Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Reports to Mend Scans #586

Merged
merged 10 commits into from
Nov 23, 2023
Merged

Add Reports to Mend Scans #586

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
6bfe727
Update mend.config
shivenduverma-sap Nov 16, 2023
95d481d
Update mend_scan.yaml
shivenduverma-sap Nov 16, 2023
a692398
Update mend.config
shivenduverma-sap Nov 16, 2023
030f769
Update mend_scan.yaml
shivenduverma-sap Nov 16, 2023
3d13eb3
Update mend_scan.yaml
shivenduverma-sap Nov 17, 2023
c89f8aa
Update mend_scan.yaml
shivenduverma-sap Nov 17, 2023
5a625fb
Update mend_scan.yaml
shivenduverma-sap Nov 23, 2023
7b4b666
Update mend_scan.yaml
shivenduverma-sap Nov 23, 2023
8a4174c
Merge branch 'main' into feature/test-mend
shivenduverma-sap Nov 23, 2023
c793dff
Add Repo name
shivenduverma-sap Nov 23, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 17 additions & 10 deletions .github/workflows/mend.config
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@
# WhiteSource Unified-Agent configuration file for GO
# GENERAL SCAN MODE: Package Managers only
####################################################################

#Configuration Reference: https://docs.mend.io/bundle/unified_agent/page/unified_agent_configuration_parameters.html#General

# !!! Important for WhiteSource "DIST - *" Products:
# Please set
# checkPolicies=false
Expand All @@ -21,33 +22,38 @@ failErrorLevel=ALL
# failBuildOnPolicyViolation:
# If the flag is true, the Unified Agent exit code will be the result of the policy check.
# If the flag is false, the Unified Agent exit code will be the result of the scan.
forceUpdate.failBuildOnPolicyViolation=false
forceUpdate.failBuildOnPolicyViolation=true
# offline parameter is important and need to be false
offline=false

# ignoreSourceFiles parameter is important and need to be true
# IMPORTANT: This parameter is going to be deprecated in future
# and will be replaced by a new parameter, fileSystemScan.
ignoreSourceFiles=true
# ignoreSourceFiles=true
# fileSystemScan parameter is important and need to be false as a
# replacement for ignoreSourceFiles=true and overrides the
# soon-to-be-deprecated ignoreSourceFiles.
fileSystemScan=false
# soon-to-be-deprecated ignoreSourceFiles. To scan source files, we need to enable it.
fileSystemScan=true
# resolveAllDependencies is important and need to be false
resolveAllDependencies=false

#wss.connectionTimeoutMinutes=60
# URL to your WhiteSource server.
# wss.url=https://sap.whitesourcesoftware.com/agent


####################################################################
# GO Configuration
####################################################################

# resolveDependencies parameter is important and need to be true
#if you are using 'modules' as a dependency manager, then the go.resolveDependencies is set to false.
#For any other dependency manager, this value is set to true.

go.resolveDependencies=true
#defaut value for ignoreSourceFiles is set to false
# ignoreSourceFiles parameter is important and need to be true
go.ignoreSourceFiles=true
# To scan source files, we need to disable it.
go.ignoreSourceFiles=false
go.collectDependenciesAtRuntime=false
# dependencyManager: Determines the Go dependency manager to use when scanning a Go project.
# Valid values are 'dep', 'godep', 'vndr', 'gogradle', 'glide', 'govendor', 'gopm' and 'vgo'
Expand All @@ -61,12 +67,13 @@ go.collectDependenciesAtRuntime=false
#Please comment these below 4 lines that has 'go.modules' prefix if you are not using the 'modules' dependency manager.
# Default value is true. If set to true, it resolves Go Modules dependencies.
go.modules.resolveDependencies=true
#default value is true. If set to true, this will ignore Go source files during the scan.
#go.modules.ignoreSourceFiles=true
#default value is true. If set to true, this will ignore Go source files during the scan.
#To scan source files, we need to disable it.
go.modules.ignoreSourceFiles=false
#default value is true. If set to true, removes duplicate dependencies during Go Modules dependency resolution.
#go.modules.removeDuplicateDependencies=false
#default value is false. if set to true, scans Go Modules project test dependencies.
#go.modules.includeTestDependencies=true
go.modules.includeTestDependencies=true
######################


Expand Down
156 changes: 154 additions & 2 deletions .github/workflows/mend_scan.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,28 @@ name: Mend Security Scan
on:
schedule:
- cron: '0 0 * * 0'

push:
branches:
- main
pull_request:
branches:
- main
workflow_dispatch:
inputs:
logLevel:
description: 'Log level'
required: true
default: 'debug'
type: choice
options:
- info
- warning
- debug
jobs:
mend-scan:
runs-on: ubuntu-latest

permissions:
pull-requests: write
steps:
- name: Checkout Code
uses: actions/checkout@v4
Expand All @@ -23,6 +40,11 @@ jobs:
with:
go-version-file: '${{ github.workspace }}/go.mod'

- name: 'Setup jq'
uses: dcarbone/install-jq-action@v2.1.0
with:
version: '1.7'

- name: Download Mend Universal Agent
run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar

