From 844f6e4cfd06257d1287e033d210110ce24d3c69 Mon Sep 17 00:00:00 2001 From: Antoine SEIN <142824551+asein-sinch@users.noreply.github.com> Date: Tue, 16 Apr 2024 17:05:11 +0200 Subject: [PATCH] DEVEXP-183: Run yarn audit during CI build + Add sonarcloud job (#65) --- .github/scripts/validate-audit-report.sh | 20 +++++++ .github/workflows/run-audit.yaml | 30 ++++++++++ .github/workflows/run_tests.yaml | 13 +++++ examples/webhooks/package.json | 6 +- sonar-project.properties | 2 + yarn.lock | 74 ++++++++---------------- 6 files changed, 91 insertions(+), 54 deletions(-) create mode 100755 .github/scripts/validate-audit-report.sh create mode 100644 .github/workflows/run-audit.yaml create mode 100644 sonar-project.properties diff --git a/.github/scripts/validate-audit-report.sh b/.github/scripts/validate-audit-report.sh new file mode 100755 index 00000000..27ebfbac --- /dev/null +++ b/.github/scripts/validate-audit-report.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +# Although generated as JSON, the audit file put all vulnerabilities at the top level +# The following lines will put all the vulnerabilities in a array +echo '{"vulnerabilities": [' > audit-report.json +awk 'NR > 1 {print ","} {print}' audit-report.txt >> audit-report.json +echo ']}' >> audit-report.json + +# Filter JSON array to remove lerna's transitive dependencies as these dependencies are not used at runtime +jq '.vulnerabilities |= map(select(.data.resolution.path | type == "string" and startswith("lerna") | not))' audit-report.json > audit-report-filtered.json + +# Fail the build if filtered JSON array contains audit advisories +if [ "$(jq '.vulnerabilities[] | select(.type == "auditAdvisory") | .type' audit-report-filtered.json | wc -l)" -gt 0 ]; then + echo "Audit advisories found. Printing details:" + jq '.vulnerabilities[] | select(.type == "auditAdvisory")' audit-report-filtered.json + echo "Failing the build." + exit 1 +else + echo "No audit advisories found." +fi diff --git a/.github/workflows/run-audit.yaml b/.github/workflows/run-audit.yaml new file mode 100644 index 00000000..56e80c34 --- /dev/null +++ b/.github/workflows/run-audit.yaml @@ -0,0 +1,30 @@ +name: Security Audit + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + audit: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Install jq + run: sudo apt-get update && sudo apt-get install jq + + - name: Run security audit + run: | + yarn install --frozen-lockfile + yarn audit --json > audit-report.txt + continue-on-error: true + + - name: Validate audit report + # Manual check to decide on which condition to fail the build + run: .github/scripts/validate-audit-report.sh diff --git a/.github/workflows/run_tests.yaml b/.github/workflows/run_tests.yaml index c8acf581..c7be30da 100644 --- a/.github/workflows/run_tests.yaml +++ b/.github/workflows/run_tests.yaml @@ -24,3 +24,16 @@ jobs: - run: npx eslint "packages/**/tests/**/*.ts" - run: yarn run build - run: yarn run test + + sonarcloud: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + # Disabling shallow clone is recommended for improving relevancy of reporting + fetch-depth: 0 + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.PAT_CI }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/examples/webhooks/package.json b/examples/webhooks/package.json index 2dfdafd0..da99390d 100644 --- a/examples/webhooks/package.json +++ b/examples/webhooks/package.json @@ -12,9 +12,9 @@ "start:prod": "node dist/main" }, "dependencies": { - "@nestjs/common": "^10.3.0", - "@nestjs/core": "^10.3.0", - "@nestjs/platform-express": "^10.3.0", + "@nestjs/common": "^10.3.7", + "@nestjs/core": "^10.3.7", + "@nestjs/platform-express": "^10.3.7", "@sinch/sdk-core": "^0.0.5", "dotenv": "^16.3.1", "raw-body": "^2.5.2", diff --git a/sonar-project.properties b/sonar-project.properties new file mode 100644 index 00000000..84a8561c --- /dev/null +++ b/sonar-project.properties @@ -0,0 +1,2 @@ +sonar.projectKey=sinch-developer-experience_sinch-sdk-node-js +sonar.organization=sinch-developer-experience diff --git a/yarn.lock b/yarn.lock index 59d4f424..c3649952 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1504,19 +1504,19 @@ webpack "5.89.0" webpack-node-externals "3.0.0" -"@nestjs/common@^10.3.0": - version "10.3.0" - resolved "https://registry.npmjs.org/@nestjs/common/-/common-10.3.0.tgz" - integrity