From a8d05da77f08a075704e5ad8f91c07b5a038ffb0 Mon Sep 17 00:00:00 2001
From: Marcin Strankowski <74721865+mstrankowski@users.noreply.github.com>
Date: Wed, 31 Jul 2024 14:24:05 +0200
Subject: [PATCH] ACSA-252: Switch SCA scan from maven to srcclr (#691)
---
 .github/actions/veracode/action.yml | 31 ++++++++++++++++++------
 .github/actions/veracode/source_clear.sh | 11 +++++----
 docs/README.md | 11 ++++++++-
 version.txt | 2 +-
 4 files changed, 40 insertions(+), 15 deletions(-)
diff --git a/.github/actions/veracode/action.yml b/.github/actions/veracode/action.yml
index 54217a50b..cfbc60352 100644
--- a/.github/actions/veracode/action.yml
+++ b/.github/actions/veracode/action.yml
@@ -4,20 +4,35 @@ inputs:
 srcclr-api-token:
 description: "Agent API Token"
 required: true
- srcclr-install-default-options:
- description: Default options for Source Clear scan
- required: false
- default: '-DskipTests -Dmaven.javadoc.skip=true'
- srcclr-install-options:
- description: Additional options for Source Clear scan
+ srcclr-project-ext:
+ description: "Direct scan results to Veracode project named: /"
 required: false
 runs:
 using: "composite"
 steps:
+ - name: "Install srcclr CLI tool"
+ shell: bash
+ run: |
+ # Install srcclr CLI tool (Veracode) as per https://docs.veracode.com/r/t_sc_cli_agent
+ curl -sSL 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xdf7dd7a50b746dd4' | sudo gpg --dearmor -o /usr/share/keyrings/veracode-sca-archive.gpg
+ echo 'deb [signed-by=/usr/share/keyrings/veracode-sca-archive.gpg] https://download.sourceclear.com/ubuntu stable/' | sudo tee /etc/apt/sources.list.d/veracode-sca.list
+ sudo apt-get update
+ sudo apt-get install srcclr
+ - name: "Set target project URI, with extension if provided"
+ shell: bash
+ run: |
+ SRCCLR_SCM_URI="${{ github.server_url }}/${{ github.repository }}"
+
+ if [ -n "${{ inputs.srcclr-project-ext }}" ]; then
+ SRCCLR_SCM_URI="$SRCCLR_SCM_URI/${{ inputs.srcclr-project-ext }}"
+ fi
+
+ echo "SRCCLR_SCM_URI=$SRCCLR_SCM_URI" >> $GITHUB_ENV
 - name: "Run scanning"
 run: ${{ github.action_path }}/source_clear.sh
 shell: bash
 env:
 SRCCLR_API_TOKEN: ${{ inputs.srcclr-api-token }}
- SRCCLR_INSTALL_DEFAULT_OPTIONS: ${{ inputs.srcclr-install-default-options }}
- SRCCLR_INSTALL_OPTIONS: ${{ inputs.srcclr-install-options }}
+ SRCCLR_SCM_REF: ${{ github.event_name == 'pull_request' && github.ref || github.ref_name }}
+ SRCCLR_SCM_REF_TYPE: ${{ github.event_name == 'pull_request' && 'tag' || 'branch' }}
+ SRCCLR_SCM_REV: ${{ github.sha }}
diff --git a/.github/actions/veracode/source_clear.sh b/.github/actions/veracode/source_clear.sh
index 2b4da13ef..674ab08ee 100755
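Review bot: The new "Set target project URI" step splices `${{ inputs.srcclr-project-ext }}` straight into the `run:` script, so whatever the calling workflow passes (possibly derived from a PR title or branch name) is interpolated into bash before it executes; the usual remedy is to pass the input through `env:` and reference it as a quoted shell variable, as below. In the install step, `sudo apt-get install srcclr` has no `-y`, which on a non-interactive runner is likely to abort at the confirmation prompt whenever the package pulls in dependencies, and `curl -sSL` without `-f` lets an HTTP error body flow into `gpg --dearmor`; `curl -fsSL` and `sudo apt-get install -y srcclr` make both failures explicit. Reporting pull-request refs with `SRCCLR_SCM_REF_TYPE` of `'tag'` deserves a comment on that line, since `github.ref` on a pull_request event is a `refs/pull/N/merge` ref rather than a tag. Also quote the redirect target as `"$GITHUB_ENV"`.
```yaml
      - name: "Set target project URI, with extension if provided"
        shell: bash
        env:
          SRCCLR_PROJECT_EXT: ${{ inputs.srcclr-project-ext }}
        run: |
          # … unchanged: SRCCLR_SCM_URI="${{ github.server_url }}/${{ github.repository }}" …
          if [ -n "$SRCCLR_PROJECT_EXT" ]; then
            SRCCLR_SCM_URI="$SRCCLR_SCM_URI/$SRCCLR_PROJECT_EXT"
          fi

          echo "SRCCLR_SCM_URI=$SRCCLR_SCM_URI" >> "$GITHUB_ENV"
```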
--- a/.github/actions/veracode/source_clear.sh
+++ b/.github/actions/veracode/source_clear.sh
@@ -4,14 +4,15 @@ echo "=========================== Starting SourceClear Script ==================
 PS4="\[\e[35m\]+ \[\e[m\]"
 set +e -v -x
-mvn -B -q clean install \
- ${SRCCLR_INSTALL_DEFAULT_OPTIONS} ${SRCCLR_INSTALL_OPTIONS} \
- com.srcclr:srcclr-maven-plugin:scan \
- -Dcom.srcclr.apiToken=${SRCCLR_API_TOKEN} > scan.log
+srcclr scan \
+ --scm-uri="$SRCCLR_SCM_URI" \
+ --scm-ref="$SRCCLR_SCM_REF" \
+ --scm-ref-type="$SRCCLR_SCM_REF_TYPE" \
+ --scm-rev="$SRCCLR_SCM_REV" > scan.log
 SUCCESS=$? # this will read exit code of the previous command
-grep -e 'Full Report Details' -e 'Failed' scan.log
+grep -e 'Full Report Details' scan.log
 set +vex
 echo "=========================== Finishing SourceClear Script =========================="
diff --git a/docs/README.md b/docs/README.md
index 7b8c3ee9a..c45cc6f51 100644
--- a/docs/README.md
+++ b/docs/README.md
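Review bot: The new grep drops the `-e 'Failed'` pattern, so when `srcclr scan` exits non-zero nothing from scan.log is echoed and the job output shows only whatever the exit handling does with `$SUCCESS`; unless srcclr prints "Failed" in benign lines, keep the pattern or dump the log on failure, e.g. `[ "$SUCCESS" -eq 0 ] || cat scan.log`. The redirect `> scan.log` captures stdout only, so anything the CLI writes to stderr reaches the console but never the file grep inspects; if the "Full Report Details" line goes to stderr the grep is silently empty — worth confirming against a real run. The script's exit handling after the `echo` is outside the hunk. Since the token now arrives via the `SRCCLR_API_TOKEN` environment variable instead of argv, the `set -x` trace no longer prints it; a comment above `srcclr scan \` such as `# API token is read from SRCCLR_API_TOKEN; keep it out of argv so set -x does not print it` would stop a future edit from reintroducing that.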
@@ -1537,12 +1537,21 @@ Validates Maven dependency graph versions to ensure all target includes artifact
 Runs Veracode Source Clear Scan
+To add custom maven execution instructions, for skipping test modules etc., use [custom_maven_command](https://docs.veracode.com/r/Java_Scan_Directives#custom_maven_command)
+scan directive in srcclr.yml file of the scanned repository.
+
+When monitoring multiple versions of the same project in Veracode, optional input srcclr-project-ext can be used to direct scan results to a specific Veracode project instead of the default one.
+For example: ACS_EXT_MASTER Veracode application has an Alfresco/alfresco-enterprise-repo agent-based scans linked to itself through a Veracode project named Alfresco/alfresco-enterprise-repo, in order to include recent agent-based scan results in the promoted scan.
+When supporting an older version of ACS_EXT_MASTER like ACS_EXT_MASTER_7_4, we can set this input value to '7.4.N' on branch "release/7.4.N" of Alfresco/alfresco-enterprise-repo, to direct this branch's agent-based scan results to a project named Alfresco/alfresco-enterprise-repo/7.4.N instead.
+If that project doesn't exist, it will be created automatically. You can then set the default branch for the created project (release/7.4.N) and link it to an application (ACS_EXT_MASTER_7_4) in Veracode.
+This way, the agent-based scan results will be added in the latest promoted scan of ACS_EXT_MASTER_7_4 Veracode application.
+
 ```yaml
 - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@ref
 #continue-on-error: true # uncomment this line to prevent the Veracode scan step from failing the whole build
 with:
 srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
- srcclr-install-options: '-DskipTestModules' # optional, additional maven options
+ srcclr-project-ext: '' # optional, allows for directing scan results to Veracode project named: /
 ```
 ### github cache cleanup
diff --git a/version.txt b/version.txt
index ff506ef80..9773998bc 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v5.35.0
+v6.0.0