Skip to content

Veracode

Veracode #207

Workflow file for this run

---
#
# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
#
name: "Veracode"
on:
schedule:
- cron: '0 2 * * *'
workflow_dispatch:
jobs:
secret-presence:
runs-on: ubuntu-latest
outputs:
ORG_VERACODE_API_ID: ${{ steps.secret-presence.outputs.ORG_VERACODE_API_ID }}
ORG_VERACODE_API_KEY: ${{ steps.secret-presence.outputs.ORG_VERACODE_API_KEY }}
steps:
- name: Check whether secrets exist
id: secret-presence
run: |
[ ! -z "${{ secrets.ORG_VERACODE_API_ID }}" ] && echo "ORG_VERACODE_API_ID=true" >> $GITHUB_OUTPUT
[ ! -z "${{ secrets.ORG_VERACODE_API_KEY }}" ] && echo "ORG_VERACODE_API_KEY=true" >> $GITHUB_OUTPUT
exit 0
verify-formatting:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- uses: ./.github/actions/setup-java
- name: Verify proper formatting
run: ./mvnw spotless:check
###
# Standalone applications have all dependencies in their jar
###
build_standalone:
runs-on: ubuntu-latest
needs: [secret-presence, verify-formatting]
permissions:
contents: read
strategy:
fail-fast: false
matrix:
variant: [{dir: remoting, name: remoting-agent},
{dir: conforming, name: conforming-agent}]
steps:
# Set-Up
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: ./.github/actions/setup-java
# Build
- name: Build ${{ matrix.variant.name }}
run: |-
./mvnw -s settings.xml -pl ${{ matrix.variant.dir }} install
env:
GITHUB_ACTOR: ${{ github.actor }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Tar gzip files for veracode upload
run: |-
tar -czvf ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}-*.jar
- name: Veracode Upload And Scan
uses: veracode/veracode-uploadandscan-action@c3c0b78bddb42d5f6b10d70562f692215a410d7b #v1.0
if: |
needs.secret-presence.outputs.ORG_VERACODE_API_ID && needs.secret-presence.outputs.ORG_VERACODE_API_KEY
continue-on-error: true
with:
appname: knowledge-agents/${{ matrix.variant.name }}
createprofile: true
version: ${{ matrix.variant.name }}-${{ github.sha }}
filepath: ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz
vid: ${{ secrets.ORG_VERACODE_API_ID }}
vkey: ${{ secrets.ORG_VERACODE_API_KEY }}
###
# Embedded applications need dependencies being provided.
# Expecially wrt. Spring 5.3.28 Web there is an open HIGH vulnerability regarding
# org/springframework/remoting/httpinvoker which will not be fixed
# so we manipulate the jar in the docker environment directly and exclude
# the dependency from the scan
###
build_embedded:
runs-on: ubuntu-latest
needs: [secret-presence, verify-formatting]
permissions:
contents: read
strategy:
fail-fast: false
matrix:
variant: [{dir: provisioning, name: provisioning-agent}]
steps:
# Set-Up
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: ./.github/actions/setup-java
# Build
- name: Build ${{ matrix.variant.name }}
run: |-
./mvnw -s settings.xml -pl ${{ matrix.variant.dir }} install
env:
GITHUB_ACTOR: ${{ github.actor }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Tar gzip files for veracode upload
run: |-
tar --exclude='spring-web-5.3.31.jar' -czvf ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz ${{ matrix.variant.dir }}/target/lib/*.jar ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}-*.jar
- name: Veracode Upload And Scan
uses: veracode/veracode-uploadandscan-action@c3c0b78bddb42d5f6b10d70562f692215a410d7b #v1.0
if: |
needs.secret-presence.outputs.ORG_VERACODE_API_ID && needs.secret-presence.outputs.ORG_VERACODE_API_KEY
continue-on-error: true
with:
appname: knowledge-agents/${{ matrix.variant.name }}
createprofile: true
version: ${{ matrix.variant.name }}-${{ github.sha }}
filepath: ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz
vid: ${{ secrets.ORG_VERACODE_API_ID }}
vkey: ${{ secrets.ORG_VERACODE_API_KEY }}