diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..3e4a382
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "gradle" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/dependent-workflow.yml b/.github/workflows/dependent-workflow.yml
new file mode 100644
index 0000000..a2d3fdd
--- /dev/null
+++ b/.github/workflows/dependent-workflow.yml
@@ -0,0 +1,18 @@
+name: Download and submit dependency graph
+
+on:
+ workflow_run:
+ workflows: ['Generate and save dependency graph']
+ types: [completed]
+
+permissions:
+ contents: write
+
+jobs:
+ submit-dependency-graph:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Download and submit dependency graph
+ uses: gradle/actions/dependency-submission@v3
+ with:
+ dependency-graph: download-and-submit # Download saved dependency-graph and submit
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000..f8f773e
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
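Review bot: The `updates` list covers only the `gradle` ecosystem, while this same commit adds workflows that pin third-party actions (by major tag in main.yml, by commit SHA in docker-publish.yml) and a Dockerfile based on `openjdk:17`; none of those pins will be kept current by Dependabot. Adding `github-actions` and `docker` entries puts the action SHAs and the base image on the same weekly cadence as the Gradle dependencies. Be aware that Dependabot will also propose re-upgrading anything this commit deliberately downgrades (guava moves from 33.0.0-jre to 32.0.0-jre in build.gradle) unless an `ignore` rule is added for it.
```yaml
updates:
  # … unchanged: gradle entry …
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
```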
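Review bot: The `workflow_run` trigger waits for a workflow named 'Generate and save dependency graph', but no workflow in this commit carries that name — main.yml is named 'Run Gradle Build' and its dependency-submission job calls `gradle/actions/dependency-submission@v3` in its default mode, which submits the graph itself — so unless that workflow exists outside this diff, this job never runs. The `download-and-submit` mode also presumes the producing workflow ran with `dependency-graph: generate-and-upload`; that split is the documented way to submit graphs for pull requests from forks, where the producer has no write permission and this consumer runs with `contents: write` on the base repository. Either point `workflows:` at the producing workflow and switch that job to `dependency-graph: generate-and-upload`, or drop this file so the two submission paths do not diverge.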
@@ -0,0 +1,100 @@ +name: Docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: + # schedule: + # - cron: '27 0 * * *' + push: + branches: [ "docker-pieline" ] + # # Publish semver tags as releases. + # tags: [ 'v*.*.*' ] + # pull_request: + # branches: [ "main" ] + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' + + # Set up BuildKit Docker container builder to be able to build + # multi-platform images and export cache + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: 
meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index daf80f7..02314ae 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
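Review bot: The push trigger filters on `branches: [ "docker-pieline" ]`, which reads like a misspelling of `docker-pipeline`; unless a branch with that exact name exists, the image is only ever built through `workflow_dispatch`. Every third-party step in this job is pinned to a full commit SHA with the version in a trailing comment, except `actions/checkout@v4`, which stays on a mutable tag — pinning it the same way keeps the job's supply-chain posture consistent and lets a `github-actions` Dependabot entry refresh all pins together. The `id-token: write` grant is only needed by the final cosign step; if the signing step is ever removed, that permission should go with it.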
@@ -1,46 +1,52 @@ -name: CI - -# Controls when the workflow will run +name: Run Gradle Build on: - # Triggers the workflow on push or pull request events but only for the "main" branch push: branches: [ "main" ] pull_request: branches: [ "main" ] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -env: - SECURE_LOG_LEVEL: ${{ secrets.LOG_LEVEL_DEBUG }} - CS_REGISTRY_USER: ${{ secrets.SDIP_GITLAB_DEPLOY_USERNAME }} - CS_REGISTRY_PASSWORD: ${{ secrets.SDIP_GITLAB_DEPLOY_TOKEN }} - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: - # This workflow contains a single job called "build" build: - # The type of runner that the job will run on runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v4 - - - name: Container Scanning + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: 'true' + token: ${{ secrets.PAT_TOKEN }} + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + - name: Setup Gradle + uses: gradle/actions/setup-gradle@v3 + - name: Build with Gradle run: | - export SDIP_IMAGE_TAG=$GITHUB_SHA - export CS_IMAGE=$GITHUB_REPOSITORY:${SDIP_IMAGE_TAG} - gtcs scan - env: - LOG_LEVEL_DEBUG: ${{ secrets.LOG_LEVEL_DEBUG }} - SDIP_GITLAB_DEPLOY_USERNAME: ${{ secrets.SDIP_GITLAB_DEPLOY_USERNAME }} - SDIP_GITLAB_DEPLOY_TOKEN: ${{ secrets.SDIP_GITLAB_DEPLOY_TOKEN }} - SDIP_RUNNER_TAG: ${{ secrets.SDIP_RUNNER_TAG }} + chmod +x ./gradlew + ./gradlew build - - name: Upload Container Scanning Report - uses: actions/upload-artifact@v2 - with: - name: container_scanning_report - path: gl-container-scanning-report.json + dependency-submission: + runs-on: ubuntu-latest + needs: build + steps: + - name: Checkout sources + uses: actions/checkout@v4 + with: + 
submodules: 'true' + token: ${{ secrets.PAT_TOKEN }} + - name: Setup Java + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: 17 + - name: Generate and submit dependency graph + uses: gradle/actions/dependency-submission@v3 + + submit-and-review: + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + needs: build + steps: + - name: 'Dependency Review' + if: github.event_name == 'pull_request' + uses: actions/dependency-review-action@v3 diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml new file mode 100644 index 0000000..ed2e2d1 --- /dev/null +++ b/.github/workflows/review.yml @@ -0,0 +1,17 @@ +name: dependency-review + +on: + pull_request: + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Dependency Review' + uses: actions/dependency-review-action@v3 + with: + retry-on-snapshot-warnings: true + retry-on-snapshot-warnings-timeout: 600 diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..322a237 --- /dev/null +++ b/Dockerfile 
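Review bot: Both checkout steps pass `token: ${{ secrets.PAT_TOKEN }}` without `persist-credentials: false`, so the personal access token is written into `.git/config` and stays readable by every later step, including `./gradlew build`, which executes arbitrary build scripts and plugins from the checked-out tree; a PAT typically carries far broader scope than the job-scoped `GITHUB_TOKEN`. Add `persist-credentials: false` to both `with:` blocks (the submodule fetch during checkout still uses the token) and restrict the PAT to read-only access on the submodule repositories. The workflow also declares no top-level `permissions:`; `gradle/actions/dependency-submission@v3` needs `contents: write` to submit the graph, and on pull requests from forks neither that permission nor `secrets.PAT_TOKEN` is available, so the `dependency-submission` job will likely fail there unless it is gated to `push` events. Minor: `java-version` is quoted (`'17'`) in one job and bare (`17`) in the other, and the `submit-and-review` job duplicates the new review.yml workflow, so dependency review runs twice per PR.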
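Review bot: This workflow duplicates the `submit-and-review` job added to main.yml in the same commit; both run `actions/dependency-review-action@v3` on every pull request, so each PR gets two review checks with different settings (only this one sets `retry-on-snapshot-warnings`). Keep one — this file is the better home because it declares `permissions: contents: read` explicitly — and remove the other. `retry-on-snapshot-warnings-timeout: 600` only pays off if a dependency-submission job runs on the same PR event; if that job is gated to pushes, the action keeps polling for up to 600 seconds before it stops.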
@@ -0,0 +1,43 @@
+
+FROM openjdk:17
+
+
+ARG configurationUrl
+ARG serviceId
+ARG build_version_tag
+ARG build_environment_tag
+ARG build_service_url
+
+ARG stardogBaseUrl
+ARG resultDb
+ARG ofgDb
+ARG threadPoolSize
+ARG sdosClientSecret
+ARG stardogClientScope
+ARG zureTenantId
+
+ENV service_url=$build_service_url
+ENV configurationUrlVar=$configurationUrl
+ENV serviceIdVar=$serviceId
+ENV version_tag=$build_version_tag
+ENV environment_tag=$build_environment_tag
+
+ENV stardog_url=$stardogBaseUrl
+ENV resultDbNameVar=$resultDb
+ENV ofgDbName=$ofgDb
+ENV threadPool_Size=$threadPoolSize
+ENV sdosClientSecret=$sdosClientSecret
+ENV stardogClientScope=$stardogClientScope
+ENV azureTenantId=$azureTenantId
+
+
+
+RUN cd /opt && mkdir apps
+
+COPY ./build/libs/sdos.jar /opt/apps/sdos.jar
+
+CMD java -Dlog4j2.formatMsgNoLookups=true -DjvmArgs="-Xms10g -Xmx12g -Xss6g" -jar /opt/apps/sdos.jar -b $stardog_url \
+ -r $resultDbNameVar -ofg $ofgDbName -id $serviceIdVar -tpSize $threadPool_Size \
+ -clientSecret $sdosClientSecret -clientScope $stardogClientScope -tenantId $azureTenantId;
+
+EXPOSE 8080
diff --git a/build.gradle b/build.gradle
index fb41f13..6eb1555 100644
--- a/build.gradle
+++ b/build.gradle
@@ -3,6 +3,7 @@ plugins {
 id 'io.spring.dependency-management' version '1.0.11.RELEASE'
 id 'java'
 id 'org.barfuin.gradle.jacocolog' version '3.1.0'
+ id 'org.owasp.dependencycheck' version '6.0.2'
 }
 group = 'com.scania.sdos'
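Review bot: `ENV azureTenantId=$azureTenantId` references a build argument that is never declared — the ARG is spelled `zureTenantId` — so the tenant id is always empty in the image and the `-tenantId $azureTenantId` flag in CMD receives no value; the fix is `ARG azureTenantId`. More importantly, `ARG sdosClientSecret` / `ENV sdosClientSecret=$sdosClientSecret` bakes a client secret into the image: build args are recorded in the layer history and ENV values are visible through `docker inspect` to anyone who can pull the image, so the secret should be supplied at run time (`-e`, an env file or a mounted secret) and the ARG/ENV pair removed. The image also runs as root with no `USER` instruction, and the `openjdk` Docker Hub image is deprecated upstream, so an actively maintained JDK 17 base such as `eclipse-temurin:17` (matching the `temurin` distribution the CI workflow installs) would be a safer choice.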
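Review bot: `org.owasp.dependencycheck` version 6.0.2 is several years old; to my knowledge the NVD retired the JSON data feeds that pre-9.x dependency-check releases download, so this version can no longer refresh its vulnerability database and will either fail or report against stale data — bump to a current release. Nothing in this commit invokes the plugin either: the CI job runs `./gradlew build` only, so until `dependencyCheckAnalyze` is wired into the build (and a threshold such as `dependencyCheck { failBuildOnCVSS = 7 }` is configured) the plugin adds no check. The `plugins { }` block starts outside the hunk.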
@@ -40,13 +41,11 @@ ext['log4j2.version'] = '2.22.1'
 dependencies {
 implementation 'org.springframework.boot:spring-boot-starter-actuator'
- implementation("org.springframework.boot:spring-boot-starter-web") {
- exclude group: 'org.springframework', module: 'spring-web'
- }
+ implementation 'org.springframework.boot:spring-boot-starter-web'
 implementation 'org.springframework.boot:spring-boot-starter-web-services'
 implementation 'org.springframework.boot:spring-boot-starter-log4j2'
 runtimeOnly group: 'org.apache.logging.log4j', name: 'log4j-layout-template-json', version: '2.22.1'
- implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.4.0'
+ implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.4.0'
 implementation 'io.swagger.core.v3:swagger-annotations-jakarta:2.2.20'
 implementation 'org.springframework:spring-web:6.1.5'
@@ -55,7 +54,7 @@ dependencies {
 implementation 'com.lmax:disruptor:3.4.1'
 implementation 'org.apache.httpcomponents:httpclient:4.5.13'
 implementation group: 'com.predic8', name: 'soa-model-core', version: '2.0.1'
- implementation 'org.restlet.jee:org.restlet.ext.json:2.4-M1'
+ implementation 'org.restlet.jee:org.restlet.ext.json:2.3.12'
 implementation group: 'com.google.code.gson', name: 'gson', version: '2.8.9'
 implementation 'org.apache.groovy:groovy-xml:4.0.5'
 implementation 'org.apache.groovy:groovy-json:4.0.5'
@@ -70,7 +69,7 @@ dependencies {
 implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.14.0'
 implementation group: 'org.apache.shiro', name: 'shiro-core', version: '2.0.0'
 implementation group: 'org.json', name: 'json', version: '20240303'
- implementation group: 'com.google.guava', name: 'guava', version: '33.0.0-jre'
+ implementation group: 'com.google.guava', name: 'guava', version: '32.0.0-jre'
 testImplementation 'org.junit.jupiter:junit-jupiter:5.6.0'
 testImplementation 'org.junit.jupiter:junit-jupiter-params:5.6.0'
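Review bot: Removing the `exclude ... module: 'spring-web'` from the starter while keeping the explicit `implementation 'org.springframework:spring-web:6.1.5'` a few lines below means spring-web is now declared twice; Gradle resolves the conflict to the highest version, so the explicit line only takes effect when 6.1.5 is newer than what `spring-boot-starter-web` brings and is silently superseded otherwise. If the pin is intentional (it reads like a CVE-driven override), express it as `ext['spring-framework.version'] = '6.1.5'` next to the existing `ext['log4j2.version']` line, or in a `constraints { }` block, with a comment naming the reason; if not, drop the explicit line. The `dependencies { }` block continues outside the hunk.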
diff --git a/src/main/java/com/scania/sdos/orchestration/Rdf4jClient.java b/src/main/java/com/scania/sdos/orchestration/Rdf4jClient.java
index c0dd476..2ad38c1 100644
--- a/src/main/java/com/scania/sdos/orchestration/Rdf4jClient.java
+++ b/src/main/java/com/scania/sdos/orchestration/Rdf4jClient.java
@@ -67,6 +67,18 @@ public class Rdf4jClient {
 private static String STARDOG_PASS = "password";
+ private static String aws_session_token = "gfhvbdfdter547uthgy";
+
+ private static String aws_temporary_access_key_id = "12345";
+
+ private static String azure_function_key = "azure_function_key";
+
+ private static String baiducloud_api_accesskey = "baiducloud_api_accesskey";
+
+ private static String cratesio_api_token = "cratesio_api_token";
+
+
+
 public Rdf4jClient() {
 //default constructor
 }
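Review bot: The five new `private static String` fields hold credential-shaped literals (`aws_session_token = "gfhvbdfdter547uthgy"`, `aws_temporary_access_key_id = "12345"`, …) next to the existing `STARDOG_PASS = "password"`; nothing in the hunk reads them, so they add no functionality but will trip secret scanners and, if ever wired up, hard-code credentials into the shipped jar. If they are meant to exercise secret scanning or the dependency-review pipeline added in this commit, they belong in a test fixture under `src/test` with a comment stating they are dummy values; otherwise remove them and inject credentials from configuration at run time. Style: the fields are mutable (`static` without `final`) and named in `snake_case`, unlike the `UPPER_SNAKE` constant beside them. The class body continues outside the hunk.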