Skip to content

Commit

Permalink
Run vulnerability scan on latest release version
Browse files Browse the repository at this point in the history
Previously the scan ran on the current state of the codebase. This fails
to identify vulnerabilities in dependencies for the latest release
version if those dependencies have already been updated in the
development codebase. The gating factor for whether a new release is
required should be whether the previous release contains
vulnerabilities.

This change runs the scheduled vulnerability scan on the latest release
tag. It also adds vulnerability scanning to pull request builds. This is
purely informational. A scan failure does not fail the pull request
build.

Signed-off-by: Mark S. Lewis <[email protected]>
  • Loading branch information
bestbeforetoday committed Oct 14, 2024
1 parent bb8cd6b commit d804a02
Show file tree
Hide file tree
Showing 5 changed files with 61 additions and 25 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/pull_request.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ jobs:
test:
uses: ./.github/workflows/test.yml

scan:
uses: ./.github/workflows/scan.yml

pull-request:
needs: test
name: Pull request success
Expand Down
10 changes: 2 additions & 8 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,10 +34,7 @@ jobs:
with:
distribution: 'temurin'
java-version: '11'
cache: 'gradle'
- name: Validate Gradle wrapper
uses: gradle/actions/wrapper-validation@v3
- uses: gradle/actions/setup-gradle@v3
- uses: gradle/actions/setup-gradle@v4
- name: Push to registry ${{ matrix.publish_target }}
run: |
set -xev
Expand Down Expand Up @@ -69,10 +66,7 @@ jobs:
with:
distribution: 'temurin'
java-version: '11'
cache: 'gradle'
- name: Validate Gradle wrapper
uses: gradle/actions/wrapper-validation@v3
- uses: gradle/actions/setup-gradle@v3
- uses: gradle/actions/setup-gradle@v4
- name: Build the dependencies needed for the image
run: ./gradlew :fabric-chaincode-docker:copyAllDeps
- name: Set up QEMU
Expand Down
33 changes: 33 additions & 0 deletions .github/workflows/scan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
name: "Scheduled vulnerability scan"

on:
workflow_call:
inputs:
ref:
description: Branch, tag or SHA to scan.
type: string
required: false
default: ""

permissions:
contents: read

jobs:
osv-scanner:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 11
- uses: gradle/actions/setup-gradle@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: stable
cache: false
- name: Scan
run: make scan
24 changes: 16 additions & 8 deletions .github/workflows/scheduled-scan.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
name: "Scheduled vulnerability scan"

on:
pull_request:
branches:
- main
schedule:
- cron: "20 3 * * *"
workflow_dispatch:
Expand All @@ -9,13 +12,18 @@ permissions:
contents: read

jobs:
osv-scanner:
latest-release-version:
name: Get latest release tag
runs-on: ubuntu-latest
outputs:
tag_name: ${{ steps.tag-name.outputs.value }}
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: stable
- name: Scan
run: make scan
- id: tag-name
run: echo "value=$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output '.tag_name')" >> "${GITHUB_OUTPUT}"

scan:
name: Scan ${{ needs.latest-release-version.outputs.tag_name }}
needs: latest-release-version
uses: ./.github/workflows/scan.yml
with:
ref: ${{ needs.latest-release-version.outputs.tag_name }}
16 changes: 7 additions & 9 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ name: Test
on:
workflow_call:
inputs:
checkout-ref:
ref:
default: ''
required: false
type: string
Expand All @@ -18,14 +18,12 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.checkout-ref }}
ref: ${{ inputs.ref }}
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 11
- name: Validate Gradle wrapper
uses: gradle/actions/wrapper-validation@v3
- uses: gradle/actions/setup-gradle@v3
- uses: gradle/actions/setup-gradle@v4
- name: Build and Unit test
run: ./gradlew :fabric-chaincode-shim:build

Expand All @@ -34,11 +32,12 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.checkout-ref }}
ref: ${{ inputs.ref }}
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 11
- uses: gradle/actions/setup-gradle@v4
- name: Populate chaincode with latest java-version
run: |
./gradlew -I $GITHUB_WORKSPACE/fabric-chaincode-integration-test/chaincodebootstrap.gradle -PchaincodeRepoDir=$GITHUB_WORKSPACE/fabric-chaincode-integration-test/src/contracts/fabric-shim-api/repository publishShimPublicationToFabricRepository
Expand All @@ -58,7 +57,6 @@ jobs:
run: |
peer version
weft --version
- uses: gradle/actions/setup-gradle@v3
- name: Integration Tests
run: ./gradlew :fabric-chaincode-integration-test:build

Expand All @@ -67,11 +65,11 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.checkout-ref }}
ref: ${{ inputs.ref }}
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 11
- uses: gradle/actions/setup-gradle@v3
- uses: gradle/actions/setup-gradle@v4
- name: Build Docker image
run: ./gradlew :fabric-chaincode-docker:buildImage

0 comments on commit d804a02

Please sign in to comment.