From 4138fd82ef4a55a7776d77586c78780d78531e6d Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Tue, 18 Feb 2025 12:26:35 +0530
Subject: [PATCH 01/14] enabling ghas

---
 .github/workflows/security.code-scanning.yml | 12 ++++++++++++
 .github/workflows/security.dependency-review.yml | 10 ++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 .github/workflows/security.code-scanning.yml
 create mode 100644 .github/workflows/security.dependency-review.yml

diff --git a/.github/workflows/security.code-scanning.yml b/.github/workflows/security.code-scanning.yml
new file mode 100644
index 0000000..6ac9bc9
--- /dev/null
+++ b/.github/workflows/security.code-scanning.yml
@@ -0,0 +1,12 @@
+name: CodeQL
+
+on:
+ pull_request:
+ branches: [ main ]
+ push:
+ branches: [ main ]
+ workflow_dispatch:
+
+jobs:
+ codeql-java:
+ uses: chargehound/security-workflows-public/.github/workflows/codeql-java.yml@main
\ No newline at end of file
diff --git a/.github/workflows/security.dependency-review.yml b/.github/workflows/security.dependency-review.yml
new file mode 100644
index 0000000..05e828e
--- /dev/null
+++ b/.github/workflows/security.dependency-review.yml
@@ -0,0 +1,10 @@
+name: Dependency Review
+
+on:
+ pull_request:
+ branches: [ main ]
+ workflow_dispatch:
+
+jobs:
+ dependency-review:
+ uses: chargehound/security-workflows-public/.github/workflows/dependency-review.yml@main
\ No newline at end of file

From 2beb9a4f7bf91174fc128f1f1071de384537e7ad Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Wed, 19 Feb 2025 10:19:51 +0530
Subject: [PATCH 02/14] adding java version details

---
 .github/workflows/security.code-scanning.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security.code-scanning.yml b/.github/workflows/security.code-scanning.yml
index 6ac9bc9..eaf03af 100644
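Review bot: Both new `uses:` lines reference the reusable workflows in chargehound/security-workflows-public by the mutable branch ref `@main` (the code-scanning hunk and the dependency-review hunk below), so whatever is pushed to that branch later runs inside this repository's CI with the permissions and inputs the caller hands over. Pinning the ref to a full commit SHA, with the branch kept in a trailing comment for readability, makes the executed workflow reviewable and turns updates into explicit diffs, e.g. `uses: chargehound/security-workflows-public/.github/workflows/codeql-java.yml@<commit-sha> # main`. Later commits in this series move both callers to `@test-gradle-submission`, which has the same property and additionally names a test branch.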
--- a/.github/workflows/security.code-scanning.yml
+++ b/.github/workflows/security.code-scanning.yml
@@ -9,4 +9,8 @@ on:

 jobs:
 codeql-java:
- uses: chargehound/security-workflows-public/.github/workflows/codeql-java.yml@main
\ No newline at end of file
+ uses: chargehound/security-workflows-public/.github/workflows/codeql-java.yml@main
+ with:
+ build-mode: 'manual'
+ build-command: './gradlew build'
+ java-version: '8'

From f83ee48fbf6395af0682528148d1965b16176d14 Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Wed, 19 Feb 2025 10:43:32 +0530
Subject: [PATCH 03/14] limiting java to 8 as per codebase

---
 .github/workflows/test-java.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/test-java.yaml b/.github/workflows/test-java.yaml
index 8dd16b2..efd12ff 100644
--- a/.github/workflows/test-java.yaml
+++ b/.github/workflows/test-java.yaml
@@ -11,7 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- java: [ '8', '9', '10', '11']
+ java: [ '8' ]
 name: Test Java ${{ matrix.java }}
 steps:
 - uses: actions/checkout@v2
@@ -22,4 +22,4 @@ jobs:
 - name: Validate Gradle wrapper
 uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b
 - name: Run the Gradle tests
- run: ./gradlew test
+ run: ./gradlew build

From 26bfe8fa5928764a7f62dfb7a19164fe6df41fbe Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Tue, 8 Apr 2025 10:32:44 +0530
Subject: [PATCH 04/14] testing the filter-sarif

---
 .github/workflows/security.code-scanning.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/security.code-scanning.yml b/.github/workflows/security.code-scanning.yml
index eaf03af..2fdd763 100644
--- a/.github/workflows/security.code-scanning.yml
+++ b/.github/workflows/security.code-scanning.yml
@@ -14,3 +14,4 @@ jobs:
 build-mode: 'manual'
 build-command: './gradlew build'
 java-version: '8'
+ 
From 75f1a79ba3291a40e67e4087999d125d6f303ac7 Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Fri, 18 Apr 2025 13:57:46 +0530
Subject: [PATCH 05/14] Fixing the PR comments

---
 .github/workflows/security.code-scanning.yml | 2 +-
 .github/workflows/test-java.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security.code-scanning.yml b/.github/workflows/security.code-scanning.yml
index 2fdd763..a47ccbf 100644
--- a/.github/workflows/security.code-scanning.yml
+++ b/.github/workflows/security.code-scanning.yml
@@ -12,6 +12,6 @@ jobs:
 uses: chargehound/security-workflows-public/.github/workflows/codeql-java.yml@main
 with:
 build-mode: 'manual'
- build-command: './gradlew build'
+ build-command: './gradlew --parallel --no-daemon --no-build-cache clean assemble -x test'
 java-version: '8'

diff --git a/.github/workflows/test-java.yaml b/.github/workflows/test-java.yaml
index efd12ff..0665ed3 100644
--- a/.github/workflows/test-java.yaml
+++ b/.github/workflows/test-java.yaml
@@ -22,4 +22,4 @@ jobs:
 - name: Validate Gradle wrapper
 uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b
 - name: Run the Gradle tests
- run: ./gradlew build
+ run: ./gradlew test

From 6b185a0021c0a7c896043ac44bed3a477f964c3d Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Fri, 18 Apr 2025 14:24:25 +0530
Subject: [PATCH 06/14] enabling push for the graph submission

---
 .github/workflows/security.dependency-review.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/security.dependency-review.yml b/.github/workflows/security.dependency-review.yml
index 05e828e..ab4ed0d 100644
--- a/.github/workflows/security.dependency-review.yml
+++ b/.github/workflows/security.dependency-review.yml
@@ -1,6 +1,9 @@
 name: Dependency Review

 on:
+ push:
+ branches: ['main']
+
 pull_request:
 branches: [ main ]
 workflow_dispatch:

From 27cb270591d2cf7fbffc99c0b2c14e99626dc92f Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Fri, 18 Apr 2025 14:28:09 +0530
Subject: [PATCH 07/14] disable the graph submission as it wont support

---
 .github/workflows/security.dependency-review.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security.dependency-review.yml b/.github/workflows/security.dependency-review.yml
index ab4ed0d..3fa4fef 100644
--- a/.github/workflows/security.dependency-review.yml
+++ b/.github/workflows/security.dependency-review.yml
@@ -1,8 +1,8 @@
 name: Dependency Review

 on:
- push:
- branches: ['main']
+ #push:
+ # branches: ['main']

 pull_request:
 branches: [ main ]

From 0d0962585bb72a5771442ef5bbb93cba852bfea8 Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Fri, 2 May 2025 10:46:55 +0530
Subject: [PATCH 08/14] testing the gradle upgrade

---
 .../workflows/security.dependency-review.yml | 2 +-
 build.gradle | 36 +++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security.dependency-review.yml b/.github/workflows/security.dependency-review.yml
index 3fa4fef..c626f2d 100644
--- a/.github/workflows/security.dependency-review.yml
+++ b/.github/workflows/security.dependency-review.yml
@@ -10,4 +10,4 @@ on:

 jobs:
 dependency-review:
- uses: chargehound/security-workflows-public/.github/workflows/dependency-review.yml@main
\ No newline at end of file
+ uses: chargehound/security-workflows-public/.github/workflows/dependency-review-gradle@test-gradle-submission
\ No newline at end of file
diff --git a/build.gradle b/build.gradle
index eb21d38..d2ec492 100644
--- a/build.gradle
+++ b/build.gradle
@@ -134,4 +134,40 @@ uploadArchives {
 }
 }
 }
+}
+
+// TODO: Remove task after upgrading Gradle >= 5.2
+import org.gradle.api.artifacts.ResolvedDependency
+import org.gradle.api.artifacts.Configuration
+import java.io.BufferedWriter
+import java.io.FileWriter
+tasks.register("generateDependencyReport") {
+ doLast {
+ def outputFile = file("${buildDir}/dependency-report.txt")
+ File parentDir = outputFile.parentFile
+ if (!parentDir.exists() && !parentDir.mkdirs()) {
+ throw new IOException("Failed to create directory ${parentDir}")
+ }
+ BufferedWriter writer = new BufferedWriter(new FileWriter(outputFile))
+ try {
+ project.configurations.each { Configuration config ->
+ if (config.isCanBeResolved()) {
+ writer.write("Configuration: ${config.name}\n")
+ config.resolvedConfiguration.firstLevelModuleDependencies.each { ResolvedDependency dep ->
+ printDependency(dep, writer, 1)
+ }
+ }
+ }
+ } finally {
+ writer.close()
+ }
+ println("Dependency report generated: ${outputFile.absolutePath}")
+ }
+}
+void printDependency(ResolvedDependency dependency, BufferedWriter writer, int level) {
+ def indentation = " " * level
+ writer.write("${indentation}- ${dependency.moduleGroup}:${dependency.moduleName}:${dependency.moduleVersion}\n")
+ dependency.children.each { ResolvedDependency child ->
+ printDependency(child, writer, level + 1)
+ }
 }
\ No newline at end of file

From e06750f2f2b85944afb9b687dcd07e62e6bfbe92 Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Fri, 2 May 2025 11:13:02 +0530
Subject: [PATCH 09/14] testing the gradle

---
 .github/workflows/security.dependency-review.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security.dependency-review.yml b/.github/workflows/security.dependency-review.yml
index c626f2d..53416b5 100644
--- a/.github/workflows/security.dependency-review.yml
+++ b/.github/workflows/security.dependency-review.yml
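Review bot: `BufferedWriter writer = new BufferedWriter(new FileWriter(outputFile))` writes the report in the JVM's platform default charset, and the surrounding `try { … } finally { writer.close() }` is what Groovy's writer helper already provides; replacing those lines with `outputFile.withWriter('UTF-8') { writer ->` and dropping the explicit close pins the encoding of a file that other tooling is meant to consume and removes five lines. The `printDependency` helper recurses over `dependency.children` with no depth bound; whether Gradle's resolved graph can contain cycles is not visible from this diff, so a sentence under the `// TODO: Remove task after upgrading Gradle >= 5.2` header stating that assumption would help whoever removes the task later. The `import` statements sit in the middle of the script rather than at the top, which reads oddly next to the task they serve.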
@@ -1,8 +1,8 @@
 name: Dependency Review

 on:
- #push:
- # branches: ['main']
+ push:
+ branches: ['main']

 pull_request:
 branches: [ main ]

From 485298e6e689c7487089a112a5aca934131d20e8 Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Fri, 2 May 2025 11:23:24 +0530
Subject: [PATCH 10/14] test the action of gradle

---
 .github/workflows/security.dependency-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security.dependency-review.yml b/.github/workflows/security.dependency-review.yml
index 53416b5..b57dd00 100644
--- a/.github/workflows/security.dependency-review.yml
+++ b/.github/workflows/security.dependency-review.yml
@@ -10,4 +10,4 @@ on:

 jobs:
 dependency-review:
- uses: chargehound/security-workflows-public/.github/workflows/dependency-review-gradle@test-gradle-submission
\ No newline at end of file
+ uses: chargehound/security-workflows-public/.github/workflows/dependency-review-gradle.yml@test-gradle-submission
\ No newline at end of file

From 5f6fff54f7724d8e4b06fe865e433b76069da100 Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Fri, 2 May 2025 11:33:24 +0530
Subject: [PATCH 11/14] updating the java version

---
 .github/workflows/security.dependency-review.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security.dependency-review.yml b/.github/workflows/security.dependency-review.yml
index b57dd00..2c57fea 100644
--- a/.github/workflows/security.dependency-review.yml
+++ b/.github/workflows/security.dependency-review.yml
@@ -10,4 +10,6 @@ on:

 jobs:
 dependency-review:
- uses: chargehound/security-workflows-public/.github/workflows/dependency-review-gradle.yml@test-gradle-submission
\ No newline at end of file
+ uses: chargehound/security-workflows-public/.github/workflows/dependency-review-gradle.yml@test-gradle-submission
+ with:
+ java-version: '8'
\ No newline at end of file

From 8173a6a86cc2460246806e1aa7c7ffd3c68451c8 Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Fri, 2 May 2025 11:36:59 +0530
Subject: [PATCH 12/14] test the action of java8

---
 .github/workflows/security.dependency-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security.dependency-review.yml b/.github/workflows/security.dependency-review.yml
index 2c57fea..b224891 100644
--- a/.github/workflows/security.dependency-review.yml
+++ b/.github/workflows/security.dependency-review.yml
@@ -12,4 +12,4 @@ jobs:
 dependency-review:
 uses: chargehound/security-workflows-public/.github/workflows/dependency-review-gradle.yml@test-gradle-submission
 with:
- java-version: '8'
\ No newline at end of file
+ java-version: 8
\ No newline at end of file

From 780e3815db35c71c15d2add7959dfb5f43c453ce Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Wed, 14 May 2025 16:07:11 +0530
Subject: [PATCH 13/14] test dd

---
 .github/workflows/security.code-scanning.yml | 4 +++-
 .github/workflows/security.dependency-review.yml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security.code-scanning.yml b/.github/workflows/security.code-scanning.yml
index a47ccbf..a868d13 100644
--- a/.github/workflows/security.code-scanning.yml
+++ b/.github/workflows/security.code-scanning.yml
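Review bot: The PATCH 12 hunk changes `java-version: '8'` to the unquoted `java-version: 8` while the CodeQL caller in security.code-scanning.yml keeps `java-version: '8'`; YAML parses the first as a number and the second as a string, and a reusable-workflow call can fail validation when the value's type does not match the input's declared type, so the two callers presumably work only because the two called workflows declare the input differently (inferred — the called workflows are not in this diff). Record that so the next reader does not "fix" the quoting, e.g. a comment above the line: `# dependency-review-gradle declares java-version as a number; codeql-java takes a string`.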
@@ -9,9 +9,11 @@ on:

 jobs:
 codeql-java:
- uses: chargehound/security-workflows-public/.github/workflows/codeql-java.yml@main
+ uses: chargehound/security-workflows-public/.github/workflows/codeql-java.yml@test-gradle-submission
 with:
 build-mode: 'manual'
 build-command: './gradlew --parallel --no-daemon --no-build-cache clean assemble -x test'
 java-version: '8'

+ secrets:
+ DATADOG_API_KEY: ${{ secrets.DATADOG_PAYPAL_QA_TOKEN }}
diff --git a/.github/workflows/security.dependency-review.yml b/.github/workflows/security.dependency-review.yml
index b224891..8173a6f 100644
--- a/.github/workflows/security.dependency-review.yml
+++ b/.github/workflows/security.dependency-review.yml
@@ -12,4 +12,6 @@ jobs:
 dependency-review:
 uses: chargehound/security-workflows-public/.github/workflows/dependency-review-gradle.yml@test-gradle-submission
 with:
- java-version: 8
\ No newline at end of file
+ java-version: 8
+ secrets:
+ DATADOG_API_KEY: ${{ secrets.DATADOG_PAYPAL_QA_TOKEN }}
\ No newline at end of file

From e177136a88db7eb9305a3e038b8f6e66e71fc373 Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Tue, 27 May 2025 12:00:29 +0530
Subject: [PATCH 14/14] Update build.gradle

---
 build.gradle | 37 ++++++++++++++++++++++++++++++++-----
 1 file changed, 32 insertions(+), 5 deletions(-)

diff --git a/build.gradle b/build.gradle
index d2ec492..71e9b5f 100644
--- a/build.gradle
+++ b/build.gradle
@@ -141,6 +141,7 @@ import org.gradle.api.artifacts.ResolvedDependency
 import org.gradle.api.artifacts.Configuration
 import java.io.BufferedWriter
 import java.io.FileWriter
+
 tasks.register("generateDependencyReport") {
 doLast {
 def outputFile = file("${buildDir}/dependency-report.txt")
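Review bot: The new `secrets:` block hands `DATADOG_PAYPAL_QA_TOKEN` to a reusable workflow that the same hunk re-points from `@main` to the branch `@test-gradle-submission` (the dependency-review hunk below does the same), so who can read that token now depends on who can push to a test branch of a public repository, and nothing in this repository reviews what the called workflow does with `DATADOG_API_KEY`. Pin the `uses:` ref to a full commit SHA once the test branch settles, and keep the token scoped to the narrowest permission Datadog allows. A one-line comment on why a QA-named token is the right credential for main-branch scans would also help the next reader, e.g. `# QA token is intentional: <reason>`.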
@@ -148,26 +149,52 @@ tasks.register("generateDependencyReport") {
 if (!parentDir.exists() && !parentDir.mkdirs()) {
 throw new IOException("Failed to create directory ${parentDir}")
 }
+
+ // Create a writer to write the dependency report to the file
 BufferedWriter writer = new BufferedWriter(new FileWriter(outputFile))
 try {
+ writer.write("Manifest: ${project.name}\n")
+ writer.write("# Generated on ${new Date()}\n\n")
+
+ // Iterate through all project configurations
 project.configurations.each { Configuration config ->
- if (config.isCanBeResolved()) {
- writer.write("Configuration: ${config.name}\n")
- config.resolvedConfiguration.firstLevelModuleDependencies.each { ResolvedDependency dep ->
- printDependency(dep, writer, 1)
+ try {
+ if (config.isCanBeResolved()) {
+ writer.write("${config.name}:\n")
+
+ def dependencies = config.resolvedConfiguration.firstLevelModuleDependencies
+ if (dependencies.isEmpty()) {
+ writer.write(" (No dependencies found)\n")
+ } else {
+ dependencies.each { ResolvedDependency dep ->
+ printDependency(dep, writer, 1)
+ }
+ }
+ } else {
+ writer.write("${config.name}:\n")
+ writer.write(" (Cannot be resolved)\n")
 }
+ } catch (Exception e) {
+ writer.write("${config.name}:\n")
+ writer.write(" (Resolution failed: ${e.message})\n")
 }
+
+ writer.write("\n")
 }
 } finally {
 writer.close()
 }
+
 println("Dependency report generated: ${outputFile.absolutePath}")
 }
 }
+
+// Recursive function to print dependencies with proper indentation
 void printDependency(ResolvedDependency dependency, BufferedWriter writer, int level) {
 def indentation = " " * level
 writer.write("${indentation}- ${dependency.moduleGroup}:${dependency.moduleName}:${dependency.moduleVersion}\n")
+
 dependency.children.each { ResolvedDependency child ->
 printDependency(child, writer, level + 1)
 }
-}
\ No newline at end of file
+}
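Review bot: The new `catch (Exception e)` inside `project.configurations.each` records a resolution failure only as a line in the report file, so the task still succeeds and a partially empty report is produced with nothing in the build log; for a report that the `// TODO` above the task (outside this hunk) says stands in until the Gradle upgrade, a configuration that silently fails to resolve is the case that matters most. At minimum surface it, `logger.warn("Could not resolve ${config.name}: ${e.message}")`, or collect the failing configuration names and throw a `GradleException` after the `finally` block so CI fails visibly. Catching `Exception` also hides programming errors in the loop body; narrowing to `org.gradle.api.artifacts.ResolveException` keeps those visible. The opening lines of `generateDependencyReport` (`doLast {`, `def outputFile`) are outside this hunk.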