diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..9eea8b2
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "gradle" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/dependent-workflow.yml b/.github/workflows/dependent-workflow.yml
new file mode 100644
index 0000000..a2d3fdd
--- /dev/null
+++ b/.github/workflows/dependent-workflow.yml
@@ -0,0 +1,18 @@
+name: Download and submit dependency graph
+
+on:
+ workflow_run:
+ workflows: ['Generate and save dependency graph']
+ types: [completed]
+
+permissions:
+ contents: write
+
+jobs:
+ submit-dependency-graph:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Download and submit dependency graph
+ uses: gradle/actions/dependency-submission@v3
+ with:
+ dependency-graph: download-and-submit # Download saved dependency-graph and submit
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 0000000..491af4f
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
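Review bot: The only ecosystem configured here is `gradle`, so the Actions references added in the same commit (several on mutable refs such as `actions/upload-artifact@master` and `aquasecurity/trivy-action@master` in main.yml and trivy-upload.yml) will never receive Dependabot update PRs. Add a second entry, `- package-ecosystem: "github-actions"` with `directory: "/"` and a schedule, so the workflow pins are kept current once they are moved to release tags or SHAs. The inline `# See documentation for possible values` comment is template text and can go.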
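Review bot: The `workflow_run` trigger names a workflow called 'Generate and save dependency graph', but no workflow in this commit carries that name (main.yml is `name: "CodeQL"`, trivy-upload.yml is `name: Docker`), so `submit-dependency-graph` never fires and the graphs those workflows save with `dependency-graph: generate-and-upload` are never submitted. Point `workflows:` at the real producer, e.g. `workflows: ['CodeQL']`, or rename the producer to match. Since `workflow_run` jobs execute with repository-level privileges regardless of where the triggering run came from, `contents: write` should remain the only grant, and an `if: github.event.workflow_run.conclusion == 'success'` on the job avoids submitting a graph saved by a failed build.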
@@ -0,0 +1,38 @@
+name: Gitleaks Scan
+on: [push, pull_request]
+
+jobs:
+ gitleaks:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Install Gitleaks
+ run: |
+ curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.18.4/gitleaks_8.18.4_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks
+
+ - name: Run Gitleaks
+ run: |
+ gitleaks detect --redact -v --exit-code=2 --report-format=sarif --report-path=results.sarif --log-level=debug
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_ENABLE_COMMENTS: 'true'
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+
+ - name: Upload SARIF report
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: gitleaks-results.sarif
+ path: results.sarif
+
+ - name: Output Gitleaks results to console
+ if: always()
+ run: |
+ echo "### 🛑 Gitleaks Detected Secrets 🛑" >> $GITHUB_STEP_SUMMARY
+ echo "| *Rule ID* | *Commit* | *Secret URL* | *Start Line* | *Author* | *Date* | *Email* | *File* |" >> $GITHUB_STEP_SUMMARY
+ echo "| --- | --- | --- | --- | --- | --- | --- | --- |" >> $GITHUB_STEP_SUMMARY
+ jq -r '.runs[0].results[] | "| \(.ruleId) | \(.partialFingerprints.commitSha[:7]) | \(.locations[0].physicalLocation.artifactLocation.uri) | \(.locations[0].physicalLocation.region.startLine) | \(.partialFingerprints.author) | \(.partialFingerprints.date) | \(.partialFingerprints.email | split("+")[1]) | \(.locations[0].physicalLocation.artifactLocation.uri)"' results.sarif >> $GITHUB_STEP_SUMMARY
+ cat $GITHUB_STEP_SUMMARY
+ continue-on-error: true
\ No newline at end of file
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index fb8e223..6f612cf 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
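Review bot: `actions/checkout@v4` is used with its default shallow clone, so `gitleaks detect` in the Run Gitleaks step only sees the single checked-out commit rather than the history being pushed; add `fetch-depth: 0` under `with:` on the checkout step. The Install step pipes an unverified download straight into `/usr/local/bin`: compare the archive against the checksums file published alongside the gitleaks release before extracting, or use the maintained `gitleaks/gitleaks-action`, which also makes `GITHUB_TOKEN` and `GITLEAKS_ENABLE_COMMENTS` meaningful — the bare CLI ignores both. No `permissions:` block is declared, so the job inherits the repository's default token scope although nothing here needs more than `contents: read`. In the summary step the "Detected Secrets" header is written even when the SARIF has no results, and the Email column uses `split("+")[1]`, which yields null for any address without a `+`.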
@@ -1,33 +1,74 @@ -name: Docker - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" on: - # schedule: - # - cron: '27 0 * * *' push: - branches: [ "docker-pipeline" ] - # # Publish semver tags as releases. - # tags: [ 'v*.*.*' ] + branches: [ "docker-pipeline", "test" ] pull_request: - branches: [ "docker-pipeline" ] - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: + branches: [ "docker-pipeline", "test" ] env: - # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io - # github.repository as / IMAGE_NAME: ${{ github.repository }} TG: docker-pipeline - jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + permissions: + # required for all workflows + security-events: write + packages: read + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: java-kotlin + build-mode: none # This mode only analyzes Java. + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" + + ################################################################## build: - runs-on: ubuntu-latest permissions: contents: write 
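Review bot: The `if: matrix.build-mode == 'manual'` step (ending in `exit 1`) can never execute because the only matrix entry is `build-mode: none`, so it is dead starter-template text inside a live workflow; remove it, or reduce the matrix comment to what actually applies. The `name: "CodeQL"` value is also the string trivy-upload.yml's `workflow_run` trigger matches on, so renaming this workflow silently disconnects that pipeline — a comment such as `# name is referenced by trivy-upload.yml (workflow_run); keep in sync` documents the coupling. The header comment block still describes the CodeQL template rather than this file, which now also holds the build and docker-build jobs; the `build` job definition continues past this hunk.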
@@ -44,82 +85,10 @@ jobs: uses: actions/checkout@v4 with: submodules: 'true' - token: ${{ secrets.PAT_TOKEN }} + # token: ${{ secrets.PAT_TOKEN }} - name: validating gradlle uses: gradle/actions/wrapper-validation@v3 - - # - name: 'Dependency Review' - # uses: actions/dependency-review-action@v4 - # # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. - # with: - # comment-summary-in-pr: always - # fail-on-severity: moderate - # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later - # retry-on-snapshot-warnings: true - - name: 'Dependency Review' - if: github.event_name == 'workflow_dispatch' - uses: actions/dependency-review-action@v4 - with: - base-ref: 'docker-pipeline' - - # - uses: github/codeql-action/init@v3 - # with: - # languages: java - - # - name: Autobuild - # uses: github/codeql-action/autobuild@v3 - - # - name: Perform CodeQL Analysis - # uses: github/codeql-action/analyze@v3 - - # - name: Run Trivy scanner - # uses: aquasecurity/trivy-action@master - # with: - # scan-type: 'fs' - # github-pat: ${{ secrets.GITHUB_TOKEN }} - # ignore-unfixed: true - # format: 'sarif' - # output: 'trivy-results.sarif' - # severity: 'CRITICAL' - # # hide-progress: true - # # output: trivy.txt - - # - name: Publish Trivy Output to Summary - # run: | - # if [[ -s trivy.txt ]]; then - # { - # echo "### Security Output" - # echo "
Click to expand" - # echo "" - # echo '```terraform' - # cat trivy.txt - # echo '```' - # echo "
" - # } >> $GITHUB_STEP_SUMMARY - # fi - -########################################################################## - # - name: Run Trivy vulnerability scanner in repo mode - # uses: aquasecurity/trivy-action@master - # with: - # scan-type: 'fs' - # format: 'sarif' - # output: 'trivy-results.sarif' - # severity: 'CRITICAL,LOW,MEDIUM,HIGH' - # vuln-type: 'os,library' - # scanners: 'vuln,secret' - - - # - name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: 'trivy-results.sarif' - - ############################################## - - # - name: Run Codacy Analysis CLI - # uses: codacy/codacy-analysis-cli-action@master - name: Set up JDK 17 uses: actions/setup-java@v4 
@@ -127,31 +96,19 @@ jobs: java-version: '17' distribution: 'temurin' - # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. - # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - - name: Setup Gradle - uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + - name: Run chmod to make gradlew executable + run: chmod +x ./gradlew + + - name: Set up Gradle Build Action + uses: gradle/gradle-build-action@v3 with: - gradle-version: '8.5' - dependency-graph: generate-and-submit - - - name: Build with Gradle Wrapper - run: | - chmod +x ./gradlew + dependency-graph: generate-and-upload + cache-disabled: true + - run: | ./gradlew build - - # NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html). - # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. - # - # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - # with: - # gradle-version: '8.5' - # - # - name: Build with Gradle 8.5 - # run: gradle build - - + ./gradlew generateLicenseReport + ./gradlew checkLicense + - uses: actions/upload-artifact@master with: name: jar-file 
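Review bot: The Gradle setup moves from `gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0`, pinned to a full commit, to `gradle/gradle-build-action@v3`, a floating major tag, which is a pinning regression; as far as I know that action's README now points to gradle/actions/setup-gradle as its successor, so keeping the SHA-pinned action and simply changing its input to `dependency-graph: generate-and-upload` is the smaller change. `./gradlew checkLicense` is invoked without a `-PallowedLicenseFile` property, so with the build.gradle change in this commit the allow-list resolves to `null`; confirm the plugin treats that as a failure and not as "allow everything". `actions/upload-artifact@master` is likewise an unpinned ref, and `cache-disabled: true` throws away the dependency cache on every run with no stated reason.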
@@ -160,30 +117,7 @@ jobs: - uses: actions/download-artifact@master with: name: jar-file - - - # dependency-submission: - - # runs-on: ubuntu-latest - # permissions: - # contents: write - - # steps: - # - uses: actions/checkout@v4 - # - name: Set up JDK 17 - # uses: actions/setup-java@v4 - # with: - # java-version: '17' - # distribution: 'temurin' - - # # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. - # # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - # - name: Generate and submit dependency graph - # uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 - # with: - # # Use a particular Gradle version instead of the configured wrapper. - # gradle-version: 8.5 - + docker-build: needs: build runs-on: ubuntu-latest @@ -195,6 +129,19 @@ jobs: steps: - uses: actions/checkout@v4 + + # - name: 'Dependency Review' + # uses: actions/dependency-review-action@v4.3.2 + + # - name: Depcheck + # uses: dependency-check/Dependency-Check_Action@1.1.0 + # id: Depcheck + # with: + # project: 'test' + # path: '.' + # format: 'HTML' + + - name: Set up JDK 17 uses: actions/setup-java@v4 with: @@ -244,8 +191,8 @@ jobs: id: build-and-push uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 with: + load: true context: . - build-args: --load push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} 
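Review bot: `load: true` is now combined with `push: ${{ github.event_name != 'pull_request' }}`, so on push events the docker-exporter and the registry push are requested from one `docker/build-push-action` call; some buildx releases reject `--load` together with `--push`, so confirm the pinned v5.0.0 action on the runner accepts both, or make it `load: ${{ github.event_name == 'pull_request' }}` since the local image is only needed when nothing is pushed. The removed `build-args: --load` was indeed a misuse (build-args take `KEY=value` pairs), so that part of the change is right. The step's `id: build-and-push` begins before this hunk, and the commented Dependency Review / Depcheck block added in the preceding hunk is dead text that would be better left out than committed.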
@@ -254,49 +201,13 @@ jobs: - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + uses: aquasecurity/trivy-action@0.21.0 with: - image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' - github-pat: ${{ secrets.PAT_TOKEN }} - docker-host: //var/run/docker.sock + image-ref: '${{ steps.meta.outputs.tags }}' + format: 'sarif' + # output: 'trivy-results.sarif' + severity: 'CRITICAL' + exit-code: '1' + ignore-unfixed: true vuln-type: 'os,library' - scanners: 'vuln,secret' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results.sarif' - - # - name: Scan image in a private registry - # uses: aquasecurity/trivy-action@master - # with: - # image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}" - # scan-type: 'image' - # format: 'sarif' - # output: 'trivy-results-image.sarif' - # github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT - # severity: "MEDIUM,HIGH,CRITICAL" - # scanners: "vuln" - - - - # # Sign the resulting Docker image digest except on PRs. - # # This will only write to the public Rekor transparency log when the Docker - # # repository is public to avoid leaking data. If you would like to publish - # # transparency data even for private images, pass --force to cosign below. 
- # # https://github.com/sigstore/cosign
- # - name: Sign the published Docker image
- # if: ${{ github.event_name != 'pull_request' }}
- # env:
- # # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
- # TAGS: ${{ steps.meta.outputs.tags }}
- # DIGEST: ${{ steps.build-and-push.outputs.digest }}
- # # This step uses the identity token to provision an ephemeral certificate
- # # against the sigstore community Fulcio instance.
- # run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
-
-
+ continue-on-error: true
diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
new file mode 100644
index 0000000..99e8a2a
--- /dev/null
+++ b/.github/workflows/review.yml
@@ -0,0 +1,22 @@
+name: dependency-review
+
+on:
+ pull_request:
+ #branches: [ "docker-pipeline" ]
+ branches: [ "chk" ]
+ # Allows you to run this workflow manually from the Actions tab
+ # workflow_run:
+ # workflows: ['name: Download and submit dependency graph']
+ # types: [completed]
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v3
+ with:
+ retry-on-snapshot-warnings: true
+ retry-on-snapshot-warnings-timeout: 600
diff --git a/.github/workflows/trivy-upload.yml b/.github/workflows/trivy-upload.yml
new file mode 100644
index 0000000..be6a2e3
--- /dev/null
+++ b/.github/workflows/trivy-upload.yml
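Review bot: `exit-code: '1'` on the Trivy step is cancelled out by `continue-on-error: true` on the same step, so a CRITICAL finding never fails the job and the scan is purely informational; drop `continue-on-error` if the scan is meant to gate, or keep it only on a separate non-blocking report step. The SARIF the step produces is consumed by nothing: `output:` is commented out and the `upload-sarif` step that fed the Security tab is deleted, so `format: 'sarif'` should either be paired again with `output: 'trivy-results.sarif'` plus an upload step, or become `format: 'table'`. `image-ref: '${{ steps.meta.outputs.tags }}'` passes the metadata action's entire tag list, which is newline-separated whenever more than one tag is generated; scan one explicitly chosen tag (the removed line used `:${{env.TG}}`) and make sure the metadata step emits it. The action reference also drops from a full SHA to the floating tag `@0.21.0`; keep the SHA with the version in a trailing comment, as the build-push step does.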
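Review bot: `branches: [ "chk" ]` limits this workflow to pull requests whose base branch is `chk`, which is not one of the branches the other workflows in this commit build (`docker-pipeline`, `test`), so dependency review now effectively runs nowhere after the equivalent step was removed from main.yml; list the real target branches or drop the filter. The action is referenced as `actions/dependency-review-action@v3` while the commented copies elsewhere in the commit use `@v4`; settle on one and pin it. The commented `workflow_run` block carries a stray `name: ` prefix inside the workflow string and is better deleted than kept as guidance.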
@@ -0,0 +1,341 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+ workflow_run:
+ workflows: ['CodeQL']
+ types: [completed]
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as /
+ IMAGE_NAME: ${{ github.repository }}
+ TG: docker-pipeline
+
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ packages: write
+ security-events: write
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ submodules: 'true'
+ token: ${{ secrets.PAT_TOKEN }}
+
+ - name: validating gradlle
+ uses: gradle/actions/wrapper-validation@v3
+
+ # - name: 'Dependency Review'
+ # uses: actions/dependency-review-action@v4
+ # # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
+ # with:
+ # comment-summary-in-pr: always
+ # fail-on-severity: moderate
+ # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later
+ # retry-on-snapshot-warnings: true
+ # - name: 'Dependency Review'
+ # # if: github.event_name == 'workflow_dispatch'
+ # uses: actions/dependency-review-action@v4
+ # with:
+ # base-ref: 'docker-pipeline'
+
+ # - uses: github/codeql-action/init@v3
+ # with:
+ # languages: java
+
+ # - name: Autobuild
+ # uses: github/codeql-action/autobuild@v3
+
+ # - name: Perform CodeQL Analysis
+ # uses: github/codeql-action/analyze@v3
+
+ # - name: Run Trivy scanner
+ # uses: aquasecurity/trivy-action@master
+ # with:
+ # scan-type: 'fs'
+ # github-pat: ${{ secrets.GITHUB_TOKEN }}
+ # ignore-unfixed: true
+ # format: 'sarif'
+ # output: 'trivy-results.sarif'
+ # severity: 'CRITICAL'
+ # # hide-progress: true
+ # # output: trivy.txt
+
+ # - name: Publish Trivy Output to Summary
+ # run: |
+ # if [[ -s trivy.txt ]]; then
+ # {
+ # echo "### Security Output"
+ # echo "
Click to expand"
+ # echo ""
+ # echo '```terraform'
+ # cat trivy.txt
+ # echo '```'
+ # echo "
" + # } >> $GITHUB_STEP_SUMMARY + # fi + +########################################################################## + # - name: Run Trivy vulnerability scanner in repo mode + # uses: aquasecurity/trivy-action@master + # with: + # scan-type: 'fs' + # format: 'sarif' + # output: 'trivy-results.sarif' + # severity: 'CRITICAL,LOW,MEDIUM,HIGH' + # vuln-type: 'os,library' + # scanners: 'vuln,secret' + + + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: 'trivy-results.sarif' + + ############################################## + + # - name: Run Codacy Analysis CLI + # uses: codacy/codacy-analysis-cli-action@master + + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + + - name: Run chmod to make gradlew executable + run: chmod +x ./gradlew + + # - name: check + # run: | + # ./gradlew dependencyCheckAnalyze --debug + + # - name: upload check + # uses: actions/upload-artifact@v2 + # with: + # name: dependency-check-report + # path: ${{ github.workspace }}/build/reports/dependency-check-report.html + + - name: Set up Gradle Build Action + uses: gradle/gradle-build-action@v3 + with: + dependency-graph: generate-and-upload + cache-disabled: true + - run: ./gradlew build + + # # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. + # # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md + # - name: Setup Gradle + # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 + # with: + # gradle-version: '8.5' + # # dependency-graph: generate-and-submit + # # cache-disabled: true + + # - name: Build with Gradle Wrapper + # run: ./gradlew build + + # NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html). 
+ # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version.
+ #
+ # - name: Setup Gradle
+ # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+ # with:
+ # gradle-version: '8.5'
+ #
+ # - name: Build with Gradle 8.5
+ # run: gradle build
+
+
+ - uses: actions/upload-artifact@master
+ with:
+ name: jar-file
+ path: build/libs
+
+ - uses: actions/download-artifact@master
+ with:
+ name: jar-file
+
+
+ # dependency-submission:
+ # needs: build
+ # runs-on: ubuntu-latest
+ # permissions:
+ # contents: read
+
+ # steps:
+ # - uses: actions/checkout@v4
+ # - name: Set up JDK 17
+ # uses: actions/setup-java@v4
+ # with:
+ # java-version: '17'
+ # distribution: 'temurin'
+
+ # # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies.
+ # # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md
+ # - name: Generate and submit dependency graph
+ # uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5
+ # with:
+ # # Use a particular Gradle version instead of the configured wrapper.
+ # gradle-version: 8.5
+ # dependency-graph: generate-and-upload
+
+ # - name: Perform dependency review
+ # if: github.event_name == 'pull_request'
+ # uses: actions/dependency-review-action@v3
+
+ docker-build:
+ needs: build
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ packages: write
+ security-events: write
+ actions: read
+ steps:
+
+ - uses: actions/checkout@v4
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+
+ - uses: actions/download-artifact@master
+ with:
+ name: jar-file
+ path: build/libs
+
+ # # Install the cosign tool except on PR
+ # # https://github.com/sigstore/cosign-installer
+ # - name: Install cosign
+ # if: github.event_name != 'pull_request'
+ # uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
+ # with:
+ # cosign-release: 'v2.1.1'
+
+ # # Set up BuildKit Docker container builder to be able to build
+ # # multi-platform images and export cache
+ # # https://github.com/docker/setup-buildx-action
+ # - name: Set up Docker Buildx
+ # uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ # Login against a Docker registry except on PR
+ # https://github.com/docker/login-action
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # # Extract metadata (tags, labels) for Docker
+ # # https://github.com/docker/metadata-action
+ # - name: Extract Docker metadata
+ # id: meta
+ # uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+ # with:
+ # images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ # # Build and push Docker image with Buildx (don't push on PR)
+ # # https://github.com/docker/build-push-action
+ # - name: Build and push Docker image
+ # id: 
build-and-push
+ # uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ # with:
+ # build-args: --load
+ # context: .
+ # push: ${{ github.event_name != 'pull_request' }}
+ # tags: ${{ steps.meta.outputs.tags }}
+ # labels: ${{ steps.meta.outputs.labels }}
+ # cache-from: type=gha
+ # cache-to: type=gha,mode=max
+ - name: build and push docker image
+ run: |
+ ls -ltr && docker ps
+ docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}} .
+
+ - name: trivy manual image scan
+ run: |
+ wget https://github.com/aquasecurity/trivy/releases/download/v0.26.0/trivy_0.26.0_Linux-64bit.deb
+ sudo dpkg -i trivy_0.26.0_Linux-64bit.deb
+ trivy image --format sarif --output trivy_license_image.sarif ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}
+
+ - name: Upload Trivy image license results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy_license_image.sarif'
+
+ - name: trivy manual local code scan
+ run: |
+ trivy rootfs /home/runner/work/sdos/sdos
+
+ # - name: Upload Trivy code results to GitHub Security tab
+ # uses: github/codeql-action/upload-sarif@v2
+ # with:
+ # sarif_file: 'trivy_code.sarif'
+
+
+ # - name: Run Trivy vulnerability scanner
+ # uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+ # with:
+ # image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}'
+ # format: 'sarif'
+ # # template: '@/contrib/sarif.tpl'
+ # output: 'trivy-results.sarif'
+ # severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+ # github-pat: ${{ secrets.PAT_TOKEN }}
+ # # docker-host: //var/run/docker.sock
+ # vuln-type: 'os,library'
+ # # scanners: 'vuln,secret'
+
+ # - name: Upload Trivy scan results to GitHub Security tab
+ # uses: github/codeql-action/upload-sarif@v2
+ # with:
+ # sarif_file: 'trivy-results.sarif'
+
+ # - name: Scan image in a private registry
+ # uses: aquasecurity/trivy-action@master
+ # with:
+ # image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME 
}}:${{env.TG}}"
+ # scan-type: 'image'
+ # format: 'sarif'
+ # output: 'trivy-results-image.sarif'
+ # github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
+ # severity: "MEDIUM,HIGH,CRITICAL"
+ # scanners: "vuln"
+
+
+ # # # Sign the resulting Docker image digest except on PRs.
+ # # # This will only write to the public Rekor transparency log when the Docker
+ # # # repository is public to avoid leaking data. If you would like to publish
+ # # # transparency data even for private images, pass --force to cosign below.
+ # # # https://github.com/sigstore/cosign
+ # # - name: Sign the published Docker image
+ # # if: ${{ github.event_name != 'pull_request' }}
+ # # env:
+ # # # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ # # TAGS: ${{ steps.meta.outputs.tags }}
+ # # DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ # # # This step uses the identity token to provision an ephemeral certificate
+ # # # against the sigstore community Fulcio instance.
+ # # run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/build.gradle b/build.gradle
index fb41f13..9cf3607 100644
--- a/build.gradle
+++ b/build.gradle
@@ -3,9 +3,10 @@ plugins {
 id 'io.spring.dependency-management' version '1.0.11.RELEASE'
 id 'java'
 id 'org.barfuin.gradle.jacocolog' version '3.1.0'
+ id 'com.github.jk1.dependency-license-report' version '2.8'
 }
-group = 'com.scania.sdos'
+group = 'com.scania.sdip'
 version = '0.0.1-SNAPSHOT'
 apply plugin: 'maven-publish'
 java {
@@ -37,6 +38,9 @@ repositories {
 ext['log4j2.version'] = '2.22.1'
+checkLicense {
+ allowedLicenseFile = project.hasProperty('allowedLicenseFile') ? allowedLicenseFile : null
+}
 dependencies {
 implementation 'org.springframework.boot:spring-boot-starter-actuator'
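Review bot: The `build` job is triggered by `workflow_run` of CodeQL with no `if: github.event.workflow_run.conclusion == 'success'` guard, so a failed or cancelled analysis still starts a full build, registry login and image scan; add that condition to both jobs. The job requests `contents: write`, `packages: write`, `security-events: write` and `id-token: write` and checks out with `token: ${{ secrets.PAT_TOKEN }}`, yet every step that would use the extra scopes (cosign signing, metadata, build-push) is commented out and the active `docker build` never pushes, so the login step is unused too — trim the permissions to what the live steps need and drop the PAT, which main.yml removes in this same commit. In docker-build, `trivy rootfs /home/runner/work/sdos/sdos` hard-codes the runner's workspace path; use `${{ github.workspace }}`, and note its output is only printed, not uploaded. Trivy is installed from a `wget` of the 0.26.0 .deb with no checksum check, and as far as I recall that release predates native `--format sarif` (the removed main.yml step still used `@/contrib/sarif.tpl`), so confirm the `trivy image` step really emits SARIF; the file name `trivy_license_image.sarif` is also misleading since no license scanner is requested.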
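Review bot: `group` changes from `com.scania.sdos` to `com.scania.sdip` while the sources in this commit still live under package `com.scania.sdos` (see the Rdf4jClient.java path) and `maven-publish` is applied, so the published artifact coordinates change with no matching package or `version` change; confirm this is intended and note it for consumers resolving the old group. The license-report plugin is added at `'2.8'` without a comment; a line such as `// generateLicenseReport / checkLicense are run by the CI build job` would tell the next reader why it is here.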
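Review bot: `allowedLicenseFile = project.hasProperty('allowedLicenseFile') ? allowedLicenseFile : null` leaves the allow-list unset whenever the property is not supplied, and the `./gradlew checkLicense` call added to main.yml passes no `-PallowedLicenseFile`, so the task either fails on every CI run or checks against nothing; decide which and make the default explicit (a checked-in allow-list file is the usual choice). Also verify the property name against the plugin: its documented setting is, to my knowledge, `allowedLicensesFile` (plural) on the `licenseReport` extension, so a singular task-level property may be rejected by the Groovy DSL or silently ignored. The `dependencies {` block continues past this hunk.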
@@ -119,7 +123,7 @@ test {
 }
 tasks.withType(JavaExec).configureEach {
- jvmArgs = ['-Xms4g', '-Xmx6g', '-Xss1g']
+ jvmArgs = ['-Xms4g', '-Xmx6g', '-Xss2g']
 }
 tasks.withType(Jar) { duplicatesStrategy = DuplicatesStrategy.EXCLUDE }
diff --git a/src/main/java/com/scania/sdos/orchestration/Rdf4jClient.java b/src/main/java/com/scania/sdos/orchestration/Rdf4jClient.java
index c0dd476..0f8d156 100644
--- a/src/main/java/com/scania/sdos/orchestration/Rdf4jClient.java
+++ b/src/main/java/com/scania/sdos/orchestration/Rdf4jClient.java
@@ -67,6 +67,18 @@ public class Rdf4jClient {
 private static String STARDOG_PASS = "password";
+ private static String password = "gfhvbdfdter547uthgy";
+
+ private static String aws_temporary_access_key_id = "12345";
+
+ private static String azure_function_key = "azure_function_key";
+
+ private static String baiducloud_api_accesskey = "baiducloud_api_accesskey";
+
+ private static String cratesio_api_token = "cratesio_api_token";
+
+
 public Rdf4jClient() {
 //default constructor
 }
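Review bot: The five new `private static String` fields (`password = "gfhvbdfdter547uthgy"`, `aws_temporary_access_key_id`, `azure_function_key`, `baiducloud_api_accesskey`, `cratesio_api_token`) are unused credential-shaped literals in production source; they look like planted samples for the Gitleaks workflow added in this commit, but once merged they sit in history permanently, the `--exit-code=2` in gitleaks.yml will fail that scan on every run, and every later reviewer or scanner has to treat them as possibly real. Keep scanner fixtures out of application classes — a dedicated test resource excluded via a `.gitleaksignore` entry, or the tool's own test corpus — and remove these fields. The pre-existing `STARDOG_PASS = "password"` context line shows the same pattern already present; the class body continues past this hunk.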