chore: move state from main to fix the cve fix on release branch (#435)

* fix: Inherit secrets and update branch retrieval for manual publish workflow (#415) * chore: bump slackapi/slack-github-action in /.github/workflows (#416) Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 1.26.0 to 1.27.0. - [Release notes](https://github.com/slackapi/slack-github-action/releases) - [Commits](slackapi/slack-github-action@v1.26.0...v1.27.0) --- updated-dependencies: - dependency-name: slackapi/slack-github-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: Run Full CI/CD on release tag and release branch creation (#417) * chore: Run Full CI/CD on release tag and release branch creation * chore: Run Full CI/CD on release tag and release branch creation * chore: Run Full CI/CD on release tag and release branch creation --------- Co-authored-by: Rupeekshan Maheswaran <63111541+Rupeekshan@users.noreply.github.com> * chore: Make the Image Security Scan as a part of CI workflow (#418) * chore: add commit to manually published image tag (#422) * chore: use github_sha variable as in other repos * chore: Switch to wolfi to fix critical vulnerability (#421) * chore: Switch to wolfi to fix critical vulnerability * nl * fix nl * fix * fix * Fix manual * needs' * make more clear * toolchains * Fix * fix: Fix job dependencies and commit hash input for scheduled scans (#424) * fix: Improve commit hash input logic for CI versioning * fix: Resolve job dependencies for scheduled scans * fix: use numeric uid (#425) * fix: Fix CVE-2024-38816 vulnerability (#426) * fix: Fix CVE-2024-38816 vulnerability * comment * chore: bump joda-time:joda-time from 2.12.7 to 2.13.0 (#427) * fix: Upgrade spring (#428) * fix: Upgrade spring * gradle.properties * chore: bump chainguard/wolfi-base in /local-rest-scorer (#429) Bumps [chainguard/wolfi-base](https://github.com/chainguard-images/images) from `0f1d816` to `b06d453`. - [Commits](https://github.com/chainguard-images/images/commits) --- updated-dependencies: - dependency-name: chainguard/wolfi-base dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: bump chainguard/wolfi-base in /local-rest-scorer (#430) Bumps [chainguard/wolfi-base](https://github.com/chainguard-images/images) from `b06d453` to `7574456`. - [Commits](https://github.com/chainguard-images/images/commits) --- updated-dependencies: - dependency-name: chainguard/wolfi-base dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: Upgrade Spring 3.3.4 (#432) * feat: Migrate image registry from GAR to AWS ECR (#431) * eat: Migrate image registry from GAR to AWS ECR * fix * chore: Disable release publishing to MLOps ECR (#433) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Rupeekshan Maheswaran <63111541+Rupeekshan@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sivakajan Sivaparan <51718908+Sivakajan-tech@users.noreply.github.com>
h2oai · Sep 30, 2024 · 81f7746 · 81f7746
1 parent 5684c60
commit 81f7746
Show file tree

Hide file tree

Showing 15 changed files with 398 additions and 331 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -21,3 +21,13 @@ updates:
     labels:
       - "type/update"
       - "area/chore"
+
+  - package-ecosystem: "docker"
+    directory: "local-rest-scorer/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "chore"
+    labels:
+      - "type/update"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,21 +12,66 @@ on:
     tags: [ 'v[0-9]+.[0-9]+.[0-9]+' ]
 
 jobs:
-  code_quality_check:
-    uses: ./.github/workflows/code-quality-check.yml
-    secrets: inherit
+  changed_files:
+    runs-on: ubuntu-latest
+    outputs:
+      modified: ${{ steps.changes.outputs.src }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          filters: |
+            src:
+              - .github/workflows/**
+              - aws-lambda-scorer/**
+              - aws-sagemaker-hosted-scorer/**     
+              - aws-sagemaker-hosted-scorer-cpp/**
+              - common/**                          
+              - config/**
+              - gcp-cloud-run/**                   
+              - gcp-vertex-ai-mojo-scorer/**
+              - gradle/**
+              - hive-mojo-scorer/** 
+              - kdb-mojo-scorer/**
+              - local-rest-scorer/** 
+              - sql-jdbc-scorer/**
+              - build.gradle
+              - gradlew 
+              - gradle.properties
 
   setup_env:
     uses: ./.github/workflows/setup-environment.yml
 
+  code_quality_check:
+    needs:
+      - changed_files
+      - setup_env
+    uses: ./.github/workflows/code-quality-check.yml
+    secrets: inherit
+    with:
+        if: ${{ needs.setup_env.outputs.bypass_changed_files == 'true' || needs.changed_files.outputs.modified == 'true' }}
+
   build_image:
+    uses: ./.github/workflows/image-build.yml
     needs:
+      - changed_files
       - setup_env
       - code_quality_check
-    uses: ./.github/workflows/image-build.yml
     secrets: inherit
     with:
       component_version: ${{ needs.setup_env.outputs.component_version }}
+      if: ${{ needs.setup_env.outputs.bypass_changed_files == 'true' || needs.changed_files.outputs.modified == 'true' }}
+    # The `! failure()` condition runs when the parent jobs completed successfully or were skipped.
+    if: ${{ ! failure() }}
+
+  security_scan:
+      name: Security Scan
+      uses: ./.github/workflows/component-scan.yml
+      needs: build_image
+      secrets: inherit
 
