Skip to content
This repository has been archived by the owner on Nov 28, 2024. It is now read-only.

Mend Security Scan #197

Mend Security Scan

Mend Security Scan #197

Workflow file for this run

name: Mend Security Scan
on:
schedule:
- cron: '20 0 * * 0'
push:
branches:
- main
pull_request_target:
branches:
- main
workflow_dispatch:
inputs:
logLevel:
description: 'Log level'
required: true
default: 'debug'
type: choice
options:
- info
- warning
- debug
jobs:
mend-scan:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Set up Java 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: '${{ github.workspace }}/go.mod'
- name: 'Setup jq'
uses: dcarbone/[email protected]
with:
version: '1.7'
- name: Download Mend Universal Agent
run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar
- name: Run Mend Scan
run: java -jar ./wss-unified-agent.jar -c $CONFIG_FILE -wss.url $WSS_URL -apiKey $API_KEY -userKey $USER_KEY -productToken $PRODUCT_TOKEN
env:
USER_KEY: ${{ secrets.MEND_USER_KEY }}
PRODUCT_TOKEN: ${{ secrets.MEND_SHC_PRODUCT_TOKEN }}
WSS_URL: ${{ secrets.MEND_URL }}
API_KEY: ${{ secrets.MEND_API_TOKEN }}
CONFIG_FILE: './.github/workflows/mend.config'
- name: Generate Report
env:
USER_KEY: ${{ secrets.MEND_API_USER_KEY }}
PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN_MPAS_PRODUCT_CONTR }}
API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }}
EMAIL: ${{ secrets.MEND_API_EMAIL }}
id: report
run: |
data=$(cat <<EOF
{
"email": "${EMAIL}",
"orgToken": "${API_KEY}",
"userKey": "${USER_KEY}"
}
EOF
)
login_token=$(curl -X POST 'https://api-sap.whitesourcesoftware.com/api/v2.0/login' \
--header 'Content-Type: application/json' --silent \
--data "${data}" | jq -r .retVal.jwtToken )
security_vulnerability=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/alerts/security?search=status%3Aequals%3AACTIVE%3Bscore%3Abetween%3A6%2C10%3B" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}")
major_updates_pending=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/alerts/legal?search=status%3Aequals%3AACTIVE%3BavailableVersionType%3Aequals%3AMAJOR" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}" )
requires_review=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3ARequires%20Review" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}")
high_license_risk=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?pageSize=1000" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}")
security_vulnerability_no=$(echo "${security_vulnerability}" | jq .additionalData.totalItems )
major_updates_pending_no=$(echo "${major_updates_pending}" | jq -r .additionalData.totalItems )
requires_review_no=$(echo "${requires_review}" |jq -r .additionalData.totalItems )
high_license_risk_no=$(echo "${high_license_risk}" | jq -r '.retVal[].riskScore.riskScore | select( . != null ) > 52 | select(.==true)'| wc -l )
function print {
printf "############################################\n$1\n############################################\nMend Scan Tool: https://sap.whitesourcesoftware.com/Wss/WSS.html#!login \n"
}
function restricted_license {
declare -a sap_restricted_licenses=("LGPL" "GPL" "Affero%20GPL" "MPL" "CDDL" "EPL")
ret_val=""
issue_count=0
for key in "${!sap_restricted_licenses[@]}"; do
api_resp=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3A${sap_restricted_licenses[$key]}" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}")
api_resp_no=$(echo "${api_resp}" | jq .additionalData.totalItems )
issue_count=$((issue_count+api_resp_no))
if [[ $api_resp_no -gt 0 ]]
then
val=$(echo "${api_resp}" | jq -r .retVal[] )
ret_val="$ret_val$val"
fi
done
export VIOLATIONS_VERBOSE="${ret_val}"
export VIOLATIONS="${issue_count}"
}
print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}"
if [[ $security_vulnerability_no -gt 0 ]]
then
echo "${security_vulnerability}" | jq -r .retVal[]
fi
print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}"
if [[ $major_updates_pending_no -gt 0 ]]
then
echo "${major_updates_pending}" | jq -r .retVal[]
fi
print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license"
if [[ $requires_review_no -gt 0 ]]
then
echo "${requires_review}" | jq -r .retVal[]
fi
print "LICENSE RISK HIGH: ${high_license_risk_no}"
if [[ high_license_risk_no -gt 0 ]]
then
echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html"
fi
restricted_license
print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${VIOLATIONS}"
if [[ $VIOLATIONS -gt 0 ]]
then
echo "${VIOLATIONS_VERBOSE}" | jq .
fi
echo "security_vulnerability_no=$security_vulnerability_no" >> $GITHUB_OUTPUT
echo "major_updates_pending_no=$major_updates_pending_no" >> $GITHUB_OUTPUT
echo "requires_review_no=$requires_review_no" >> $GITHUB_OUTPUT
echo "high_license_risk_no=$high_license_risk_no" >> $GITHUB_OUTPUT
echo "violations=$VIOLATIONS" >> $GITHUB_OUTPUT
if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]]
then
echo "status=x" >> $GITHUB_OUTPUT
else
echo "status=white_check_mark" >> $GITHUB_OUTPUT
fi
- name: Check if PR exists
uses: 8BitJonny/[email protected]
id: pr_exists
with:
filterOutClosed: true
sha: ${{ github.event.pull_request.head.sha }}
- name: Comment Mend Status on PR
if: ${{ github.event_name != 'schedule' && steps.pr_exists.outputs.pr_found == 'true' }}
uses: thollander/[email protected]
with:
message: |
## Mend Scan Summary: :${{ steps.report.outputs.status }}:
### Repository: ${{ github.repository }}
| VIOLATION DESCRIPTION | NUMBER OF VIOLATIONS |
| -------------------------------------------- | --------------------------- |
| HIGH/CRITICAL SECURITY VULNERABILITIES | ${{ steps.report.outputs.security_vulnerability_no }} |
| MAJOR UPDATES AVAILABLE | ${{ steps.report.outputs.major_updates_pending_no }} |
| LICENSE REQUIRES REVIEW | ${{ steps.report.outputs.requires_review_no }} |
| LICENSE RISK HIGH | ${{ steps.report.outputs.high_license_risk_no }} |
| RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY | ${{ steps.report.outputs.VIOLATIONS }} |
[Detailed Logs: mend-scan-> Generate Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
[Mend UI](https://sap.whitesourcesoftware.com/Wss/WSS.html#!login)
comment_tag: tag_mend_scan