Merge branch 'main' of https://github.com/SolaceLabs/event-management…

…-agent # Conflicts: # service/application/src/main/java/com/solace/maas/ep/event/management/agent/subscriber/SolaceMessageHandler.java # service/plugin/src/main/java/com/solace/maas/ep/event/management/agent/plugin/constants/RouteConstants.java
solace-iot-team · Jul 12, 2023 · 434bab6 · 434bab6
2 parents ec395ad + 4a9e08f
commit 434bab6
Show file tree

Hide file tree

Showing 131 changed files with 2,259 additions and 750 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -18,6 +18,7 @@ jobs:
   Test_Build:
     name: Run Tests and Deploy
     runs-on: ubuntu-latest
+    environment: ${{ github.ref=='refs/heads/main' && 'build_main' || 'build_pr' }}
     timeout-minutes: 20
     permissions:
        contents: read
@@ -47,11 +48,13 @@ jobs:
           if [[ $GITHUB_REF_NAME == "main" ]]; then
             export WHITESOURCE_SCAN=true
             export GITHUB_PACKAGES_DEPLOY=true
+            export DOCKER_PUSH=true
           else
             export WHITESOURCE_SCAN=false
             export GITHUB_PACKAGES_DEPLOY=false
+            export DOCKER_PUSH=false
           fi
-          echo "$WHITESOURCE_SCAN"
+          echo "DOCKER_PUSH=$DOCKER_PUSH" >> $GITHUB_ENV
           echo "WHITESOURCE_SCAN=$WHITESOURCE_SCAN" >> $GITHUB_ENV
           echo "GITHUB_PACKAGES_DEPLOY=$GITHUB_PACKAGES_DEPLOY" >> $GITHUB_ENV
       - name: Static Code Analysis
@@ -99,7 +102,31 @@ jobs:
 
           echo "Whitesource- Running scan"
           java -jar wss-unified-agent.jar -d  ${{ env.TARGET_DIR }}  -logLevel Info
-
+      - name: Configure AWS credentials
+        if: env.DOCKER_PUSH=='true'
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.EMA_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.EMA_AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.EMA_AWS_DEFAULT_REGION }}
+      - name: Login to Amazon ECR
+        if: env.DOCKER_PUSH=='true'
+        id: login-ecr
+        uses: aws-actions/[email protected]
+      - name: Docker Build/Push
+        if: env.DOCKER_PUSH=='true'
+        working-directory: service/application/docker
+        run: |
+          ./buildEventManagementAgentDocker.sh -t main
+          ECR_DOCKER_IMAGE="${{ steps.login-ecr.outputs.registry }}/${{ github.event.repository.name }}:main"
+          docker tag "${{ github.event.repository.name }}:main" $ECR_DOCKER_IMAGE
+          docker push $ECR_DOCKER_IMAGE
+          #Tag/Push additional Docker image
+          SHORT_GIT_SHA=${GITHUB_SHA:0:10}
+          JAR_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout --file ../pom.xml)
+          ADDITIONAL_ECR_DOCKER_IMAGE_TAG="$ECR_DOCKER_IMAGE-$JAR_VERSION-$SHORT_GIT_SHA"
+          docker tag "${{ github.event.repository.name }}:main" $ADDITIONAL_ECR_DOCKER_IMAGE_TAG
+          docker push $ADDITIONAL_ECR_DOCKER_IMAGE_TAG
       - name: Deploy Artifacts
         if: env.GITHUB_PACKAGES_DEPLOY=='true'
         env:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -47,14 +47,35 @@ jobs:
         env:
           WS_APIKEY: ${{ secrets.WHITESOURCE_API_KEY }}
           WS_PROJECTTOKEN: ${{ secrets.WHITESOURCE_PROJECT_TOKEN }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.EMA_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.EMA_AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: ${{ secrets.EMA_AWS_DEFAULT_REGION }}
