/src/contracts/fabric-shim-api/repository publishShimPublicationToFabricRepository
@@ -58,7 +57,6 @@ jobs: run: | peer version weft --version - - uses: gradle/actions/setup-gradle@v3 - name: Integration Tests run: ./gradlew :fabric-chaincode-integration-test:build
@@ -67,11 +65,11 @@ jobs: steps: - uses: actions/checkout@v4 with: - ref: ${{ inputs.checkout-ref }} + ref: ${{ inputs.ref }} - uses: actions/setup-java@v4 with: distribution: temurin java-version: 11 - - uses: gradle/actions/setup-gradle@v3 + - uses: gradle/actions/setup-gradle@v4 - name: Build Docker image run: ./gradlew :fabric-chaincode-docker:buildImage
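Review bot: Moving `gradle/actions/setup-gradle@v4` ahead of the `Populate chaincode` step means the job's first `./gradlew` invocation now runs under setup-gradle, whereas before it ran ahead of the `@v3` setup that the next hunk removes; that ordering is the point of the change but nothing in the file says so, so it is easy to reshuffle away. A one-line comment on the new step would protect it: `# must precede the first ./gradlew call so setup-gradle's wrapper validation and caching cover it`. Whether v4 validates the wrapper by default comes from the action's documentation rather than this diff, so confirm before wording the comment that way. The job's `steps` continue outside the hunk.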