Merge branch 'main' into infra/docker_for_macos

.github/workflows/build-and-test-backend.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches: [ "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [ "main", "dev" ]
   workflow_dispatch:
   schedule:
     - cron: "0 3 * * *" # 3am every night

.github/workflows/build-and-test-frontend.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches: [ "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [ "main", "dev" ]
   workflow_dispatch:
   schedule:
     - cron: "0 3 * * *" # 3am every night
@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-        
+
       - name: Install and Build Frontend
         uses: ./.github/actions/install-and-build-frontend
 

.github/workflows/codeql.yml

@@ -4,11 +4,7 @@
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
 #
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
+
 name: "[Analyse] CodeQL"
 
 on:
@@ -27,8 +23,8 @@ jobs:
     #   - https://gh.io/supported-runners-and-hardware-resources
     #   - https://gh.io/using-larger-runners
     # Consider using larger runners for possible analysis time improvements.
-    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
-    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    runs-on: "ubuntu-latest"
+    timeout-minutes: 360
     permissions:
       actions: read
       contents: read
@@ -58,12 +54,13 @@ jobs:
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
 
-          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          # queries: security-extended,security-and-quality
+      # If you wish to specify custom queries, you can do so here or in a config file.
+      # By default, queries listed here will override any specified in a config file.
+      # Prefix the list here with "+" to use these queries and those in the config file.
+
+      # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+      # queries: security-extended,security-and-quality
 
       # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
       # If this step fails, then you should remove it and run the build manually (see below)
@@ -80,6 +77,15 @@ jobs:
       #     echo "Run, Build Application using script"
       #     ./location_of_script_within_repo/buildscript.sh
 
+      #      - name: Build backend
+      #        run: |
+      #          make back-build
+      #
+      #
+      #      - name: Build frontend
+      #        run: |
+      #          make front-build
+
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
         with:

.github/workflows/trivy-db.yml

@@ -34,12 +34,13 @@ jobs:
       - name: Run Trivy on Postgres image
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "postgres:15.6-alpine"
-          format: sarif
+          image-ref: "postgres:15.7-alpine"
+          format: "sarif"
           output: "postgres-trivy-results.sarif"
-          severity: "CRITICAL,HIGH"
+          severity: "LOW,MEDIUM,HIGH,CRITICAL"
 
       - name: Upload Postgres Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: "postgres-trivy-results.sarif"
+          category: "trivy-db"

.github/workflows/trivy.yml

@@ -30,55 +30,34 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+      - name: Run Trivy on OS
+        uses: aquasecurity/trivy-action@master
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Get frontend version
-        uses: avides/[email protected]
-        id: frontend_version
+          scan-type: "fs"
+          ignore-unfixed: true
+          format: "sarif"
+          vuln-type: "os"
+          output: "trivy-results-os.sarif"
+          severity: "LOW,MEDIUM,HIGH,CRITICAL"
+
+      - name: Upload Trivy OS scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          file-to-check: frontend/package.json
-          only-return-version: true
-
-      - name: use-version-from-check
-        run: echo "The version we just got is ${{ steps.frontend_version.outputs.version }}"
+          sarif_file: "trivy-results-os.sarif"
+          category: "trivy-os"
 
-      - name: Build image
-        uses: docker/build-push-action@v4
-        env:
-          GITHUB_SHA: ${{ github.sha }}
-          VERSION: ${{ steps.frontend_version.outputs.version }}
-          ENV_PROFILE: "prod"
-        with:
-          context: .
-          builder: ${{ steps.buildx.outputs.name }}
-          file: infra/docker/app/DockerfileCI
-          push: true
-          tags: |
-            ghcr.io/mtes-mct/rapportnav2/rapportnav-app:${{ github.sha }}
-          build-args: |
-            VERSION=${{ env.VERSION }}
-            ENV_PROFILE=${{ env.ENV_PROFILE }}
-            GITHUB_SHA=${{ github.sha }}
-
-      - name: Run Trivy on Docker build
+      - name: Run Trivy on libraries
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "ghcr.io/mtes-mct/rapportnav2/rapportnav-app:${{ github.sha }}"
-          format: sarif
-          output: "trivy-results.sarif"
-          severity: "CRITICAL,HIGH"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+          scan-type: "fs"
+          ignore-unfixed: true
+          format: "sarif"
+          vuln-type: "library"
+          output: "trivy-results-libs.sarif"
+          severity: "HIGH,CRITICAL"
+
+      - name: Upload Trivy Library scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: "trivy-results.sarif"
+          sarif_file: "trivy-results-libs.sarif"
+          category: "trivy-libs"

.gitlab-ci.yml

@@ -6,16 +6,17 @@ stages:
   - tag-image-prod
   - pre-deploy-prod
   - deploy-prod
+
 variables:
   #  Configuration spécifique projet
   PROJECT_NAME:
-    value: rapportnav-v2
+    value: "rapportnav-v2"
     description: "Nom du projet à déployer"
-  BDD_IAMGE:
-    value: postgres:15.6-alpine
+  BDD_IMAGE:
+    value: "postgres:15.7-alpine"
     description: "Image de la base de données"
   PROJECT_VERSION:
-    value: "1.2.0"
+    value: "1.6.7"
     description: "Version du projet à déployer"
   SERVER_ENV_INT:
     value: "int-rapportnav-appli01"
@@ -26,37 +27,40 @@ variables:
   PROXY_HOST: "172.27.229.197"
   PROXY_PORT: "8090"
   TAG_VERSION: $NEXUS_DOCKER_REPO/$PROJECT_NAME:$PROJECT_VERSION
+  DEPLOYEMENT_PATH: "../.gitlab-ci/templates"
 