         run: |
           pip install --quiet --upgrade pip
           export VIRTUAL_ENV=./venv
           python3.8 -m venv $VIRTUAL_ENV && source $VIRTUAL_ENV/bin/activate
           cd ./.github/workflows/release_scripts/  && pip install --quiet -r requirements.txt && python3.8 whitesource_vulnurability_checker.py
+      - name: Pre-Release Check - SonarQube Hotspots
+        env:
+          SONARQUBE_HOTSPOTS_API_URL: ${{ secrets.SONARQUBE_HOTSPOTS_API_URL }}
+          SONARQUBE_QUERY_TOKEN: ${{ secrets.SONARQUBE_QUERY_TOKEN }}
+        run: |
+          export VIRTUAL_ENV=./venv
+          python3.8 -m venv $VIRTUAL_ENV && source $VIRTUAL_ENV/bin/activate
+          cd ./.github/workflows/release_scripts/  && python3.8 sonarqube_vulnurability_checker.py
+      - name: Pre-Release Check - Prisma vulnurabilities
+        env:
+          PRISMA_ROOT_API_URL: ${{ secrets.PRISMA_ROOT_API_URL }}
+          DOCKER_IMAGE_TO_CHECK: ${{ secrets.PRISMA_DOCKER_IMAGE_TO_CHECK }}
+          PRISMA_ACCESS_KEY: ${{ secrets.PRISMA_ACCESS_KEY }}
+          PRISMA_ACCESS_KEY_SECRET: ${{ secrets.PRISMA_ACCESS_KEY_SECRET }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.EMA_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.EMA_AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: ${{ secrets.EMA_AWS_DEFAULT_REGION }}
+        run: |
+          export VIRTUAL_ENV=./venv
+          python3.8 -m venv $VIRTUAL_ENV && source $VIRTUAL_ENV/bin/activate
+          cd ./.github/workflows/release_scripts/  && python3.8 prisma_vulnurability_checker.py
       - name: Prepare Maven Settings
         env:
           MAVEN_REPO_SERVER_USERNAME: "${{ github.actor }}"
@@ -83,3 +104,21 @@ jobs:
           generateReleaseNotes: true
           makeLatest: true
           body: ${{ steps.Changelog.outputs.changelog }}
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.EMA_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.EMA_AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.EMA_AWS_DEFAULT_REGION }}
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/[email protected]
+      - name: ECR Docker Image Release
+        run: |
+          MANIFEST=$(aws ecr batch-get-image --repository-name ${{ github.event.repository.name }} \
+          --image-ids imageTag=main --region ${{ secrets.EMA_AWS_DEFAULT_REGION }} --output json \
+          | jq --raw-output '.images[].imageManifest')
+
+          aws ecr put-image --repository-name ${{ github.event.repository.name }} \
+            --image-tag ${{ github.event.inputs.releaseVersion }} \
+            --image-manifest "$MANIFEST" --region ${{ secrets.EMA_AWS_DEFAULT_REGION }}
diff --git a/.github/workflows/release_scripts/prisma_vulnurability_checker.py b/.github/workflows/release_scripts/prisma_vulnurability_checker.py
@@ -0,0 +1,90 @@
+import requests
+import json
+import os
+import boto3
+import textwrap
+
+PRISMA_ROOT_API_URL = os.getenv("PRISMA_ROOT_API_URL")
+PRISMA_AUTHENTICATE_URL = f"{PRISMA_ROOT_API_URL}/authenticate"
+PRISMA_REGISTRY_SCAN_RESULT_URL = f"{PRISMA_ROOT_API_URL}/registry"
+PRISMA_ACCESS_KEY = os.getenv('PRISMA_ACCESS_KEY')
+PRISMA_ACCESS_KEY_SECRET = os.getenv('PRISMA_ACCESS_KEY_SECRET')
