ci: vulnerability scan tweaks (#198)

* ci: vulnerability scan tweaks Temporarily bump dependency-check to current release. I don't see a need to use a custom path for the nvd database, so turfed that complexity. Let it go to its default spot under ~/.m2/repository... Don't base github action cache on date, base it instead on deps and bb.edn. Use action/cache/restore and actions/cache/save to control caching. This should allow us to save nvd database for subsequent runs. Closes #197
clj-commons · Jul 2, 2024 · ea2033c · ea2033c
1 parent e5b2c7f
commit ea2033c
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 20 deletions.
diff --git a/.github/workflows/nvd_scanner.yml b/.github/workflows/nvd_scanner.yml
@@ -17,23 +17,68 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v4
 
-    - name: Setup
-      uses: ./.github/workflows/shared-setup
+    - name: Setup Java
+      uses: actions/setup-java@v4
       with:
-        jdk: 11
+        distribution: 'temurin'
+        java-version: 21
 
-    - name: Get Date
-      id: get-date
+    - name: Install Clojure Tools
+      uses: DeLaGuardo/[email protected]
+      with:
+        cli: 'latest'
+        bb: 'latest'
+
+    - name: Generate Cache Key File
+      # go with bash instead of bb, we have not downloaded our deps yet
       run: |
-        echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
+        curl --fail -s \
+        https://clojars.org/api/artifacts/nvd-clojure | \
+        jq ".latest_release" | \
+        tee nvd_check_helper_project/nvd-clojure-version.txt
 
-    - name: Cache NVD Database
-      uses: actions/cache@v4
+    - name: Restore NVD DB & Clojure Deps Cache
+      # nvd caches its db under ~/.m2/repository/org/owasp so that it can
+      # conveniently be cached with deps
+      uses: actions/cache/restore@v4
       with:
-        path: /home/runner/.nvd-cache/
-        key: nvd-cache-we-are-happy-to-share-across-branches-${{ steps.get-date.outputs.date }}
+        path: |
+          ~/.m2/repository
+          ~/.deps.clj
+          ~/.gitlibs
+        # because we are using a RELEASE version of nvd-clojure
+        # we also include its version
+        key: |
+          nvd-${{ hashFiles(
+            'nvd_check_helper_project/nvd-clojure-version.txt',
+            'nvd_check_helper_project/deps.edn',
+            'nvd_check_helper_project/bb.edn',
+            'bb.edn') }}
+        restore-keys: |
+          nvd-
+
+    - name: Download Clojure deps
+      run: clojure -X:deps prep
+      working-directory: nvd_check_helper_project
 
     - name: Run NVD Scanner
       env:
         NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
       run: bb nvd-scan
+
+    - name: Save NVD DB & Clojure Deps Cache
+      if: always() # always cache regardless of outcome of nvd scan
+      uses: actions/cache/save@v4
+      with:
+        path: |
+          ~/.m2/repository
+          ~/.deps.clj
+          ~/.gitlibs
+        # we tack on github.run_id to uniquely identify the cache
+        # the next cache restore will find the best (and most current) match
+        key: |
+          nvd-${{ hashFiles(
+            'nvd_check_helper_project/nvd-clojure-version.txt',
+            'nvd_check_helper_project/deps.edn',
+            'nvd_check_helper_project/bb.edn',
+            'bb.edn') }}-${{ github.run_id }}
diff --git a/bb.edn b/bb.edn
@@ -37,14 +37,11 @@
                   (status/line :warn "Do be sure there is a good reason to ugprade org.apache.maven.* deps") )}
          nvd-scan
          {:doc "Check for security vulnerabilities in dependencies"
-          :task (let [config (if (System/getenv "CI")
-                               "./github_actions_config.json" ;; to support CI caching
-                               "./local_config.json")]
-                  (status/line :detail "Using config: %s" config)
+          :task (let [cp (with-out-str (clojure "-Spath"))]
                   (clojure {:dir "./nvd_check_helper_project"}
                            "-J-Dclojure.main.report=stderr -M -m nvd.task.check"
-                           config
-                           (with-out-str (clojure "-Spath"))))}
+                           "./config.json"
+                           cp))}
          pubcheck
          {:doc "Run only publish checks (without publishing)"
           :task publish/pubcheck}

diff --git a/nvd_check_helper_project/local_config.json → nvd_check_helper_project/config.json b/nvd_check_helper_project/local_config.json → nvd_check_helper_project/config.json
diff --git a/nvd_check_helper_project/deps.edn b/nvd_check_helper_project/deps.edn
@@ -2,4 +2,6 @@
         ;; it is generally considered bad practice to use RELEASE, but we always want the latest
         ;; security tooling
         #_:clj-kondo/ignore
-        {:mvn/version "RELEASE"}}}
+        {:mvn/version "RELEASE"}
+        ;; temporarily try bumping transitive dep to current release
+        org.owasp/dependency-check-core {:mvn/version "10.0.0"}}}
diff --git a/nvd_check_helper_project/github_actions_config.json b/nvd_check_helper_project/github_actions_config.json