From 0f1b395fb0f91660863e0e501503f2b86372fba6 Mon Sep 17 00:00:00 2001
From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com>
Date: Thu, 16 Nov 2023 17:15:53 +0100
Subject: [PATCH 1/9] Update mend.config

---
 .github/workflows/mend.config | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/mend.config b/.github/workflows/mend.config
index 6b00ade..cb72ae4 100644
--- a/.github/workflows/mend.config
+++ b/.github/workflows/mend.config
@@ -2,7 +2,8 @@
 # WhiteSource Unified-Agent configuration file for GO
 # GENERAL SCAN MODE: Package Managers only
 ####################################################################
-
+#Configuration Reference: https://docs.mend.io/bundle/unified_agent/page/unified_agent_configuration_parameters.html#General
+
 # !!! Important for WhiteSource "DIST - *" Products:
 # Please set
 # checkPolicies=false
@@ -21,25 +22,30 @@ failErrorLevel=ALL # failBuildOnPolicyViolation: # If the flag is true, the Unified Agent exit code will be the result of the policy check. # If the flag is false, the Unified Agent exit code will be the result of the scan. -forceUpdate.failBuildOnPolicyViolation=false +forceUpdate.failBuildOnPolicyViolation=true # offline parameter is important and need to be false offline=false # ignoreSourceFiles parameter is important and need to be true # IMPORTANT: This parameter is going to be deprecated in future # and will be replaced by a new parameter, fileSystemScan. -ignoreSourceFiles=true +# ignoreSourceFiles=true # fileSystemScan parameter is important and need to be false as a # replacement for ignoreSourceFiles=true and overrides the # soon-to-be-deprecated ignoreSourceFiles. -fileSystemScan=false +# To scan source files, we need to enable it. +fileSystemScan=true # resolveAllDependencies is important and need to be false resolveAllDependencies=false #wss.connectionTimeoutMinutes=60 # URL to your WhiteSource server. # wss.url=https://sap.whitesourcesoftware.com/agent - + +#################################################################### +# GO Configuration +#################################################################### + # resolveDependencies parameter is important and need to be true #if you are using 'modules' as a dependency manager, then the go.resolveDependencies is set to false. #For any other dependency manager, this value is set to true. 
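Review bot: The comments above the flipped settings now contradict the values — `# ignoreSourceFiles parameter is important and need to be true` sits over a commented-out `ignoreSourceFiles=true`, and `# fileSystemScan parameter is important and need to be false` over `fileSystemScan=true`; the same stale `need to be true` wording is left above `go.ignoreSourceFiles=false` and `go.modules.ignoreSourceFiles=false` in the next two hunks. Update them to state the new intent, e.g. `# fileSystemScan=true: scan source files as well as package-manager dependencies (supersedes the deprecated ignoreSourceFiles)`. Commenting out `ignoreSourceFiles=true` rather than setting it to `false` leaves the agent's default in charge of that deprecated key; if its documented default is not `false`, set it explicitly so the two settings cannot disagree. `forceUpdate.failBuildOnPolicyViolation=true` makes the agent exit code follow the policy check, which matches the comment above it, so that part reads consistently.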
@@ -47,7 +53,8 @@ resolveAllDependencies=false go.resolveDependencies=true #defaut value for ignoreSourceFiles is set to false # ignoreSourceFiles parameter is important and need to be true -go.ignoreSourceFiles=true +# To scan source files, we need to disable it. +go.ignoreSourceFiles=false go.collectDependenciesAtRuntime=false # dependencyManager: Determines the Go dependency manager to use when scanning a Go project. # Valid values are 'dep', 'godep', 'vndr', 'gogradle', 'glide', 'govendor', 'gopm' and 'vgo' @@ -61,8 +68,9 @@ go.collectDependenciesAtRuntime=false #Please comment these below 4 lines that has 'go.modules' prefix if you are not using the 'modules' dependency manager. # Default value is true. If set to true, it resolves Go Modules dependencies. go.modules.resolveDependencies=true -#default value is true. If set to true, this will ignore Go source files during the scan. -#go.modules.ignoreSourceFiles=true +#default value is true. If set to true, this will ignore Go source files during the scan. +#To scan source files, we need to disable it. +go.modules.ignoreSourceFiles=false #default value is true. If set to true, removes duplicate dependencies during Go Modules dependency resolution. #go.modules.removeDuplicateDependencies=false #default value is false. if set to true, scans Go Modules project test dependencies. From 6a5e180a978c56d9c852cc08efb6a9cfbf638384 Mon Sep 17 00:00:00 2001 From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Thu, 16 Nov 2023 17:17:08 +0100 Subject: [PATCH 2/9] Update mend_scan.yaml --- .github/workflows/mend_scan.yaml | 89 +++++++++++++++++++++++++++++++- 1 file changed, 87 insertions(+), 2 deletions(-) diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index ce6a0cd..2d436be 100644 --- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml 
@@ -3,7 +3,20 @@ name: Mend Security Scan on: schedule: - cron: '20 0 * * 0' - + push: + branches: + - feature/test-mend + workflow_dispatch: + inputs: + logLevel: + description: 'Log level' + required: true + default: 'debug' + type: choice + options: + - info + - warning + - debug jobs: mend-scan: runs-on: ubuntu-latest @@ -22,7 +35,10 @@ jobs: uses: actions/setup-go@v4 with: go-version-file: '${{ github.workspace }}/go.mod' - + - name: 'Setup jq' + uses: dcarbone/install-jq-action@v2.1.0 + with: + version: '1.7' - name: Download Mend Universal Agent run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar 
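Review bot: `dcarbone/install-jq-action@v2.1.0` in the second hunk is a third-party action pinned to a mutable tag; since this job later carries the Mend secrets in its environment, pin it to the full commit SHA (`uses: dcarbone/install-jq-action@<commit-sha>  # v2.1.0`) so a moved tag cannot change what runs with them. The `ubuntu-latest` runner image already ships `jq`, so the step may be unnecessary altogether — worth checking the preinstalled version against what the report script needs. The `logLevel` `workflow_dispatch` input added in the first hunk is not read anywhere in this patch series; if nothing consumes it, drop it or wire it into the agent invocation. The remainder of the steps list is outside the hunk.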
@@ -34,4 +50,73 @@ jobs: WSS_URL: ${{ secrets.MEND_URL }} API_KEY: ${{ secrets.MEND_API_TOKEN }} CONFIG_FILE: './.github/workflows/mend.config' + + - name: Generate Report + env: + USER_KEY: ${{ secrets.MEND_API_USER_KEY }} + PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN_MPAS_PRODUCT_CONTR }} + API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }} + EMAIL: ${{ secrets.MEND_API_EMAIL }} + run: | + data=$(cat <52 | select(.==true)'| wc -l ) + + function print { + printf "############################################\n$1\n############################################\n" + } + + print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}" + if [[ $security_vulnerability_no -gt 0 ]] + then + echo "${security_vulnerability}" | jq -r .retVal[] + fi + + print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}" + if [[ $major_updates_pending_no -gt 0 ]] + then + echo "${major_updates_pending}" | jq -r .retVal[] + fi + + print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license" + if [[ $requires_review_no -gt 0 ]] + then + echo "${requires_review}" | jq -r .retVal[] + fi + + print "LICENSE RISK HIGH: ${high_license_risk_no}" + if [[ high_license_risk_no -gt 0 ]] + then + echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html" + fi + + if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] + then + exit 1 + fi From a421ed730bd4e115b9521cb9aef64ceab3c17fcc Mon Sep 17 00:00:00 2001 From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Thu, 16 Nov 2023 18:04:28 +0100 Subject: [PATCH 3/9] Update mend.config --- .github/workflows/mend.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
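Review bot: `print` interpolates its argument into the `printf` format string and silently ignores any second argument, so the `"Visit the Mend UI and add correct license"` text passed in the LICENSE REQUIRES REVIEW call is never shown, and a `%` in the message would be treated as a conversion; rewrite it as `printf '############################################\n%s\n############################################\n' "$*"`. `[[ high_license_risk_no -gt 0 ]]` only works because `[[ ]]` evaluates the bare name as an arithmetic expression — write `$high_license_risk_no` like the other tests so the intent is explicit. The `data=$(cat <` heredoc and the API calls that populate `security_vulnerability` and the other counters are not legible on this page, so the login portion of the step could not be reviewed.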
diff --git a/.github/workflows/mend.config b/.github/workflows/mend.config index cb72ae4..0257927 100644 --- a/.github/workflows/mend.config +++ b/.github/workflows/mend.config @@ -74,7 +74,7 @@ go.modules.ignoreSourceFiles=false #default value is true. If set to true, removes duplicate dependencies during Go Modules dependency resolution. #go.modules.removeDuplicateDependencies=false #default value is false. if set to true, scans Go Modules project test dependencies. -#go.modules.includeTestDependencies=true +go.modules.includeTestDependencies=true ###################### From c47e5179572c12da5f1658a698ed2ad9368e1eee Mon Sep 17 00:00:00 2001 From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Thu, 16 Nov 2023 18:27:26 +0100 Subject: [PATCH 4/9] Update mend_scan.yaml --- .github/workflows/mend_scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index 2d436be..03e3dce 100644 --- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml @@ -5,7 +5,7 @@ on: - cron: '20 0 * * 0' push: branches: - - feature/test-mend + - main workflow_dispatch: inputs: logLevel: From 6f738893ef28752625e605d29da36b0f79fbb539 Mon Sep 17 00:00:00 2001 From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Fri, 17 Nov 2023 16:59:59 +0100 Subject: [PATCH 5/9] Update mend_scan.yaml --- .github/workflows/mend_scan.yaml | 69 +++++++++++++++++++++++--------- 1 file changed, 51 insertions(+), 18 deletions(-) diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index 03e3dce..6353cf4 100644 --- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml @@ -5,7 +5,7 @@ on: - cron: '20 0 * * 0' push: branches: - - main + - feature/test-mend workflow_dispatch: inputs: logLevel: 
@@ -58,10 +58,10 @@ jobs: API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }} EMAIL: ${{ secrets.MEND_API_EMAIL }} run: | - data=$(cat <52 | select(.==true)'| wc -l ) - + requires_review_no=$(echo "${requires_review}" |jq -r .additionalData.totalItems ) + high_license_risk_no=$(echo "${high_license_risk}" | jq -r '.retVal[].riskScore.riskScore | select( . != null ) > 52 | select(.==true)'| wc -l ) + function print { printf "############################################\n$1\n############################################\n" } - + + function restricted_license { + declare -a sap_restricted_licenses=("LGPL" "GPL" "Affero%20GPL" "MPL" "CDDL" "EPL") + ret_val="" + issue_count=0 + for key in "${!sap_restricted_licenses[@]}"; do + api_resp=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3A${sap_restricted_licenses[$key]}" \ + --header 'Content-Type: application/json' --silent \ + --header "Authorization: Bearer ${login_token}") + + api_resp_no=$(echo "${api_resp}" | jq .additionalData.totalItems ) + issue_count=$((issue_count+api_resp_no)) + + if [[ $api_resp_no -gt 0 ]] + then + val=$(echo "${api_resp}" | jq -r .retVal[] ) + ret_val="$ret_val$val" + fi + done + print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${issue_count}" + if [[ issue_count -gt 0 ]] + then + echo "${ret_val}" | jq . 
+ fi + + return $issue_count + } + print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}" if [[ $security_vulnerability_no -gt 0 ]] then echo "${security_vulnerability}" | jq -r .retVal[] fi - + print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}" if [[ $major_updates_pending_no -gt 0 ]] then echo "${major_updates_pending}" | jq -r .retVal[] fi - + print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license" if [[ $requires_review_no -gt 0 ]] then echo "${requires_review}" | jq -r .retVal[] fi - + print "LICENSE RISK HIGH: ${high_license_risk_no}" if [[ high_license_risk_no -gt 0 ]] then echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html" fi - - if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] + + restricted_license + + if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]] then exit 1 fi - From 5a5a3c41623094010ec95f5b1209ce51e72a765c Mon Sep 17 00:00:00 2001 From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Fri, 17 Nov 2023 17:01:45 +0100 Subject: [PATCH 6/9] Update mend_scan.yaml --- .github/workflows/mend_scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index 6353cf4..13a6377 100644 --- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml 
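Review bot: `violations` in the new exit condition is never assigned — `restricted_license` hands its count back only through `return $issue_count`, and that status is discarded when the function is called on its own line — so `[[ violations -gt 0 ]]` is always false and restricted licenses never fail the run by that path. If the step runs under the `bash -e` shell GitHub uses for `run:` by default, a non-zero return from `restricted_license` instead aborts the script right there, before the combined check, and `return` also wraps counts above 255. Replace the `return` with an assignment the caller can read, `violations=$issue_count`, and test `[[ $violations -gt 0 ]]`. The hunk header reads `-58,10 +58,10` yet the visible changes span far more lines and the heredoc near `data=$(cat <` is garbled, so the start of this step is not fully legible here.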
@@ -58,7 +58,7 @@ jobs: API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }} EMAIL: ${{ secrets.MEND_API_EMAIL }} run: | - data=$(cat < Date: Fri, 17 Nov 2023 17:04:43 +0100 Subject: [PATCH 7/9] Update mend_scan.yaml --- .github/workflows/mend_scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index 13a6377..9bb3678 100644 --- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml @@ -5,7 +5,7 @@ on: - cron: '20 0 * * 0' push: branches: - - feature/test-mend + - main workflow_dispatch: inputs: logLevel: From 565f68c73258a07e04fd992137d26db2f7506a1c Mon Sep 17 00:00:00 2001 From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Thu, 23 Nov 2023 09:58:37 +0100 Subject: [PATCH 8/9] Update mend_scan.yaml --- .github/workflows/mend_scan.yaml | 53 ++++++++++++++++++++++++++------ 1 file changed, 43 insertions(+), 10 deletions(-) diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index 9bb3678..c2573b0 100644 --- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml @@ -6,6 +6,9 @@ on: push: branches: - main + pull_request: + branches: + - main workflow_dispatch: inputs: logLevel: @@ -20,7 +23,8 @@ on: jobs: mend-scan: runs-on: ubuntu-latest - + permissions: + pull-requests: write steps: - name: Checkout Code uses: actions/checkout@v4 
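Review bot: With `permissions:` declaring only `pull-requests: write`, every unlisted scope, including `contents`, is set to `none` for this job, so `actions/checkout@v4` on the next line may no longer be able to clone a private repository; add `contents: read` alongside it. The new `pull_request` trigger in the first hunk of this patch also runs the scan for pull requests from forks of a public repository, where repository secrets are not exposed and `GITHUB_TOKEN` is read-only, so `WSS_URL`/`API_KEY` would be empty and the later comment step could not write; if fork PRs are expected, either restrict the trigger or guard the secret-dependent steps with `if: github.event.pull_request.head.repo.full_name == github.repository`. The job's other steps are outside this hunk.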
@@ -57,6 +61,7 @@ jobs: PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN_MPAS_PRODUCT_CONTR }} API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }} EMAIL: ${{ secrets.MEND_API_EMAIL }} + id: report run: | data=$(cat < 52 | select(.==true)'| wc -l ) function print { - printf "############################################\n$1\n############################################\n" + printf "############################################\n$1\n############################################\nMend Scan Tool: https://sap.whitesourcesoftware.com/Wss/WSS.html#!login \n" } function restricted_license { @@ -114,13 +119,8 @@ jobs: ret_val="$ret_val$val" fi done - print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${issue_count}" - if [[ issue_count -gt 0 ]] - then - echo "${ret_val}" | jq . - fi - - return $issue_count + export VIOLATIONS_VERBOSE="${ret_val}" + export VIOLATIONS="${issue_count}" } print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}" 
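Review bot: The `export` on `VIOLATIONS_VERBOSE` and `VIOLATIONS` is unnecessary — `restricted_license` runs in the same shell as its caller, so a plain assignment is already visible afterwards — and exporting places the full verbose JSON into the environment of every `curl`/`jq` child started later; `VIOLATIONS_VERBOSE="${ret_val}"` and `VIOLATIONS="${issue_count}"` are enough. The rewritten `printf` still embeds `$1` in the format string; `printf '############################################\n%s\n############################################\nMend Scan Tool: %s \n' "$1" "https://sap.whitesourcesoftware.com/Wss/WSS.html#!login"` keeps a stray `%` in the message from being interpreted. The rest of `restricted_license`, including where `issue_count` is initialised, sits outside this hunk.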
@@ -149,7 +149,40 @@ jobs: restricted_license + print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${VIOLATIONS}" + if [[ $VIOLATIONS -gt 0 ]] + then + echo "${VIOLATIONS_VERBOSE}" | jq . + fi + + echo "security_vulnerability_no=$security_vulnerability_no" >> $GITHUB_OUTPUT + echo "major_updates_pending_no=$major_updates_pending_no" >> $GITHUB_OUTPUT + echo "requires_review_no=$requires_review_no" >> $GITHUB_OUTPUT + echo "high_license_risk_no=$high_license_risk_no" >> $GITHUB_OUTPUT + echo "violations=$VIOLATIONS" >> $GITHUB_OUTPUT + if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]] then - exit 1 + echo "status=x" >> $GITHUB_OUTPUT + else + echo "status=white_check_mark" >> $GITHUB_OUTPUT fi + + - name: Comment Mend Status on PR + uses: thollander/actions-comment-pull-request@v2.4.3 + with: + message: | + # Mend Scan Summary: :${{ steps.report.outputs.status }}: + | VIOLATION DESCRIPTION | NUMBER OF VIOLATIONS | + | -------------------------------------------- | --------------------------- | + | HIGH/CRITICAL SECURITY VULNERABILITIES | ${{ steps.report.outputs.security_vulnerability_no }} | + | MAJOR UPDATES AVAILABLE | ${{ steps.report.outputs.major_updates_pending_no }} | + | LICENSE REQUIRES REVIEW | ${{ steps.report.outputs.requires_review_no }} | + | LICENSE RISK HIGH | ${{ steps.report.outputs.high_license_risk_no }} | + | RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY | ${{ steps.report.outputs.VIOLATIONS }} | + + [Detailed Logs: mend-scan-> Generate Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) + [Mend UI](https://sap.whitesourcesoftware.com/Wss/WSS.html#!login) + comment_tag: tag_mend_scan + + From d795fb93f146c2e078bc3cd517bfb1464cea172d Mon Sep 17 00:00:00 2001 
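Review bot: The final condition still tests the never-assigned lowercase `violations` (`[[ violations -gt 0 ]]` evaluates an unset name to 0) while the restricted-license count now lives in `VIOLATIONS`, so that category can never flip `status` to `x`; the comment template likewise reads `steps.report.outputs.VIOLATIONS` although the output is written as `violations`, so settle on one spelling — `[[ $VIOLATIONS -gt 0 ]]` in the script and `steps.report.outputs.violations` in the template. Replacing `exit 1` with a status output means the job now succeeds whatever the scan finds, so a branch-protection rule on this workflow no longer blocks merges with high/critical findings; if that is unintended, add a final step that fails when `status` is `x`, after the comment has been posted. `thollander/actions-comment-pull-request@v2.4.3` runs with `pull-requests: write` but is pinned by a mutable tag; pinning it to the commit SHA makes it harder for a retagged release to change what runs with that permission. The comment step also runs on the `schedule` and `push` triggers where there is no pull request; guarding it with `if: github.event_name == 'pull_request'` avoids a failing or no-op step there (how the action behaves without a PR is not visible here).
```yaml
            # … unchanged: GITHUB_OUTPUT writes …
            if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ $high_license_risk_no -gt 0 ]] || [[ $VIOLATIONS -gt 0 ]]
            # … unchanged: status output, Comment Mend Status on PR step …
      - name: Fail on Mend violations
        if: steps.report.outputs.status == 'x'
        run: exit 1
```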
From: Shivendu Verma <126680569+shivenduverma-sap@users.noreply.github.com> Date: Thu, 23 Nov 2023 10:21:13 +0100 Subject: [PATCH 9/9] Add Repo name --- .github/workflows/mend_scan.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml index c2573b0..903b721 100644 --- a/.github/workflows/mend_scan.yaml +++ b/.github/workflows/mend_scan.yaml @@ -172,7 +172,8 @@ jobs: uses: thollander/actions-comment-pull-request@v2.4.3 with: message: | - # Mend Scan Summary: :${{ steps.report.outputs.status }}: + ## Mend Scan Summary: :${{ steps.report.outputs.status }}: + ### Repository: ${{ github.repository }} | VIOLATION DESCRIPTION | NUMBER OF VIOLATIONS | | -------------------------------------------- | --------------------------- | | HIGH/CRITICAL SECURITY VULNERABILITIES | ${{ steps.report.outputs.security_vulnerability_no }} |