ACSA-252: Switch SCA scan from maven to srcclr #691

Merged: 15 commits, Jul 31, 2024
23 changes: 15 additions & 8 deletions .github/actions/veracode/action.yml
@@ -4,20 +4,27 @@ inputs:
srcclr-api-token:
description: "Agent API Token"
required: true
srcclr-install-default-options:
description: Default options for Source Clear scan
required: false
default: '-DskipTests -Dmaven.javadoc.skip=true'
srcclr-install-options:
description: Additional options for Source Clear scan
srcclr-project-ext:
description: "Veracode project name extension"
required: false
runs:
using: "composite"
steps:
- name: "Install srcclr CLI tool"
shell: bash
run: |
# Install srcclr CLI tool (Veracode) as per https://docs.veracode.com/r/t_sc_cli_agent
curl -sSL 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xdf7dd7a50b746dd4' | sudo gpg --dearmor -o /usr/share/keyrings/veracode-sca-archive.gpg
echo 'deb [signed-by=/usr/share/keyrings/veracode-sca-archive.gpg] https://download.sourceclear.com/ubuntu stable/' | sudo tee /etc/apt/sources.list.d/veracode-sca.list
sudo apt-get update
sudo apt-get install srcclr
- name: "Add Veracode project name extension"
shell: bash
if: srcclr-project-ext != ''
run: |
echo "SRCCLR_SCM_URI=${{ github.server_url }}/${{ github.repository }}/${{ inputs.srcclr-project-ext }}" >> $GITHUB_ENV
- name: "Run scanning"
run: ${{ github.action_path }}/source_clear.sh
shell: bash
env:
SRCCLR_API_TOKEN: ${{ inputs.srcclr-api-token }}
SRCCLR_INSTALL_DEFAULT_OPTIONS: ${{ inputs.srcclr-install-default-options }}
SRCCLR_INSTALL_OPTIONS: ${{ inputs.srcclr-install-options }}
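Review bot: the step condition `if: srcclr-project-ext != ''` names the input without its context, so the expression does not resolve; in a composite action the step must read it as `if: inputs.srcclr-project-ext != ''`, otherwise the step that sets `SRCCLR_SCM_URI` is either rejected at parse time or never behaves as intended. Two smaller points in the same hunk: `sudo apt-get install srcclr` should be `sudo apt-get install -y srcclr` so a dependency confirmation prompt cannot abort the non-interactive runner, and the redirect should quote the variable, `>> "$GITHUB_ENV"`. Finally, the `env:` block still forwards `SRCCLR_INSTALL_DEFAULT_OPTIONS` and `SRCCLR_INSTALL_OPTIONS` to `source_clear.sh`, which after this PR no longer runs `mvn`; if those inputs stay they are dead and should be dropped together with their `inputs:` entries, and if they are being removed the README should say so, since callers that pass them will break (consistent with the v6.0.0 bump).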
5 changes: 1 addition & 4 deletions .github/actions/veracode/source_clear.sh
@@ -4,10 +4,7 @@ echo "=========================== Starting SourceClear Script ==================
PS4="\[\e[35m\]+ \[\e[m\]"
set +e -v -x

mvn -B -q clean install \
${SRCCLR_INSTALL_DEFAULT_OPTIONS} ${SRCCLR_INSTALL_OPTIONS} \
com.srcclr:srcclr-maven-plugin:scan \
-Dcom.srcclr.apiToken=${SRCCLR_API_TOKEN} > scan.log
srcclr scan > scan.log

SUCCESS=$? # this will read exit code of the previous command

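Review bot: `srcclr scan > scan.log` redirects only stdout, and with `set -x` active the trace and any CLI errors go to stderr; if a later step inspects `scan.log` for findings, decide whether it should be `srcclr scan > scan.log 2>&1`, and confirm `SUCCESS=$?` still sees the exit status of `srcclr scan` rather than of the redirect (it does, as written). Worth stating in the PR description: the removed invocation put the token on the command line as `-Dcom.srcclr.apiToken=${SRCCLR_API_TOKEN}`, which `set -x` expanded into the job trace; reading it from the `SRCCLR_API_TOKEN` environment variable keeps it out of the xtrace output. Since the explicit `mvn -B -q clean install` with `${SRCCLR_INSTALL_DEFAULT_OPTIONS}` is gone, the former defaults `-DskipTests -Dmaven.javadoc.skip=true` are no longer applied anywhere in this script; the README's pointer to the `custom_maven_exec` directive in `srcclr.yml` is now the only way for a repository to get them back, so document that explicitly.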
5 changes: 4 additions & 1 deletion docs/README.md
@@ -1537,12 +1537,15 @@ Validates Maven dependency graph versions to ensure all target includes artifact

Runs Veracode Source Clear Scan

To add custom maven execution instructions, for skipping test modules etc., use https://docs.veracode.com/r/Java_Scan_Directives#custom_maven_exec
scan directive in srcclr.yml file of the scanned repository.

```yaml
- uses: Alfresco/alfresco-build-tools/.github/actions/veracode@ref
#continue-on-error: true # uncomment this line to prevent the Veracode scan step from failing the whole build
with:
srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
srcclr-install-options: '-DskipTestModules' # optional, additional maven options
srcclr-project-ext: '' # optional, sets Veracode project extension
```

### github cache cleanup
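Review bot: the example shows `srcclr-project-ext: ''`, which exercises the option without showing its effect; use a representative non-empty value and say what it produces (per `action.yml` it is appended to `SRCCLR_SCM_URI` as `<server_url>/<repository>/<ext>`). The line `srcclr-install-options: '-DskipTestModules' # optional, additional maven options` contradicts the new paragraph that sends users to the `custom_maven_exec` scan directive in `srcclr.yml`; if that input is being removed it should not remain in the example, and a short note on migrating from the maven-based inputs would help callers hit by the major bump.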
2 changes: 1 addition & 1 deletion version.txt
@@ -1 +1 @@
v5.34.0
v6.0.0
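Review bot: bumping `v5.34.0` to `v6.0.0` correctly signals a breaking change for this action's inputs, but nothing in the diff records it for callers; add a changelog entry naming the removed maven-based inputs and the `srcclr.yml` directive that replaces them.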