add security cron job (#1677)

* merge dependabot * update DependencyCheck * test github action with agent * change project * change config 1 * change config 2 * change config 3 * test github action with config server * test github action with config server ui * remove build from depcheck * test github action with configdocsgenerator * remove unnecessary property * use action in release * add cron jobs * reinclude build to depcheck * try including configdocsgenerator * try including configdocsgenerator 2 * try including configdocsgenerator 3 * try including configdocsgenerator 4 * try including configdocsgenerator 5 * try including configdocsgenerator 6 * try including configdocsgenerator 7 * try including configdocsgenerator 8 * try including configdocsgenerator 9 * included configsdocsgenerator and UI * refactor config-server workflow
inspectIT · Dec 3, 2024 · 63a8230 · 63a8230
1 parent 9b79c7c
commit 63a8230
Show file tree

Hide file tree

Showing 11 changed files with 254 additions and 36 deletions.
diff --git a/.github/workflows/agent_security_check.yml b/.github/workflows/agent_security_check.yml
@@ -0,0 +1,48 @@
+name: Automatic Security Check Agent
+
+on:
+  schedule:
+    - cron: "0 8 1,15 * *" # At 08:00 on day-of-month 1 and 15
+
+jobs:
+  security-check:
+    name: Security Check Agent
+    runs-on: ubuntu-latest
+    container: eclipse-temurin:8-jdk
+    steps:
+      - uses: actions/checkout@v3
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+      - name: build
+        run: ./gradlew :inspectit-ocelot-agent:assemble
+      - name: Run DependencyCheck plugin
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck
+        continue-on-error: true
+        with:
+          project: inspectIT/inspectit-ocelot-agent
+          path: 'inspectit-ocelot-agent'
+          format: 'HTML'
+          args: >
+            --disableAssembly
+            --disableNodeAudit
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report-ocelot-agent
+          path: ${{ github.workspace }}/reports
+      - name: Send Notification
+        uses: slackapi/[email protected]
+        with:
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          payload: |
+            text: "*Ocelot-Agent Dependency-Check Report*: ${{ steps.depcheck.outcome }}\nPlease check the report here: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+      # if DependencyCheck failed, the job should also fail, but only after the results were uploaded
+      - name: Validate DependencyCheck outcome
+        if: ${{ steps.depcheck.outcome == 'failure' }}
+        run: |
+          echo "DependencyCheck failed"
+          exit 1
diff --git a/.github/workflows/agent_test.yml b/.github/workflows/agent_test.yml
@@ -97,21 +97,36 @@ jobs:
     name: Dependency Scan
     runs-on: ubuntu-latest
     container: eclipse-temurin:8-jdk
-    needs: [ pr-check ]
     steps:
       - uses: actions/checkout@v3
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew
-      - name: Scan dependencies inspectit-ocelot-sdk
-        run: ./gradlew :inspectit-ocelot-sdk:dependencyCheckAnalyze
-      - name: Scan dependencies inspectit-ocelot-config
-        run: ./gradlew :inspectit-ocelot-config:dependencyCheckAnalyze
-      - name: Scan dependencies inspectit-ocelot-core
-        run: ./gradlew :inspectit-ocelot-core:dependencyCheckAnalyze
-      - name: Scan dependencies inspectit-ocelot-bootstrap
-        run: ./gradlew :inspectit-ocelot-bootstrap:dependencyCheckAnalyze
-      - name: Scan dependencies inspectit-ocelot-agent
-        run: ./gradlew :inspectit-ocelot-agent:dependencyCheckAnalyze
+      - name: build
+        run: ./gradlew :inspectit-ocelot-agent:assemble
+      - name: Run DependencyCheck plugin
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck
+        continue-on-error: true
+        with:
+          project: inspectIT/inspectit-ocelot-agent
+          path: 'inspectit-ocelot-agent'
+          format: 'HTML'
+          args: >
+            --disableAssembly
+            --disableNodeAudit
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report-ocelot-agent
+          path: ${{ github.workspace }}/reports
+      # if DependencyCheck failed, the job should also fail, but only after the results were uploaded
+      - name: Validate DependencyCheck outcome
+        if: ${{ steps.depcheck.outcome == 'failure' }}
+        run: |
+          echo "DependencyCheck failed"
+          exit 1
 
   jmh-compile:
     name: 'Compile JMH Tests'

