add mend scans (#68)

.github/workflows/mend.config

@@ -0,0 +1,109 @@
+####################################################################
+# WhiteSource Unified-Agent configuration file for GO
+# GENERAL SCAN MODE: Package Managers only
+####################################################################
+
+# !!! Important for WhiteSource "DIST - *" Products:
+# Please set 
+#   checkPolicies=false
+#   forceCheckAllDependencies=false
+# since Policy checks are not applicable for Security scans and also 
+# not suitable for DIST category. CheckPolicies just cover IP scan 
+# related license checks for SAP hosted cloud products only ("SHC - *").
+checkPolicies=true
+forceCheckAllDependencies=true
+
+# forceUpdate is important and need to be true
+forceUpdate=true
+# In some cases it could happen that Unified Agent is reporting SUCCESS but scan is incomplete or 
+# did not work at all. So parameter failErrorLevel=ALL needs to be set to break the scan if there are issues.
+failErrorLevel=ALL
+# failBuildOnPolicyViolation:
+# If the flag is true, the Unified Agent exit code will be the result of the policy check.
+# If the flag is false, the Unified Agent exit code will be the result of the scan.
+forceUpdate.failBuildOnPolicyViolation=false
+# offline parameter is important and need to be false
+offline=false
+
+# ignoreSourceFiles parameter is important and need to be true
+# IMPORTANT: This parameter is going to be deprecated in future
+#            and will be replaced by a new parameter, fileSystemScan. 
+ignoreSourceFiles=true
+# fileSystemScan parameter is important and need to be false as a 
+# replacement for ignoreSourceFiles=true and overrides the 
+# soon-to-be-deprecated ignoreSourceFiles.
+fileSystemScan=false
+# resolveAllDependencies is important and need to be false
+resolveAllDependencies=false
+
+#wss.connectionTimeoutMinutes=60
+# URL to your WhiteSource server.
+# wss.url=https://sap.whitesourcesoftware.com/agent
+
+# resolveDependencies parameter is important and need to be true
+#if you are using 'modules' as a dependency manager, then the go.resolveDependencies is set to false.
+#For any other dependency manager, this value is set to true.
+
+go.resolveDependencies=true
+#defaut value for ignoreSourceFiles  is set to false
+# ignoreSourceFiles parameter is important and need to be true
+go.ignoreSourceFiles=true
+go.collectDependenciesAtRuntime=false
+# dependencyManager: Determines the Go dependency manager to use when scanning a Go project.
+# Valid values are 'dep', 'godep', 'vndr', 'gogradle', 'glide', 'govendor', 'gopm' and 'vgo' 
+# If empty, then the Unified Agent will try to resolve the dependencies using each one 
+# of the package managers above.
+#go.dependencyManager=
+#go.glide.ignoreTestPackages=false
+#go.gogradle.enableTaskAlias=true
+
+#The below configuration is for the 'modules' dependency manager.
+#Please comment these below 4 lines that has 'go.modules' prefix if you are not using the 'modules' dependency manager.
+# Default value is true. If set to true, it resolves Go Modules dependencies.
+go.modules.resolveDependencies=true
+#default value is true. If set to true, this will ignore Go source files during the scan.
+#go.modules.ignoreSourceFiles=true
+#default value is true. If set to true, removes duplicate dependencies during Go Modules dependency resolution.
+#go.modules.removeDuplicateDependencies=false
+#default value is false. if set to true, scans Go Modules project test dependencies.
+#go.modules.includeTestDependencies=true
+######################
+
+
+##################################
+# Organization tokens:
+##################################
+# ! In case of PIPER, apiKey may not be used in this configuration, 
+#   but set in configuration of piper. 
+#   Please look at PIPER documentation for more information.
+# ! For CoDePipes you may look at CoDePipes for more information.
+# apiKey=
+
+# userKey is required if WhiteSource administrator has enabled "Enforce user level access" option.
+# ! In case of PIPER, apiKey may not be used in this configuration, 
+#   but set in configuration of piper. 
+#   Please look at PIPER documentation for more information.
+# ! For CoDePipes you may look at CoDePipes for more information.
+# userKey=
+
+projectName=mpas-product-controller
+# projectVersion=
+# projectToken=
+
+productName=shc-open-component-model
+# productVersion=
+# productToken
+#updateType=APPEND
+#[email protected]
+
+#########################################################################################
+# Includes/Excludes Glob patterns - PLEASE USE ONLY ONE EXCLUDE LINE AND ONE INCLUDE LINE
+#########################################################################################
+
+includes=**/*.lock
+
+## Exclude file extensions or specific directories by adding **/*.<extension> or **<excluded_dir>/**
+excludes=**/*sources.jar **/*javadoc.jar
+
+case.sensitive.glob=false
+followSymbolicLinks=true

.github/workflows/mend_scan.yaml

@@ -0,0 +1,37 @@
+name: Mend Security Scan
+
+on:
+  schedule:
+    - cron:  '20 0 * * 0'
+
+jobs:
+  mend-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout Code  
+      uses: actions/checkout@v4
+
+    - name: Set up Java 17
+      uses: actions/setup-java@v3
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+
+    - name: Setup Go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: '${{ github.workspace }}/go.mod'
+
+    - name: Download Mend Universal Agent
+      run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar
+
+    - name: Run Mend Scan 
+      run: java -jar ./wss-unified-agent.jar -c $CONFIG_FILE -wss.url $WSS_URL -apiKey $API_KEY -userKey $USER_KEY -productToken $PRODUCT_TOKEN
+      env:
+        USER_KEY: ${{ secrets.MEND_USER_KEY }}
+        PRODUCT_TOKEN: ${{ secrets.MEND_SHC_PRODUCT_TOKEN }}
+        WSS_URL: ${{ secrets.MEND_URL }}
+        API_KEY: ${{ secrets.MEND_API_TOKEN }}
+        CONFIG_FILE: './.github/workflows/mend.config'
+