+HTTP_JSON_HEADER = 'application/json'
+# DOCKER_IMAGE_TO_CHECK is the repository name full and the tag that is used to scan it
+DOCKER_IMAGE_TO_CHECK = os.getenv("DOCKER_IMAGE_TO_CHECK")
+PRISMA_BLOCKING_VULNERABILITIES = "critical,high"
+
+
+def get_excluded_packages():
+    dynamodb_client = boto3.resource('dynamodb')
+
+    whitesource_exclusion_table = dynamodb_client.Table('prisma-excluded-packages')
+    whitesource_exclusion_entries = whitesource_exclusion_table.scan()['Items']
+
+    exclusions = set()
+    for exclusion in whitesource_exclusion_entries:
+        exclusions.add(exclusion['packageName'])
+
+    return exclusions
+
+
+def block_print(long_string, each_line_length=75):
+    print("\n\t".join(textwrap.wrap(long_string, each_line_length)))
+
+
+def find_all_high_critical_vulnerabilities_to_resolve(excluded_libraries):
+    # Authenticate
+    authenticate_payload = {
+        'username': PRISMA_ACCESS_KEY,
+        'password': PRISMA_ACCESS_KEY_SECRET
+    }
+    authenticate_headers = {'Accept': HTTP_JSON_HEADER, 'Content-type': HTTP_JSON_HEADER}
+
+    get_token_request = requests.post(
+        PRISMA_AUTHENTICATE_URL,
+        data=json.dumps(authenticate_payload),
+        headers=authenticate_headers
+    )
+    token_response = json.loads(get_token_request.text)
+    scan_result_token = token_response['token']
+
+    # Get scan results
+    scan_result_header = {
+        'accept': HTTP_JSON_HEADER,
+        'content-type': HTTP_JSON_HEADER,
+        'Authorization': f'Bearer {scan_result_token}'
+    }
+    prisma_scan_result_request = requests.get(
+        f'{PRISMA_REGISTRY_SCAN_RESULT_URL}?name={DOCKER_IMAGE_TO_CHECK}',
+        data=json.dumps(authenticate_payload),
+        headers=scan_result_header
+    )
+
+    prisma_project_vulnerabilities = prisma_scan_result_request.json()[0].get('vulnerabilities')
+    vulnerabilities_to_resolve = dict()
+    for vulnerability in prisma_project_vulnerabilities:
+        if vulnerability['severity'] in PRISMA_BLOCKING_VULNERABILITIES:
+            package_full_name = f"{vulnerability['packageName']}-{vulnerability['packageVersion']}"
+            current_vulnerability_description = vulnerability['description']
+            if package_full_name in excluded_libraries:
+                print(f"ⓘ Package {package_full_name} has vulnerabilities but is in exclusion list.")
+            else:
+                if package_full_name not in vulnerabilities_to_resolve:
+                    vulnerabilities_to_resolve[package_full_name] = [current_vulnerability_description]
+                else:
+                    vulnerabilities_to_resolve[package_full_name].append(current_vulnerability_description)
+    return vulnerabilities_to_resolve
+
+
+prisma_exclusion_list = get_excluded_packages()
+prisma_vulnerabilities_to_resolve = find_all_high_critical_vulnerabilities_to_resolve(prisma_exclusion_list)
+if len(prisma_vulnerabilities_to_resolve) != 0:
+    print(f"❌ Following {PRISMA_BLOCKING_VULNERABILITIES} Prisma vulnerabilities should get resolved before release: ")
+    for vulnerability_name in prisma_vulnerabilities_to_resolve:
+        print(f"🔴️ {vulnerability_name}")
+        # print descriptions for this vulnerability
+        for vulnerability_description in prisma_vulnerabilities_to_resolve[vulnerability_name]:
+            block_print(f'\t ➡️ {vulnerability_description}\n')
+    exit(1)
+else:
+    print(f"No {PRISMA_BLOCKING_VULNERABILITIES} Prisma vulnerabilities found! ✅")
diff --git a/.github/workflows/release_scripts/sonarqube_vulnurability_checker.py b/.github/workflows/release_scripts/sonarqube_vulnurability_checker.py
@@ -0,0 +1,45 @@
+import requests
+import os
+import textwrap
+
+SONARQUBE_PROJECT_KEY = "SolaceLabs_event-management-agent"
+SONARQUBE_PROJECT_MAIN_BRANCH = "main"
+SONARQUBE_QUERY_TOKEN = os.getenv("SONARQUBE_QUERY_TOKEN")
+SONARQUBE_HOTSPOTS_API_URL = os.getenv("SONARQUBE_HOTSPOTS_API_URL")
+SONARQUBE_BLOCKING_VULNERABILITIES = "HIGH"
+SONARQUBE_BLOCKING_HOTSPOT_STATUS = 'TO_REVIEW'
+
+
+def block_print(long_string, each_line_length=75):
+    print("\n\t".join(textwrap.wrap(long_string, each_line_length)))
+
+
+def find_all_high_critical_vulnerabilities_to_resolve():
+    sonarqube_hotspot_query_params = {
+        "projectKey": SONARQUBE_PROJECT_KEY,
+        "branch": SONARQUBE_PROJECT_MAIN_BRANCH,
+        "status": SONARQUBE_BLOCKING_HOTSPOT_STATUS
+    }
+
+    hotspots_response = requests.get(
+        SONARQUBE_HOTSPOTS_API_URL,
+        params=sonarqube_hotspot_query_params,
+        auth=(SONARQUBE_QUERY_TOKEN, '')).json()
+
+    print(f"Total hotspots found for service: {SONARQUBE_PROJECT_KEY} is {hotspots_response['paging']['total']}")
+    hotspots_to_resolve = dict()
+    for hotspot in hotspots_response['hotspots']:
+        if hotspot['vulnerabilityProbability'] in SONARQUBE_BLOCKING_VULNERABILITIES:
+            hotspots_to_resolve[f"{hotspot['component']}:{hotspot['line']}"] = hotspot["message"]
+    return hotspots_to_resolve
+
+
+hotspots_to_resolve = find_all_high_critical_vulnerabilities_to_resolve()
+if len(hotspots_to_resolve) != 0:
+    print(f"❌ Following {SONARQUBE_BLOCKING_VULNERABILITIES} SonarQube hotspots should get resolved before release: ")
+    for hotspot in hotspots_to_resolve:
+        block_print(f"🔴️ {hotspot}")
+        block_print(f'\t ➡️ {hotspots_to_resolve[hotspot]}\n')
+    exit(1)
+else:
+    print(f"No non-reviewed {SONARQUBE_BLOCKING_VULNERABILITIES} SonarQube hotspots found! ✅")
diff --git a/service/application/docker/buildEventManagementAgentDocker.sh b/service/application/docker/buildEventManagementAgentDocker.sh
@@ -105,13 +105,14 @@ export BASE_IMAGE=event-management-agent-base:${BASE_IMAGE_TAG}
 export GITHASH=$(git rev-parse HEAD)
 export GITBRANCH=$(git branch --show-current)
 export BUILD_TIMESTAMP=$(date -u)
-cp ../target/event-management-agent-1.0.0-SNAPSHOT.jar .
+export JAR_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout --file ../pom.xml)
+cp ../target/event-management-agent-${JAR_VERSION}.jar .
 
 cd ..
 docker build docker -t event-management-agent:${IMAGE_TAG} --build-arg BASE_IMAGE=${BASE_IMAGE}\
-       --build-arg JAR_FILE=event-management-agent-1.0.0-SNAPSHOT.jar --build-arg GITHASH=${GITHASH}\
+       --build-arg JAR_FILE=event-management-agent-${JAR_VERSION}.jar --build-arg GITHASH=${GITHASH}\
        --build-arg BUILD_TIMESTAMP="${BUILD_TIMESTAMP}" --build-arg GITBRANCH=${GITBRANCH}
 cd ${script_dir}
 
 # cleanup
-rm event-management-agent-1.0.0-SNAPSHOT.jar
+rm event-management-agent-${JAR_VERSION}.jar