Feat: CI cosign/ Fix: CI Build (#132)

* Add Cosign to CI * Fix OpenApi Export * Add OWASP False Positives
corona-warn-app · Jul 28, 2022 · 1835a50 · 1835a50
1 parent cb06a07
commit 1835a50
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 0 deletions.
diff --git a/.github/workflows/ci-master.yml b/.github/workflows/ci-master.yml
@@ -8,6 +8,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+    - uses: sigstore/cosign-installer@main
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
@@ -61,10 +62,12 @@ jobs:
         docker build \
         --tag docker.pkg.github.com/${GITHUB_REPOSITORY}/${ARTIFACT_ID}:${VERSION} \
         --tag ${TRUSTED_URL}/${TRUSTED_REPOSITORY}/${ARTIFACT_ID}:${VERSION} \
+        --tag ${MTR_REPOSITORY}/cwa-testresult-server:${VERSION} \
         .
       env:
         TRUSTED_URL: ${{ secrets.TRUSTED_URL }}
         TRUSTED_REPOSITORY: ${{ secrets.TRUSTED_REPOSITORY }}
+        MTR_REPOSITORY: ${{ secrets.MTR_REPOSITORY }}
     - name: docker push github
       run: |
         echo ${GITHUB_TOKEN} | docker login docker.pkg.github.com -u ${GITHUB_REPOSITORY_OWNER} --password-stdin
@@ -91,3 +94,14 @@ jobs:
         TRUSTED_REPOSITORY: ${{ secrets.TRUSTED_REPOSITORY }}
         TRUSTED_USER: ${{ secrets.TRUSTED_USER }}
         TRUSTED_TOKEN: ${{ secrets.TRUSTED_TOKEN }}
+    - name: docker push new mtr
+      run: |
+        echo ${MTR_TOKEN} | docker login ${MTR_REPOSITORY} -u ${MTR_USER} --password-stdin
+        docker push ${MTR_REPOSITORY}/cwa-testresult-server:${VERSION}
+        cosign sign --key env://MTR_PRIVATE_KEY ${MTR_REPOSITORY}/cwa-testresult-server:${VERSION}
+      env:
+        MTR_REPOSITORY: ${{ secrets.MTR_REPOSITORY }}
+        MTR_USER: ${{ secrets.MTR_USER }}
+        MTR_TOKEN: ${{ secrets.MTR_TOKEN }}
+        MTR_PRIVATE_KEY: ${{ secrets.MTR_PRIVATE_KEY }}
+        COSIGN_PASSWORD: ${{ secrets.MTR_PRIVATE_KEY_PASSWORD }}
diff --git a/owasp/suppressions.xml b/owasp/suppressions.xml
@@ -19,4 +19,14 @@
     <notes>CVE warns about usage of sample code in Tomcat Repository. This code is not used by us.</notes>
     <cve>CVE-2022-34305</cve>
   </suppress>
+
+  <suppress>
+    <notes>False Positive</notes>
+    <cve>CVE-2022-31514</cve>
+  </suppress>
+
+  <suppress>
+    <notes>False Positive (https://github.com/jeremylong/DependencyCheck/issues/4693)</notes>
+    <cve>CVE-2022-2393</cve>
+  </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
@@ -87,10 +87,34 @@
       <plugin>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-maven-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>pre-integration-test</id>
+            <goals>
+              <goal>start</goal>
+            </goals>
+          </execution>
+          <execution>
+            <id>post-integration-test</id>
+            <goals>
+              <goal>stop</goal>
+            </goals>
+          </execution>
+          <execution>
+            <goals>
+              <goal>repackage</goal>
+              <goal>build-info</goal>
+            </goals>
+          </execution>
+        </executions>
       </plugin>
       <plugin>
         <groupId>org.springdoc</groupId>
         <artifactId>springdoc-openapi-maven-plugin</artifactId>
+        <configuration>
+          <apiDocsUrl>http://localhost:8080/api/docs</apiDocsUrl>
+          <outputFileName>openapi.json</outputFileName>
+        </configuration>
       </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>