ACSA-252: Switch SCA scan from maven to srcclr #691
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 3 commits
July 18, 2024 21:14
Still needs some work when we get information about setting maven options to skip test modules in scans. Waiting on veracode feedback on this
dsibilio
reviewed
Jul 19, 2024
There was a problem hiding this comment.
Personally I wouldn't merge this until:
- we test it on a repository that relies on a
srcclr.ymlfile to exclude provided dependencies, and verify the findings make sense - we test it on a repository that has test modules to skip (e.g.: https://github.com/Alfresco/alfresco-transform-service/blob/b4e2855a8fb808104d40520061c310d74649e399/.github/workflows/ci.yml#L58 and https://github.com/Alfresco/hxinsight-connector)
- we introduce more customization options if necessary (allow arguments override / passthrough for the srcclr command via action inputs)
dsibilio
reviewed
Jul 19, 2024
gionn
reviewed
Jul 19, 2024
added 3 commits
July 24, 2024 15:54
Action needs to be migrated on repositories using srcclr-install-options, to change it into custom_maven_exec scan directive in srcclr.yml instructions
mstrankowski
commented
Jul 24, 2024
mstrankowski
commented
Jul 24, 2024
gionn
reviewed
Jul 24, 2024
dsibilio
reviewed
Jul 25, 2024
dsibilio
reviewed
Jul 25, 2024
added 3 commits
July 25, 2024 18:52
Add readme descriptions that should help with usage
gionn
previously approved these changes
Jul 26, 2024
We don't want to display the report to all github users that aren't authorised.
added 2 commits
July 26, 2024 18:53
Works for both regular pushes and PRs, tested on testing branch stemming from alfresco-enterprise-repo/7.4.N
mstrankowski
commented
Jul 30, 2024
There was a problem hiding this comment.
dsibilio
reviewed
Jul 31, 2024
dsibilio
approved these changes
Jul 31, 2024
There was a problem hiding this comment.
Great work! LGTM.
IMO it would be great to have an issue or a Confluence page where we document the trickiest parts of migrating from build-tools 5.x to 6.x due to this change.
E.g.: how to deal with test modules, custom Maven commands, and whatever else may not be immediately apparent from this PR
gionn
approved these changes
Jul 31, 2024
mstrankowski
deleted the
feature/ACSA-252_replace_veracode_plugin_with_cli
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Checklist
Description
Veracode is moving away from maven/gradle plugins and into their CLI tool "srcclr", we can also use the new tools ability to automatically create different projects in Veracode and link them to different application versions (despite same agent-based scan being set). So giving 1 additional input parameter on this action, project extension, should allow for neat linking of ACS_EXT_MASTER, ACS_EXT_MASTER_7_4, ACS_EXT_MASTER_7_3, ACS_EXT_MASTER_7_2 etc. with agent-based scan results from their branches without much manual work - just link the project to app in veracode and set the default branch for the project.
Still needs some work when we get information about setting maven options to skip test modules in scans. Waiting on veracode feedback on this.