FEAT [DTECSCSAO-4805] GHAS integration: Code scanning & Dependency review (#21)

sekhara-madduru · web-flow · commit 987345ca8ca1 · 2025-06-30T21:27:41.000-07:00
* enabling ghas

* adding java version details

* limiting java to 8 as per codebase

* testing the filter-sarif

* Fixing the PR comments

* enabling push for the graph submission

* disable the graph submission as it wont support

* testing the gradle upgrade

* testing the gradle

* test the action of gradle

* updating the java version

* test the action of java8

* test dd

* Update build.gradle
diff --git a/.github/workflows/security.code-scanning.yml b/.github/workflows/security.code-scanning.yml
@@ -0,0 +1,19 @@
+name: CodeQL
+
+on:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  codeql-java:
+    uses: chargehound/security-workflows-public/.github/workflows/codeql-java.yml@test-gradle-submission
+    with:
+      build-mode: 'manual'
+      build-command: './gradlew --parallel --no-daemon --no-build-cache clean assemble -x test'
+      java-version: '8'
+    secrets:
+      DATADOG_API_KEY: ${{ secrets.DATADOG_PAYPAL_QA_TOKEN }}         
+      
diff --git a/.github/workflows/security.dependency-review.yml b/.github/workflows/security.dependency-review.yml
@@ -0,0 +1,17 @@
+name: Dependency Review
+
+on:
+  push:
+    branches: ['main']
+    
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  dependency-review:
+    uses: chargehound/security-workflows-public/.github/workflows/dependency-review-gradle.yml@test-gradle-submission
+    with:
+      java-version: 8
+    secrets:
+      DATADOG_API_KEY: ${{ secrets.DATADOG_PAYPAL_QA_TOKEN }}         
diff --git a/.github/workflows/test-java.yaml b/.github/workflows/test-java.yaml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [ '8', '9', '10', '11']
+        java: [ '8' ]
     name: Test Java ${{ matrix.java }}
     steps:
       - uses: actions/checkout@v2
diff --git a/build.gradle b/build.gradle
@@ -134,4 +134,67 @@ uploadArchives {
       }
     }
   }
-}
+}
+
+// TODO: Remove task after upgrading Gradle >= 5.2 
+import org.gradle.api.artifacts.ResolvedDependency
+import org.gradle.api.artifacts.Configuration
+import java.io.BufferedWriter
+import java.io.FileWriter
+
+tasks.register("generateDependencyReport") {
+    doLast {
+        def outputFile = file("${buildDir}/dependency-report.txt")
+        File parentDir = outputFile.parentFile
+        if (!parentDir.exists() && !parentDir.mkdirs()) {
+            throw new IOException("Failed to create directory ${parentDir}")
+        }
+
+        // Create a writer to write the dependency report to the file
+        BufferedWriter writer = new BufferedWriter(new FileWriter(outputFile))
+        try {
+            writer.write("Manifest: ${project.name}\n")
+            writer.write("# Generated on ${new Date()}\n\n")
+
+            // Iterate through all project configurations
+            project.configurations.each { Configuration config ->
+                try {
+                    if (config.isCanBeResolved()) {
+                        writer.write("${config.name}:\n")
+
+                        def dependencies = config.resolvedConfiguration.firstLevelModuleDependencies
+                        if (dependencies.isEmpty()) {
+                            writer.write("  (No dependencies found)\n")
+                        } else {
+                            dependencies.each { ResolvedDependency dep ->
+                                printDependency(dep, writer, 1)
+                            }
+                        }
+                    } else {
+                        writer.write("${config.name}:\n")
+                        writer.write("  (Cannot be resolved)\n")
+                    }
+                } catch (Exception e) {
+                    writer.write("${config.name}:\n")
+                    writer.write("  (Resolution failed: ${e.message})\n")
+                }
+
+                writer.write("\n")
+            }
+        } finally {
+            writer.close()
+        }
+
+        println("Dependency report generated: ${outputFile.absolutePath}")
+    }
+}
+
+// Recursive function to print dependencies with proper indentation
+void printDependency(ResolvedDependency dependency, BufferedWriter writer, int level) {
+    def indentation = "  " * level
+    writer.write("${indentation}- ${dependency.moduleGroup}:${dependency.moduleName}:${dependency.moduleVersion}\n")
+
+    dependency.children.each { ResolvedDependency child ->
+        printDependency(child, writer, level + 1)
+    }
+}