   publish_latest_from_dev_branch:
     if: ${{ startsWith(github.ref, 'refs/heads/main') }}

diff --git a/.github/workflows/code-quality-check.yml b/.github/workflows/code-quality-check.yml
@@ -2,10 +2,16 @@ name: Code Analysis
 
 on:
   workflow_call:
+    inputs:
+      if:
+        description: Whether to run the workflow (workaround for required status checks issue)
+        type: boolean
+        default: true
 
 jobs:
   code_quality_check:
     name: Linters
+    if: ${{ inputs.if }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

diff --git a/.github/workflows/component-scan.yml b/.github/workflows/component-scan.yml
@@ -0,0 +1,243 @@
+name: Security Scan
+
+on:
+  workflow_call:
+
+env:
+  CODE_OWNERS: '<@U047W9ULVQ9>'
+
+jobs:
+  trivy_scan:
+    name: Trivy Scan
+    runs-on: ubuntu-latest
+    outputs:
+      job: ${{ steps.publish.outputs.job }}
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: image
+          path: /tmp
+
+      - name: Load image
+        run: docker load -i /tmp/image.tar
+
+      - name: Scan all the vulnerabilities and generate JSON report
+        if: always()
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: image:latest
+          format: 'json'
+          vuln-type: 'os,library'
+          output: 'trivy-results.json'
+
+      - name: Save vulnerabilities report in tabular format
+        if: always()
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: trivy-results.json
+          scan-type: convert
+          vuln-type: ''
+          format: 'table'
+          output: 'trivy-results.txt'
+
+      - name: Display vulnerabilities report
+        if: always()
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: trivy-results.json
+          scan-type: convert
+          vuln-type: ''
+
+      - name: Fail on high and critical vulnerabilities
+        if: always()
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: trivy-results.json
+          scan-type: convert
+          exit-code: '1'
+          vuln-type: ''
+          severity: 'HIGH,CRITICAL'
+
+      - name: Publish scan report
+        if: always()
+        id: publish
+        run: |
+          api_url="https://api.github.com/repos/h2oai/${{ github.event.repository.name }}/actions/runs/${{ github.run_id }}/jobs"
+          job_id=$(curl -s -H "Authorization: token ${{ github.token }}" "$api_url" | jq -r '.jobs[] | select(.name == "Security Scan / Trivy Scan") | .id')
+          job_url_suffix="/actions/runs/${{ github.run_id }}/job/$job_id#step:7:17"
+          echo "job=${job_url_suffix}" >> $GITHUB_OUTPUT
+
+      - name: Upload report for notifications
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-results
+          path: trivy-results.txt
+
+  prisma_scan:
+    name: Prisma Scan
+    runs-on: ubuntu-latest
+    outputs:
+      job: ${{ steps.publish.outputs.job }}
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: image
+          path: /tmp
+
+      - name: Load image
+        run: docker load -i /tmp/image.tar
+
+      - name: VPN Connection
+        uses: Twingate/github-action@V1.1
+        with:
+          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
+
+      - name: Prisma Cloud image scan
+        uses: PaloAltoNetworks/prisma-cloud-scan@v1.6.7
+        with:
+          pcc_console_url: http://mr-0xz1.h2o.local:8081/
+          pcc_user: ${{ secrets.PCC_USER }}
+          pcc_pass: ${{ secrets.PCC_PASS }}
+          image_name: image:latest
+          results_file: pcc_scan_results.json
+
+      - name: Upload report for notifications
+        uses: actions/upload-artifact@v4
+        with:
+          name: prisma-results
+          path: pcc_scan_results.json
+
+      - name: Verify report results
+        run: |
+          high=$(jq '.results[0].vulnerabilityDistribution.high' pcc_scan_results.json)
+          critical=$(jq '.results[0].vulnerabilityDistribution.critical' pcc_scan_results.json)
+          if [[ $high -gt 0 || $critical -gt 0 ]]; then
+            exit 1
+          fi
+          echo "No high or critical vulnerabilities found."
+
+      - name: Publish scan report
+        if: always()
+        id: publish
+        run: |
+          api_url="https://api.github.com/repos/h2oai/${{ github.event.repository.name }}/actions/runs/${{ github.run_id }}/jobs"
+          job_id=$(curl -s -H "Authorization: token ${{ github.token }}" "$api_url" | jq -r '.jobs[] | select(.name == "Security Scan / Prisma Scan") | .id')
+          job_url_suffix="/actions/runs/${{ github.run_id }}/job/$job_id#step:5:18"
+          echo "job=${job_url_suffix}" >> $GITHUB_OUTPUT
+
+  notify:
+    name: Notify
+    needs:
+      - trivy_scan
+      - prisma_scan
+    if: failure()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          pattern: '*-results'
+          merge-multiple: true
+
+      - name: Summarize the criticality count
+        run: |
+          trivy_total=0