-  #Anlayse Trivy
-  FAIL_TRIVY_CONDITION:
-    value: "--severity CRITICAL"
+  # Anlayse Trivy
+  FAIL_TRIVY_CONDITION_LIBRARY:
+    value: "--severity HIGH,CRITICAL"
+    description: "Détermine la commande à passer à Trivy pour bloquer ou non le job. --severity CRITICAL fait échouer le job si Trivy remonte des anomalies critiques."
+  FAIL_TRIVY_CONDITION_OS:
+    value: "--severity LOW,MEDIUM,HIGH,CRITICAL"
     description: "Détermine la commande à passer à Trivy pour bloquer ou non le job. --severity CRITICAL fait échouer le job si Trivy remonte des anomalies critiques."
 
-  #Analyse Sonar
+  # Analyse Sonar
   FAIL_SONAR_CONDITION:
-    value: "-Dsonar.qualitygate.wait=false"
+    value: "-Dsonar.qualitygate.wait=true"
     description: "Détermine la commande à passer au scanner Sonar pour bloquer ou non le job. -Dsonar.qualitygate.wait=true fait échouer le job si le quality gate Sonar n'est pas conforme."
 
-  #Analyse Dependency-check
+  # Analyse Dependency-check
   FAIL_DP_CHECK_LVL:
     value: "8"
     description: "Niveau de la criticité limite de l'analyse Dependency-Check"
 
 include:
-  - "/jobs-build-CI/build_projet_gradle.yml"
-  - "/jobs-build-CI/build_projet_npm.yml"
-  - "/jobs-build-CI/construction_image.yml"
+  - "/.gitlab-ci/jobs/build_projet_gradle.yml"
+  - "/.gitlab-ci/jobs/build_projet_npm.yml"
+  - "/.gitlab-ci/jobs/construction_image.yml"
   - project: 'num3-exploitation/chaine-ci/template-analyse-deploiement'
     ref: main
-    file: '/jobs/analyse_trivy.yml'
-  - project: 'num3-exploitation/chaine-ci/template-analyse-deploiement'
+    file: "/jobs/analyse_trivy.yml"
+  - project: "num3-exploitation/chaine-ci/template-analyse-deploiement"
     ref: main
     file: '/jobs/analyse_sonar.yml'
-  - "/jobs-build-CI/analyse_dependency-check.yml"
+  - "/.gitlab-ci/jobs/analyse_dependency-check.yml"
   - project: 'num3-exploitation/chaine-ci/template-analyse-deploiement'
     ref: main
-    file: '/jobs/deploiement_image_int.yml'
-  - project: 'num3-exploitation/chaine-ci/template-analyse-deploiement'
+    file: "/jobs/deploiement_image_int.yml"
+  - project: "num3-exploitation/chaine-ci/template-analyse-deploiement"
     ref: main
-    file: '/jobs/deploiement_image_prod.yml'
-
+    file: "/jobs/deploiement_image_prod.yml"

jobs-build-CI/construction_image.yml → .gitlab-ci/jobs/construction_image.yml

@@ -28,9 +28,7 @@ construction_image:
     - docker login $NEXUS_DOCKER_REPO -u $NEXUS_USER -p $NEXUS_PWD
     - docker image push --all-tags $NEXUS_DOCKER_REPO/$PROJECT_NAME
     - docker logout $NEXUS_DOCKER_REPO
-    - docker login $NEXUS_DOCKER_PROXY -u $NEXUS_USER -p $NEXUS_PWD
-    - docker pull $NEXUS_DOCKER_PROXY/$BDD_IAMGE
-    - docker logout $NEXUS_DOCKER_PROXY
+
   tags:
     - build
 

.gitlab-ci/templates/docker-compose.yml.j2

@@ -0,0 +1,43 @@
+version: "3.7"
+
+services:
+  app:
+    image: "{{ docker_image_path }}"
+    container_name: rapportnav_backend
+    environment:
+      - ENV_DB_URL=jdbc:postgresql://db:5432/{{ rapportnav_psql_db }}?user={{ rapportnav_psql_user }}&password={{ rapportnav_psql_pwd }}
+      - SPRING_PROFILES_ACTIVE=prod
+    ports:
+      - 80:80
+    # volumes:
+    #  - "${RAPPORTNAV_LOGS_FOLDER}:/home/rapportnav/logs"
+    depends_on:
+      - db
+    restart: always
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1024m"
+
+  db:
+    image: "{{ nexus_proxy }}/postgres:15.7-alpine"
+    volumes:
+      - db:/var/lib/postgresql/data
+    restart: always
+    ports:
+      - "5432:5432"
+    environment:
+      POSTGRES_DB: {{ rapportnav_psql_db }}
+      POSTGRES_USER: {{ rapportnav_psql_user }}
+      POSTGRES_PASSWORD: {{ rapportnav_psql_pwd }}
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 1s
+      timeout: 1s
+      retries: 30
+
+volumes:
+  db:
+    name: rapportnavdb
+
+

Makefile

@@ -59,7 +59,7 @@ back-build:
 	cd $(BACKEND_DIR) && ./gradlew clean build
 
 back-test:
-	cd $(BACKEND_DIR) && ./gradlew test --debug
+	cd $(BACKEND_DIR) && ./gradlew test
 
 back-start-local:
 	cd $(BACKEND_DIR) && ./gradlew bootRun --args='--spring.profiles.active=local --spring.config.additional-location=$(BACKEND_CONFIGURATION_FOLDER)'