sha512-DGv34UHsZBxCM3H5QGE2XE/+oLJzz5+714JQjBhjD9VccFlQs3LRxo/epso4l7nJIiNlZkPyIUC8WzfU/5RTsQ== +"@nestjs/common@^10.3.7": + version "10.3.7" + resolved "https://registry.yarnpkg.com/@nestjs/common/-/common-10.3.7.tgz#38ab5ff92277cf1f26f4749c264524e76962cfff" + integrity sha512-gKFtFzcJznrwsRYjtNZoPAvSOPYdNgxbTYoAyLTpoy393cIKgLmJTHu6ReH8/qIB9AaZLdGaFLkx98W/tFWFUw== dependencies: uid "2.0.2" iterare "1.2.1" tslib "2.6.2" -"@nestjs/core@^10.3.0": - version "10.3.0" - resolved "https://registry.npmjs.org/@nestjs/core/-/core-10.3.0.tgz" - integrity sha512-N06P5ncknW/Pm8bj964WvLIZn2gNhHliCBoAO1LeBvNImYkecqKcrmLbY49Fa1rmMfEM3MuBHeDys3edeuYAOA== +"@nestjs/core@^10.3.7": + version "10.3.7" + resolved "https://registry.yarnpkg.com/@nestjs/core/-/core-10.3.7.tgz#736906ec27bc39b91519506babc231c8ab56ea21" + integrity sha512-hsdlnfiQ3kgqHL5k7js3CU0PV7hBJVi+LfFMgCkoagRxNMf67z0GFGeOV2jk5d65ssB19qdYsDa1MGVuEaoUpg== dependencies: uid "2.0.2" "@nuxtjs/opencollective" "0.3.2" @@ -1525,14 +1525,14 @@ path-to-regexp "3.2.0" tslib "2.6.2" -"@nestjs/platform-express@^10.3.0": - version "10.3.0" - resolved "https://registry.npmjs.org/@nestjs/platform-express/-/platform-express-10.3.0.tgz" - integrity sha512-E4hUW48bYv8OHbP9XQg6deefmXb0pDSSuE38SdhA0mJ37zGY7C5EqqBUdlQk4ttfD+OdnbIgJ1zOokT6dd2d7A== +"@nestjs/platform-express@^10.3.7": + version "10.3.7" + resolved "https://registry.yarnpkg.com/@nestjs/platform-express/-/platform-express-10.3.7.tgz#ae3fc59609bdc0ffc5029a6e74d59a5d1e257eef" + integrity sha512-noNJ+PyIxQJLCKfuXz0tcQtlVAynfLIuKy62g70lEZ86UrIqSrZFqvWs/rFUgkbT6J8H7Rmv11hASOnX+7M2rA== dependencies: body-parser "1.20.2" cors "2.8.5" - express "4.18.2" + express "4.19.2" multer "1.4.4-lts.1" tslib "2.6.2" @@ -2940,24 +2940,6 @@ bl@^4.0.3, bl@^4.1.0: inherits "^2.0.4" readable-stream "^3.4.0" -body-parser@1.20.1: - version "1.20.1" - resolved "https://registry.npmjs.org/body-parser/-/body-parser-1.20.1.tgz" - integrity sha512-jWi7abTbYwajOytWCQc37VulmWiRae5RyTpaCyDcS5/lMdtwSz5lOpDE67srw/HYe35f1z3fDQw+3txg7gNtWw== - dependencies: - bytes "3.1.2" - content-type "~1.0.4" - debug "2.6.9" - depd "2.0.0" - destroy "1.2.0" - http-errors "2.0.0" - iconv-lite "0.4.24" - on-finished "2.4.1" - qs "6.11.0" - raw-body "2.5.1" - type-is "~1.6.18" - unpipe "1.0.0" - body-parser@1.20.2: version "1.20.2" resolved "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz" @@ -3517,10 +3499,10 @@ cookie-signature@1.0.6: resolved "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz" integrity sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ== -cookie@0.5.0: - version "0.5.0" - resolved "https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz" - integrity sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw== +cookie@0.6.0: + version "0.6.0" + resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.6.0.tgz#2798b04b071b0ecbff0dbb62a505a8efa4e19051" + integrity sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw== core-js-compat@^3.31.0, core-js-compat@^3.33.1: version "3.34.0" @@ -4176,17 +4158,17 @@ exponential-backoff@^3.1.1: resolved "https://registry.npmjs.org/exponential-backoff/-/exponential-backoff-3.1.1.tgz" integrity sha512-dX7e/LHVJ6W3DE1MHWi9S1EYzDESENfLrYohG2G++ovZrYOkm4Knwa0mc1cn84xJOR4KEU0WSchhLbd0UklbHw== -express@4.18.2: - version "4.18.2" - resolved "https://registry.npmjs.org/express/-/express-4.18.2.tgz" - integrity sha512-5/PsL6iGPdfQ/lKM1UuielYgv3BUoJfz1aUwU9vHZ+J7gyvwdQXFEBIEIaxeGf0GIcreATNyBExtalisDbuMqQ== +express@4.19.2: + version "4.19.2" + resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465" + integrity sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q== dependencies: accepts "~1.3.8" array-flatten "1.1.1" - body-parser "1.20.1" + body-parser "1.20.2" content-disposition "0.5.4" content-type "~1.0.4" - cookie "0.5.0" + cookie "0.6.0" cookie-signature "1.0.6" debug "2.6.9" depd "2.0.0" @@ -7127,16 +7109,6 @@ range-parser@~1.2.1: resolved "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz" integrity sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg== -raw-body@2.5.1: - version "2.5.1" - resolved "https://registry.npmjs.org/raw-body/-/raw-body-2.5.1.tgz" - integrity sha512-qqJBtEyVgS0ZmPGdCFPWJ3FreoqvG4MVQln/kCgF7Olq95IbOp0/BWyMwbdtn4VTvkM8Y7khCQ2Xgk/tcrCXig== - dependencies: - bytes "3.1.2" - http-errors "2.0.0" - iconv-lite "0.4.24" - unpipe "1.0.0" - raw-body@2.5.2, raw-body@^2.5.2: version "2.5.2" resolved "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz"