From 93855f9b907987d9a1634f81e206efd55d77560f Mon Sep 17 00:00:00 2001 From: Iliya Savov Date: Tue, 21 Mar 2023 12:20:11 +0200 Subject: [PATCH 1/3] Initial Snyk integraiton Signed-off-by: Iliya Savov --- .github/workflows/comp-compile-pbj-code.yaml | 60 ++++++++++++++++++ .../workflows/flow-pull-request-checks.yaml | 12 ++++ .github/workflows/flow-snyk-monitor.yaml | 31 +++++++++ .gitignore | 3 + pbj-core/buildSrc/build.gradle.kts | 1 + .../com.hedera.pbj.conventions.gradle.kts | 1 + .../kotlin/com.hedera.pbj.snykcode.gradle.kts | 63 +++++++++++++++++++ 7 files changed, 171 insertions(+) create mode 100644 .github/workflows/flow-snyk-monitor.yaml create mode 100644 pbj-core/buildSrc/src/main/kotlin/com.hedera.pbj.snykcode.gradle.kts diff --git a/.github/workflows/comp-compile-pbj-code.yaml b/.github/workflows/comp-compile-pbj-code.yaml index 57398446..a7cff521 100644 --- a/.github/workflows/comp-compile-pbj-code.yaml +++ b/.github/workflows/comp-compile-pbj-code.yaml @@ -22,6 +22,16 @@ on: type: boolean required: false default: false + enable-snyk-scan: + description: "Snyk Scan Enabled" + type: boolean + required: false + default: false + enable-snyk-monitor: + description: "Snyk Monitor Enabled" + type: boolean + required: false + default: false java-distribution: description: "Java JDK Distribution:" type: string @@ -50,6 +60,9 @@ on: sonar-token: description: "The SonarCloud access token used by the SonarQube agent to report an analysis." required: false + snyk-token: + description: "The Snyk access token is used by Snyk to analyze the code for vulnerabilities." + required: false defaults: run: 
@@ -168,6 +181,53 @@ jobs: build-root-directory: ${{ env.PBJ_INTEGRATION_TESTS }} arguments: jmh --scan + - name: Gradle Snyk Test (PBJ Core) + id: gradle-snyk-test + uses: gradle/gradle-build-action@v2 + if: ${{ inputs.enable-snyk-scan && !cancelled() && always()}} + with: + gradle-version: ${{ inputs.gradle-version }} + build-root-directory: ${{ env.PBJ_CORE }} + arguments: snyk-test + env: + SNYK_TOKEN: ${{ secrets.snyk-token }} + + - name: Gradle Snyk Code Test (PBJ Core) + id: gradle-snyk-code + uses: gradle/gradle-build-action@v2 + if: ${{ inputs.enable-snyk-scan && !cancelled() && always()}} + with: + gradle-version: ${{ inputs.gradle-version }} + build-root-directory: ${{ env.PBJ_CORE }} + arguments: snyk-code + env: + SNYK_TOKEN: ${{ secrets.snyk-token }} + + - name: Setup Snyk Reports + if: ${{ inputs.enable-snyk-scan && !cancelled() && always()}} + run: npm install -g snyk-to-html @wcj/html-to-markdown-cli + + - name: Publish Snyk Results + if: ${{ inputs.enable-snyk-scan && !cancelled() && always()}} + run: | + snyk-to-html -i build/reports/snyk-test.json -o build/reports/snyk-test.html && \ + html-to-markdown build/reports/snyk-test.html -o build/reports/snyk && \ + cat build/reports/snyk/snyk-test.html.md >> $GITHUB_STEP_SUMMARY + snyk-to-html -i build/reports/snyk-code.sarif -o build/reports/snyk-code.html && \ + html-to-markdown build/reports/snyk-code.html -o build/reports/snyk && \ + cat build/reports/snyk/snyk-code.html.md >> $GITHUB_STEP_SUMMARY + working-directory: ${{ env.PBJ_CORE }} + + - name: Gradle Snyk Monitor(PBJ Core) + id: gradle-snyk-monitor + uses: gradle/gradle-build-action@v2 + if: ${{ inputs.enable-snyk-monitor && !cancelled() && always()}} + with: + gradle-version: ${{ inputs.gradle-version }} + build-root-directory: ${{ env.PBJ_CORE }} + arguments: snyk-monitor + env: + SNYK_TOKEN: ${{ secrets.snyk-token }} # - name: SonarCloud Options # id: sonar-cloud # env: 
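Review bot: The `Setup Snyk Reports` step installs `snyk-to-html` and `@wcj/html-to-markdown-cli` from the npm registry at run time without pinning versions, so the tooling that writes into `$GITHUB_STEP_SUMMARY` changes with every upstream publish; pin them, e.g. `run: npm install -g snyk-to-html@<PINNED_VERSION> @wcj/html-to-markdown-cli@<PINNED_VERSION>`. The `if:` expressions on all five new steps combine `!cancelled()` with `always()`; `always()` evaluates to true in every case, so `${{ inputs.enable-snyk-scan && !cancelled() }}` states the same condition without suggesting the step survives a cancellation. The code scan writes `build/reports/snyk-code.sarif`, but nothing in this hunk uploads it to code scanning, so findings exist only in the job summary; if that is intended, the `security-events: write` permission granted in the new `flow-snyk-monitor.yaml` is unused. Whether `snyk-to-html` accepts SARIF input for the second command chain is not verifiable from here; confirm it, because with the default `-e` bash options the step stops at the first failing chain and the code report is never rendered.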
diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml index f3c10646..2b1ed068 100644 --- a/.github/workflows/flow-pull-request-checks.yaml +++ b/.github/workflows/flow-pull-request-checks.yaml @@ -43,3 +43,15 @@ jobs: secrets: access-token: ${{ secrets.GITHUB_TOKEN }} sonar-token: ${{ secrets.SONAR_TOKEN }} + + snyk-scan: + name: Snyk Scan + uses: ./.github/workflows/comp-compile-pbj-code.yaml + with: + custom-job-label: Standard + enable-integration-tests: false + enable-sonar-analysis: false + enable-snyk-scan: true + secrets: + access-token: ${{ secrets.GITHUB_TOKEN }} + snyk-token: ${{ secrets.SNYK_TOKEN }} diff --git a/.github/workflows/flow-snyk-monitor.yaml b/.github/workflows/flow-snyk-monitor.yaml new file mode 100644 index 00000000..18e89d93 --- /dev/null +++ b/.github/workflows/flow-snyk-monitor.yaml @@ -0,0 +1,31 @@ +name: "Snyk Monitor" + +on: + push: + branches: + - main + workflow_dispatch: + +permissions: + contents: read + security-events: write + checks: write + issues: read + pull-requests: write + statuses: write + id-token: write + +defaults: + run: + shell: bash + +jobs: + snyk-monitor: + name: Snyk Monitor + uses: ./.github/workflows/comp-compile-pbj-code.yaml + with: + custom-job-label: Standard + enable-snyk-monitor: true + secrets: + access-token: ${{ secrets.GITHUB_TOKEN }} + snyk-token: ${{ secrets.SNYK_TOKEN }} diff --git a/.gitignore b/.gitignore index 12bde8ae..45a3e0e0 100644 --- a/.gitignore +++ b/.gitignore @@ -706,3 +706,6 @@ Temporary Items ### Generated Protobuf Files /tests/src/main/proto/ + +### Snyk binary +snyk \ No newline at end of file diff --git a/pbj-core/buildSrc/build.gradle.kts b/pbj-core/buildSrc/build.gradle.kts index 46113a23..3e08ff84 100644 --- a/pbj-core/buildSrc/build.gradle.kts +++ b/pbj-core/buildSrc/build.gradle.kts 
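Review bot: The `permissions` block in the new `flow-snyk-monitor.yaml` grants `pull-requests: write`, `checks: write`, `statuses: write`, `issues: read` and `id-token: write` to a job that, as far as this patch shows, only runs Gradle `snyk-monitor` with the `SNYK_TOKEN` secret; none of those scopes is exercised by the reusable workflow's new steps. `id-token: write` in particular lets the job mint OIDC tokens for cloud federation, which a dependency-monitoring run has no reason to hold. Reduce the block to `permissions:` / `contents: read`, and add `security-events: write` only together with a SARIF upload step that actually needs it.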
@@ -13,4 +13,5 @@ dependencies { implementation("gradle.plugin.lazy.zoo.gradle:git-data-plugin:1.2.2") implementation("com.adarshr:gradle-test-logger-plugin:3.2.0") implementation("io.github.gradle-nexus:publish-plugin:1.1.0") + implementation("gradle.plugin.io.snyk.gradle.plugin:snyk:0.4") } diff --git a/pbj-core/buildSrc/src/main/kotlin/com.hedera.pbj.conventions.gradle.kts b/pbj-core/buildSrc/src/main/kotlin/com.hedera.pbj.conventions.gradle.kts index 323d63fa..977d8547 100644 --- a/pbj-core/buildSrc/src/main/kotlin/com.hedera.pbj.conventions.gradle.kts +++ b/pbj-core/buildSrc/src/main/kotlin/com.hedera.pbj.conventions.gradle.kts @@ -21,6 +21,7 @@ plugins { id("com.hedera.pbj.spotless-conventions") id("com.hedera.pbj.spotless-java-conventions") id("com.hedera.pbj.spotless-kotlin-conventions") + id("com.hedera.pbj.snykcode") id("com.adarshr.test-logger") } diff --git a/pbj-core/buildSrc/src/main/kotlin/com.hedera.pbj.snykcode.gradle.kts b/pbj-core/buildSrc/src/main/kotlin/com.hedera.pbj.snykcode.gradle.kts new file mode 100644 index 00000000..62d58bfd --- /dev/null +++ b/pbj-core/buildSrc/src/main/kotlin/com.hedera.pbj.snykcode.gradle.kts 
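Review bot: Applying `com.hedera.pbj.snykcode` from the shared conventions plugin registers `snyk-test`, `snyk-code` and `snyk-monitor` in every project that applies the conventions, while each task is configured with `--all-sub-projects`; if more than one subproject applies the conventions, a single `gradle snyk-test` would run the whole-tree scan once per subproject and each run would write the same relative `build/reports/snyk-test.json` — this is inferred, since the set of projects applying the conventions is not visible here. Consider applying the snyk plugin only in the root project (or guarding the registration with a root-project check) and documenting the choice in the conventions file, e.g. `// Snyk tasks are applied once, at the root: --all-sub-projects already covers the tree`. The surrounding `plugins {}` block continues outside the hunk.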
@@ -0,0 +1,63 @@ +/*- + * ‌ + * Hedera Mirror Node + * ​ + * Copyright (C) 2019 - 2023 Hedera Hashgraph, LLC + * ​ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ‍ + */ + +plugins { + id("io.snyk.gradle.plugin.snykplugin") +} +abstract class SnykCodeTask : io.snyk.gradle.plugin.SnykTask() { + @TaskAction + fun doSnykTest() { + log.debug("Snyk Code Test Task") + authentication() + val output: io.snyk.gradle.plugin.Runner.Result = runSnykCommand("code test") + log.lifecycle(output.output) + if (output.exitcode > 0) { + throw GradleException("Snyk Code Test failed") + } + } +} + + +tasks.register("snyk-code") { + dependsOn("snyk-check-binary") + doFirst { + snyk { + setSeverity("high") + setArguments("--all-sub-projects --sarif-file-output=build/reports/snyk-code.sarif") + } + } +} + +tasks.`snyk-monitor` { + doFirst { + snyk { + setArguments("--all-sub-projects") + } + } +} + +tasks.`snyk-test` { + doFirst { + snyk { + setSeverity("high") + setArguments("--all-sub-projects --json-file-output=build/reports/snyk-test.json") + } + } +} From a058dbd850eb68557018bb938e6e9a436982b311 Mon Sep 17 00:00:00 2001 From: Iliya Savov Date: Thu, 20 Apr 2023 18:29:32 +0300 Subject: [PATCH 2/3] Add setup for nodejs Signed-off-by: Iliya Savov --- .github/workflows/comp-compile-pbj-code.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/comp-compile-pbj-code.yaml b/.github/workflows/comp-compile-pbj-code.yaml index a7cff521..028b18b6 100644 
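Review bot: `tasks.register("snyk-code")` creates a plain `DefaultTask`, so the `SnykCodeTask` class declared above it — the only place `snyk code test` is invoked — is never instantiated, and the `snyk-code` task run by the workflow only configures the `snyk` extension in `doFirst` and then finishes successfully without scanning or producing `build/reports/snyk-code.sarif`. Register it with the type: `tasks.register<SnykCodeTask>("snyk-code") {`. `doSnykTest` throws the generic `"Snyk Code Test failed"` for any non-zero exit, although the Snyk CLI uses distinct exit codes for findings versus tool errors, so include `output.exitcode` in the message to keep a broken scanner distinguishable from real findings. The task also `dependsOn("snyk-check-binary")`, which together with the new `.gitignore` entry `snyk` suggests the CLI binary is fetched into the working tree at build time; where it comes from and whether its integrity is verified is not visible here and is worth documenting at the top of this file. The header comment names "Hedera Mirror Node", which looks copied from another repository and should name this project.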
--- a/.github/workflows/comp-compile-pbj-code.yaml +++ b/.github/workflows/comp-compile-pbj-code.yaml @@ -107,6 +107,12 @@ jobs: notifications jdks + - name: Setup Node.js + uses: actions/setup-node@v3 + if: ${{ inputs.enable-snyk-scan && !cancelled() && always()}} + with: + node-version: 18 + - name: Gradle Assemble (PBJ Core) id: gradle-build uses: gradle/gradle-build-action@v2 From 297f5946074b3c93219104ccfef8185135b2218c Mon Sep 17 00:00:00 2001 From: Iliya Savov Date: Thu, 20 Apr 2023 19:00:19 +0300 Subject: [PATCH 3/3] Don't run snyk on forks Signed-off-by: Iliya Savov --- .github/workflows/flow-pull-request-checks.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml index 2b1ed068..beca1d70 100644 --- a/.github/workflows/flow-pull-request-checks.yaml +++ b/.github/workflows/flow-pull-request-checks.yaml @@ -47,6 +47,7 @@ jobs: snyk-scan: name: Snyk Scan uses: ./.github/workflows/comp-compile-pbj-code.yaml + if: ${{ github.event.pull_request.head.repo.full_name == github.repository }} with: custom-job-label: Standard enable-integration-tests: false
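Review bot: The added `if:` compares `github.event.pull_request.head.repo.full_name` with `github.repository`, which correctly keeps `SNYK_TOKEN` away from fork-originated pull requests, but on any trigger other than `pull_request` the `pull_request` context is empty, the comparison is false and the job is silently skipped; the workflow's `on:` block is outside this hunk, so whether that matters is not visible here. If the workflow also runs on `push`, state the intent explicitly, e.g. `if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}`. A one-line comment above the condition, `# secrets are not available to fork PRs; skip the Snyk job rather than fail it`, would record why the guard exists.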