diff --git a/.github/workflows/configdocsgenerator_test.yml b/.github/workflows/configdocsgenerator_test.yml
@@ -28,13 +28,34 @@ jobs:
   dependency-scan:
     name: Dependency Scan
     runs-on: ubuntu-latest
-    env:
-      working-directory: ./components/inspectit-ocelot-configdocsgenerator
     container: openjdk:8-jdk
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew
-      - name: Scan dependencies
-        working-directory: ${{env.working-directory}}
-        run: ../../gradlew :inspectit-ocelot-configdocsgenerator:dependencyCheckAnalyze
+      - name: build
+        run: ./gradlew :inspectit-ocelot-configdocsgenerator:assemble
+      - name: Run DependencyCheck plugin
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck
+        continue-on-error: true
+        with:
+          project: inspectIT/inspectit-ocelot-configdocsgenerator
+          path: 'components/inspectit-ocelot-configdocsgenerator'
+          format: 'HTML'
+          args: >
+            --disableAssembly
+            --disableNodeAudit
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report-ocelot-configdocsgenerator
+          path: ${{ github.workspace }}/reports
+      # if DependencyCheck failed, the job should also fail, but only after the results were uploaded
+      - name: Validate DependencyCheck outcome
+        if: ${{ steps.depcheck.outcome == 'failure' }}
+        run: |
+          echo "DependencyCheck failed"
+          exit 1
diff --git a/.github/workflows/configuration_ui_test.yml b/.github/workflows/configuration_ui_test.yml
@@ -25,13 +25,34 @@ jobs:
   dependency-scan:
     name: Dependency Scan
     runs-on: ubuntu-latest
-    env:
-      working-directory: ./components/inspectit-ocelot-configurationserver-ui
     container: eclipse-temurin:17
     steps:
       - uses: actions/checkout@v3
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew
-      - name: Scan dependencies
-        working-directory: ${{env.working-directory}}
-        run: ../../gradlew :inspectit-ocelot-configurationserver-ui:dependencyCheckAnalyze
+      - name: build
+        run: ./gradlew :inspectit-ocelot-configurationserver-ui:buildFrontend
+      - name: Run DependencyCheck plugin
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck
+        continue-on-error: true
+        with:
+          project: inspectIT/inspectit-ocelot-configuration-server-ui
+          path: 'components/inspectit-ocelot-configurationserver-ui'
+          format: 'HTML'
+          args: >
+            --disableAssembly
+            --disableNodeAudit
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report-ocelot-configurationserver-ui
+          path: ${{ github.workspace }}/reports
+      # if DependencyCheck failed, the job should also fail, but only after the results were uploaded
+      - name: Validate DependencyCheck outcome
+        if: ${{ steps.depcheck.outcome == 'failure' }}
+        run: |
+          echo "DependencyCheck failed"
+          exit 1
diff --git a/.github/workflows/configurationserver_security_check.yml b/.github/workflows/configurationserver_security_check.yml
@@ -0,0 +1,86 @@
+name: Automatic Security Check Configuration-Server
+
+on:
+  schedule:
+    - cron: "0 8 1,15 * *" # At 08:00 on day-of-month 1 and 15
+
+jobs:
+  security-check:
+    name: Security Check Configuration-Server
+    runs-on: ubuntu-latest
+    container: eclipse-temurin:17
+    steps:
+      - uses: actions/checkout@v3
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+      - name: build Configuration-Server
+        run: ./gradlew :inspectit-ocelot-configurationserver:bootJarWithFrontend
+      - name: Run DependencyCheck Backend
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck
+        continue-on-error: true
+        with:
+          project: inspectIT/inspectit-ocelot-configuration-server
+          path: 'components/inspectit-ocelot-configurationserver'
+          format: 'HTML'
+          out: 'reports/configuration-server'
+          args: >
+            --disableAssembly
+            --disableNodeAudit
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+      - name: Run DependencyCheck UI
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck-ui
+        continue-on-error: true
+        with:
+          project: inspectIT/inspectit-ocelot-configuration-server-ui
+          path: 'components/inspectit-ocelot-configurationserver-ui'
+          format: 'HTML'
+          out: 'reports/configuration-server-ui'
+          args: >
+            --disableAssembly
+            --disableNodeAudit
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+      - name: build ConfigDocsGenerator
+        run: ./gradlew :inspectit-ocelot-configdocsgenerator:assemble
+      - name: Run DependencyCheck ConfigDocsGenerator
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck-docs
+        continue-on-error: true
+        with:
+          project: inspectIT/inspectit-ocelot-configdocsgenerator
+          path: 'components/inspectit-ocelot-configdocsgenerator'
+          format: 'HTML'
+          out: 'reports/configdocsgenerator'
+          args: >
+            --disableAssembly
+            --disableNodeAudit
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report-ocelot-configurationserver
+          path: ${{ github.workspace }}/reports
+      - name: Set DependencyCheck status
+        run: |
+          if [ ${{ steps.depcheck.outcome == 'failure' || steps.depcheck-ui.outcome == 'failure' || steps.depcheck-docs.outcome == 'failure' }} == "true" ]; then
+            echo "DEP_CHECK_STATUS=failure" >> $GITHUB_ENV
+          else
+            echo "DEP_CHECK_STATUS=success" >> $GITHUB_ENV
+          fi
+      - name: Send Notification
+        uses: slackapi/[email protected]
+        with:
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          payload: |
+            text: "*Ocelot-Configuration-Server Dependency-Check Report*: ${{ env.DEP_CHECK_STATUS }}\nPlease check the report here: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+      # if DependencyCheck failed, the job should also fail, but only after the results were uploaded
+      - name: Validate DependencyCheck outcome
+        if: ${{ env.DEP_CHECK_STATUS == 'failure' }}
+        run: |
+          echo "DependencyCheck failed"
+          exit 1
diff --git a/.github/workflows/configurationserver_test.yml b/.github/workflows/configurationserver_test.yml
@@ -36,13 +36,35 @@ jobs:
   dependency-scan:
     name: Dependency Scan
     runs-on: ubuntu-latest
-    env:
-      working-directory: ./components/inspectit-ocelot-configurationserver
     container: eclipse-temurin:17
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew
-      - name: Scan dependencies
-        working-directory: ${{env.working-directory}}
-        run: ../../gradlew :inspectit-ocelot-configurationserver:dependencyCheckAnalyze
+      - name: build Configuration-Server
+        run: ./gradlew :inspectit-ocelot-configurationserver:bootJarWithFrontend
+      - name: Run DependencyCheck
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck
+        continue-on-error: true
+        with:
+          project: inspectIT/inspectit-ocelot-configuration-server
+          path: 'components/inspectit-ocelot-configurationserver'
+          format: 'HTML'
+          out: 'reports/configuration-server'
+          args: >
+            --disableAssembly
+            --disableNodeAudit
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report-ocelot-configurationserver
+          path: ${{ github.workspace }}/reports
+      # if DependencyCheck failed, the job should also fail, but only after the results were uploaded
+      - name: Validate DependencyCheck outcome
+        if: ${{ steps.depcheck.outcome == 'failure' }}
+        run: |
+          echo "DependencyCheck failed"
+          exit 1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,8 +20,6 @@ jobs:
           distribution: temurin
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew
-      - name: Scan dependencies
-        run: ./gradlew dependencyCheckAggregate
       - name: Build artifacts
         run: |
           ./gradlew assemble bootJarWithFrontend :inspectit-ocelot-core:cyclonedxBom :inspectit-ocelot-configurationserver:cyclonedxBom -PbuildVersion=${{ github.ref_name }}