Expand All @@ -34,4 +56,134 @@ jobs:
WSS_URL: ${{ secrets.MEND_URL }}
API_KEY: ${{ secrets.MEND_API_TOKEN }}
CONFIG_FILE: './.github/workflows/mend.config'

- name: Generate Report
env:
USER_KEY: ${{ secrets.MEND_API_USER_KEY }}
PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN_OCM }}
API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }}
EMAIL: ${{ secrets.MEND_API_EMAIL }}
id: report
run: |
data=$(cat <<EOF
{
"email": "${EMAIL}",
"orgToken": "${API_KEY}",
"userKey": "${USER_KEY}"
}
EOF
)

login_token=$(curl -X POST 'https://api-sap.whitesourcesoftware.com/api/v2.0/login' \
--header 'Content-Type: application/json' --silent \
--data "${data}" | jq -r .retVal.jwtToken )

security_vulnerability=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/alerts/security?search=status%3Aequals%3AACTIVE%3Bscore%3Abetween%3A6%2C10%3B" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}")

major_updates_pending=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/alerts/legal?search=status%3Aequals%3AACTIVE%3BavailableVersionType%3Aequals%3AMAJOR" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}" )

requires_review=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3ARequires%20Review" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}")

high_license_risk=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?pageSize=1000" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}")

security_vulnerability_no=$(echo "${security_vulnerability}" | jq .additionalData.totalItems )
major_updates_pending_no=$(echo "${major_updates_pending}" | jq -r .additionalData.totalItems )
requires_review_no=$(echo "${requires_review}" |jq -r .additionalData.totalItems )
high_license_risk_no=$(echo "${high_license_risk}" | jq -r '.retVal[].riskScore.riskScore | select( . != null ) > 52 | select(.==true)'| wc -l )

function print {
printf "############################################\n$1\n############################################\nMend Scan Tool: https://sap.whitesourcesoftware.com/Wss/WSS.html#!login \n"
}

function restricted_license {
declare -a sap_restricted_licenses=("LGPL" "GPL" "Affero%20GPL" "MPL" "CDDL" "EPL")
ret_val=""
issue_count=0
for key in "${!sap_restricted_licenses[@]}"; do
api_resp=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3A${sap_restricted_licenses[$key]}" \
--header 'Content-Type: application/json' --silent \
--header "Authorization: Bearer ${login_token}")

api_resp_no=$(echo "${api_resp}" | jq .additionalData.totalItems )
issue_count=$((issue_count+api_resp_no))

if [[ $api_resp_no -gt 0 ]]
then
val=$(echo "${api_resp}" | jq -r .retVal[] )
ret_val="$ret_val$val"
fi
done
export VIOLATIONS_VERBOSE="${ret_val}"
export VIOLATIONS="${issue_count}"
}

print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}"
if [[ $security_vulnerability_no -gt 0 ]]
then
echo "${security_vulnerability}" | jq -r .retVal[]
fi

print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}"
if [[ $major_updates_pending_no -gt 0 ]]
then
echo "${major_updates_pending}" | jq -r .retVal[]
fi

print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license"
if [[ $requires_review_no -gt 0 ]]
then
echo "${requires_review}" | jq -r .retVal[]
fi

print "LICENSE RISK HIGH: ${high_license_risk_no}"
if [[ high_license_risk_no -gt 0 ]]
then
echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html"
fi

restricted_license

print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${VIOLATIONS}"
if [[ $VIOLATIONS -gt 0 ]]
then
echo "${VIOLATIONS_VERBOSE}" | jq .
fi

echo "security_vulnerability_no=$security_vulnerability_no" >> $GITHUB_OUTPUT
echo "major_updates_pending_no=$major_updates_pending_no" >> $GITHUB_OUTPUT
echo "requires_review_no=$requires_review_no" >> $GITHUB_OUTPUT
echo "high_license_risk_no=$high_license_risk_no" >> $GITHUB_OUTPUT
echo "violations=$VIOLATIONS" >> $GITHUB_OUTPUT

if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]]
then
echo "status=x" >> $GITHUB_OUTPUT
else
echo "status=white_check_mark" >> $GITHUB_OUTPUT
fi

- name: Comment Mend Status on PR
uses: thollander/actions-comment-pull-request@v2.4.3
with:
message: |
## Mend Scan Summary: :${{ steps.report.outputs.status }}:
### Repository: ${{ github.repository }}
| VIOLATION DESCRIPTION | NUMBER OF VIOLATIONS |
| -------------------------------------------- | --------------------------- |
| HIGH/CRITICAL SECURITY VULNERABILITIES | ${{ steps.report.outputs.security_vulnerability_no }} |
| MAJOR UPDATES AVAILABLE | ${{ steps.report.outputs.major_updates_pending_no }} |
| LICENSE REQUIRES REVIEW | ${{ steps.report.outputs.requires_review_no }} |
| LICENSE RISK HIGH | ${{ steps.report.outputs.high_license_risk_no }} |
| RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY | ${{ steps.report.outputs.VIOLATIONS }} |

[Detailed Logs: mend-scan-> Generate Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
[Mend UI](https://sap.whitesourcesoftware.com/Wss/WSS.html#!login)
comment_tag: tag_mend_scan
Loading