ACS-9044 POC - Remove excluded files from alfresco.war before Veracod…

…e SAST
Alfresco · Dec 18, 2024 · 958e51a · 958e51a
1 parent 4a45858
commit 958e51a
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -83,12 +83,14 @@ jobs:
         run: |
           bash ./scripts/ci/init.sh
           bash ./scripts/ci/build.sh
+      - name: "Remove excluded files"
+        run: bash ./scripts/ci/remove-sast-exclusions.sh
       - name: "Run SAST Scan"
         uses: veracode/[email protected]
         with:
           vid: '${{ secrets.VERACODE_API_ID }}'
           vkey: '${{ secrets.VERACODE_API_KEY }}'
-          file: "distribution/target/alfresco.war"
+          file: "distribution/target/alfresco-reduced.war"
           fail_build: true
           project_name: acs-packaging-acs
           issue_details: true

diff --git a/scripts/ci/SAST-exclusion-list.txt b/scripts/ci/SAST-exclusion-list.txt
@@ -0,0 +1 @@
+spring-security*
diff --git a/scripts/ci/remove-sast-exclusions.sh b/scripts/ci/remove-sast-exclusions.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+echo "=========================== Excluding Files from Veracode SAST ==========================="
+set -ex
+pushd "$(dirname "${BASH_SOURCE[0]}")/../../"
+
+# Copy alfresco.war file
+/bin/cp -f ./distribution/target/alfresco.war ./distribution/target/alfresco-reduced.war
+
+# Remove files to be excluded from Veracode SAST
+exclusions="./scripts/ci/SAST-exclusion-list.txt"
+if [ -e $exclusions ]
+then
+    while read -r line
+    do
+      echo "Removing WEB-INF/lib/$line"
+      zip -d ./packaging/war/target/alfresco-reduced.war "WEB-INF/lib/$line" || true
+    done < "$exclusions"
+else
+    echo "No files to be excluded from SAST"
+fi
+
+popd
+set +ex
+echo "=========================== Finishing Excluding Files from Veracode SAST =========================="