diff --git a/build.gradle b/build.gradle
@@ -42,13 +42,19 @@ allprojects {
 
     dependencyCheck {
         //failBuildOnCVSS = 6
+        nvd {
+            apiKey = System.getenv("NVD_API_TOKEN")
+            delay = 10000
+        }
         scanProjects = [
                 ':inspectit-ocelot-agent',
                 ':inspectit-ocelot-core',
                 ':inspectit-ocelot-sdk',
                 ':inspectit-ocelot-bootstrap',
+                ':inspectit-ocelot-config',
                 ':inspectit-ocelot-configurationserver',
-                ':inspectit-ocelot-configurationserver-ui'
+                ':inspectit-ocelot-configurationserver-ui',
+                ':inspectit-ocelot-configdocsgenerator'
         ]
         skipConfigurations = ["jmh", "jmhCompileClasspath", "systemTest", "systemTestCompileClasspath", "systemTestRuntimeClasspath"]
         analyzers {

diff --git a/components/inspectit-ocelot-configurationserver-ui/yarn.lock b/components/inspectit-ocelot-configurationserver-ui/yarn.lock
@@ -2573,9 +2573,9 @@ cosmiconfig@^7.0.0:
     yaml "^1.10.0"
 
 cross-spawn@^7.0.0, cross-spawn@^7.0.2, cross-spawn@^7.0.3:
-  version "7.0.3"
-  resolved "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz"
-  integrity sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==
+  version "7.0.6"
+  resolved "https://registry.yarnpkg.com/cross-spawn/-/cross-spawn-7.0.6.tgz#8a58fe78f00dcd70c370451759dfbfaf03e8ee9f"
+  integrity sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==
   dependencies:
     path-key "^3.1.0"
     shebang-command "^2.0.0"

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -134,6 +134,6 @@ ioSpringDependencyManagement = "io.spring.dependency-management:1.1.6"
 meChampeauJmh = "me.champeau.jmh:0.7.2"
 nlLittlerobotsVersionCatalogUpdate = "nl.littlerobots.version-catalog-update:0.8.5"
 orgCyclonedxBom = "org.cyclonedx.bom:1.8.2"
-# @pin Last version to be compatible with java 1.8
-orgOwaspDependencycheck = "org.owasp.dependencycheck:8.2.1"
+# @pin Dependency-Check 11.* requires Java 11, 10.0.4 does not work with Gradle 7
+orgOwaspDependencycheck = "org.owasp.dependencycheck:10.0.3"
 orgSpringframeworkBoot = { id = "org.springframework.boot", version.ref = "orgSpringframeworkBoot" }
diff --git a/inspectit-ocelot-agent/build.gradle b/inspectit-ocelot-agent/build.gradle
@@ -83,6 +83,7 @@ docker {
 task buildOpenTelemetryFatJar(type: Jar){
     archiveFileName = "opentelemetry-fat.jar"
     destinationDirectory = file("$buildDir/jarGen")
+    duplicatesStrategy = DuplicatesStrategy.EXCLUDE
     from{
         configurations.opentelemetry.collect{it.isDirectory() ? it : zipTree(it) }
     }