+          trivy_low=0
+          trivy_medium=0
+          trivy_high=0
+          trivy_critical=0          
+          while IFS= read -r line; do
+            if [[ $line =~ Total:\ ([0-9]+)\ \(UNKNOWN:\ [0-9]+,\ LOW:\ ([0-9]+),\ MEDIUM:\ ([0-9]+),\ HIGH:\ ([0-9]+),\ CRITICAL:\ ([0-9]+)\) ]]; then
+              trivy_total=$((trivy_total + ${BASH_REMATCH[1]}))
+              trivy_low=$((trivy_low + ${BASH_REMATCH[2]}))
+              trivy_medium=$((trivy_medium + ${BASH_REMATCH[3]}))
+              trivy_high=$((trivy_high + ${BASH_REMATCH[4]}))
+              trivy_critical=$((trivy_critical + ${BASH_REMATCH[5]}))
+            fi
+          done < "trivy-results.txt"          
+          echo "TRIVY_SUMMARY='Total: $trivy_total (LOW: $trivy_low, MEDIUM: $trivy_medium, HIGH: $trivy_high, CRITICAL: $trivy_critical)'" >> $GITHUB_ENV
+
+          prisma_total=$(jq '.results[0].vulnerabilityDistribution.total' pcc_scan_results.json)
+          prisma_low=$(jq '.results[0].vulnerabilityDistribution.low' pcc_scan_results.json)
+          prisma_medium=$(jq '.results[0].vulnerabilityDistribution.medium' pcc_scan_results.json)
+          prisma_high=$(jq '.results[0].vulnerabilityDistribution.high' pcc_scan_results.json)
+          prisma_critical=$(jq '.results[0].vulnerabilityDistribution.critical' pcc_scan_results.json)
+          echo "PRISMA_SUMMARY='Total: $prisma_total (LOW: $prisma_low, MEDIUM: $prisma_medium, HIGH: $prisma_high, CRITICAL: $prisma_critical)'" >> $GITHUB_ENV
+
+      - name: Comment the results to the PR
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            })
+            const botComment = comments.find(comment => {
+              return comment.user.type === 'Bot' && comment.body.includes('#### Vulnerabilities have been detected')
+            })
+
+            const output = `#### Vulnerabilities have been detected.
+
+            \`\`\`
+            Trivy: ${process.env.TRIVY_SUMMARY}
+            Prisma: ${process.env.PRISMA_SUMMARY}
+            \`\`\`
+
+            @${{ github.actor }}, please review the following reports: [**Trivy**](https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.trivy_scan.outputs.job }}), [**Prisma**](https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.prisma_scan.outputs.job }})`;
+
+            if (botComment) {
+              github.rest.issues.updateComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: botComment.id,
+              body: output
+            })
+            } else {
+              github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: output
+              })
+            }
+
+      - name: Send Notification to Slack
+        if: ${{ startsWith(github.ref, 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/') }}
+        uses: slackapi/slack-github-action@v1.27.0
+        with:
+          channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          payload: |
+            {
+              "text": "Trivy Vulnerability Report",
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_"
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "> *Trivy :: `${{ env.TRIVY_SUMMARY }}`*\n> *Prisma :: `${{ env.PRISMA_SUMMARY }}`*"
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "${{ env.CODE_OWNERS }}, please review the following reports: <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.trivy_scan.outputs.job }}|_Trivy_>, <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.prisma_scan.outputs.job }}|_Prisma_>"
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.H2O_OPS_SLACK_BOT_TOKEN }}
diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
@@ -3,14 +3,19 @@ name: Build Images
 on:
   workflow_call:
     inputs:
+      if:
+        description: Whether to run the workflow (workaround for required status checks issue)
+        type: boolean
+        default: true
       component_version:
         description: Gradle component version
+        required: true
         type: string
-        default: true
 
 jobs:
   build:
     name: Build Image
+    if: ${{ inputs.if }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -25,13 +30,13 @@ jobs:
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@v4
 
-      - name: Build templates
-        run: |
-          ./gradlew --init-script init.gradle distributionZip
-
       - name: Build images with Gradle Wrapper
         run: |
-          ./gradlew -Pversion=${{inputs.component_version}} --init-script init.gradle jibBuildTar -Djib.to.image=image:latest -Djib.outputPaths.tar=/tmp/image.tar
+          ./gradlew :local-rest-scorer:build -Pversion=${{ inputs.component_version }} -x check  --init-script init.gradle
+          docker build -t image:latest -f local-rest-scorer/Dockerfile local-rest-scorer
+
+      - name: Save docker image
+        run:  docker save image:latest > /tmp/image.tar
 
       - name: Save image artifact
         uses: actions/upload-artifact@v4