-
Notifications
You must be signed in to change notification settings - Fork 5
133 lines (127 loc) · 5.17 KB
/
veracode.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
---
#
# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
#
name: "Veracode"
on:
schedule:
- cron: '0 2 * * *'
workflow_dispatch:
jobs:
secret-presence:
runs-on: ubuntu-latest
outputs:
ORG_VERACODE_API_ID: ${{ steps.secret-presence.outputs.ORG_VERACODE_API_ID }}
ORG_VERACODE_API_KEY: ${{ steps.secret-presence.outputs.ORG_VERACODE_API_KEY }}
steps:
- name: Check whether secrets exist
id: secret-presence
run: |
[ ! -z "${{ secrets.ORG_VERACODE_API_ID }}" ] && echo "ORG_VERACODE_API_ID=true" >> $GITHUB_OUTPUT
[ ! -z "${{ secrets.ORG_VERACODE_API_KEY }}" ] && echo "ORG_VERACODE_API_KEY=true" >> $GITHUB_OUTPUT
exit 0
verify-formatting:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- uses: ./.github/actions/setup-java
- name: Verify proper formatting
run: ./mvnw spotless:check
###
# Standalone applications have all dependencies in their jar
###
build_standalone:
runs-on: ubuntu-latest
needs: [secret-presence, verify-formatting]
permissions:
contents: read
strategy:
fail-fast: false
matrix:
variant: [{dir: remoting, name: remoting-agent},
{dir: conforming, name: conforming-agent}]
steps:
# Set-Up
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: ./.github/actions/setup-java
# Build
- name: Build ${{ matrix.variant.name }}
run: |-
./mvnw -s settings.xml -pl ${{ matrix.variant.dir }} install
env:
GITHUB_ACTOR: ${{ github.actor }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Tar gzip files for veracode upload
run: |-
tar -czvf ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}-*.jar
- name: Veracode Upload And Scan
uses: veracode/veracode-uploadandscan-action@c3c0b78bddb42d5f6b10d70562f692215a410d7b #v1.0
if: |
needs.secret-presence.outputs.ORG_VERACODE_API_ID && needs.secret-presence.outputs.ORG_VERACODE_API_KEY
continue-on-error: true
with:
appname: knowledge-agents/${{ matrix.variant.name }}
createprofile: true
version: ${{ matrix.variant.name }}-${{ github.sha }}
filepath: ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz
vid: ${{ secrets.ORG_VERACODE_API_ID }}
vkey: ${{ secrets.ORG_VERACODE_API_KEY }}
###
# Embedded applications need dependencies being provided.
# Expecially wrt. Spring 5.3.28 Web there is an open HIGH vulnerability regarding
# org/springframework/remoting/httpinvoker which will not be fixed
# so we manipulate the jar in the docker environment directly and exclude
# the dependency from the scan
###
build_embedded:
runs-on: ubuntu-latest
needs: [secret-presence, verify-formatting]
permissions:
contents: read
strategy:
fail-fast: false
matrix:
variant: [{dir: provisioning, name: provisioning-agent}]
steps:
# Set-Up
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: ./.github/actions/setup-java
# Build
- name: Build ${{ matrix.variant.name }}
run: |-
./mvnw -s settings.xml -pl ${{ matrix.variant.dir }} install
env:
GITHUB_ACTOR: ${{ github.actor }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Tar gzip files for veracode upload
run: |-
tar --exclude='spring-web-5.3.31.jar' -czvf ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz ${{ matrix.variant.dir }}/target/lib/*.jar ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}-*.jar
- name: Veracode Upload And Scan
uses: veracode/veracode-uploadandscan-action@c3c0b78bddb42d5f6b10d70562f692215a410d7b #v1.0
if: |
needs.secret-presence.outputs.ORG_VERACODE_API_ID && needs.secret-presence.outputs.ORG_VERACODE_API_KEY
continue-on-error: true
with:
appname: knowledge-agents/${{ matrix.variant.name }}
createprofile: true
version: ${{ matrix.variant.name }}-${{ github.sha }}
filepath: ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz
vid: ${{ secrets.ORG_VERACODE_API_ID }}
vkey: ${{ secrets.ORG_VERACODE_API_KEY }}