ACSA-252: Switch SCA scan from maven to srcclr

.github/actions/veracode/action.yml

@@ -4,20 +4,35 @@ inputs:
   srcclr-api-token:
     description: "Agent API Token"
     required: true
-  srcclr-install-default-options:
-    description: Default options for Source Clear scan
-    required: false
-    default: '-DskipTests -Dmaven.javadoc.skip=true'
-  srcclr-install-options:
-    description: Additional options for Source Clear scan
+  srcclr-project-ext:
+    description: "Direct scan results to Veracode project named: <default project name>/<srcclr-project-ext>"
     required: false
 runs:
   using: "composite"
   steps:
+    - name: "Install srcclr CLI tool"
+      shell: bash
+      run: |
+        # Install srcclr CLI tool (Veracode) as per https://docs.veracode.com/r/t_sc_cli_agent
+        curl -sSL 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xdf7dd7a50b746dd4' | sudo gpg --dearmor -o /usr/share/keyrings/veracode-sca-archive.gpg
+        echo 'deb [signed-by=/usr/share/keyrings/veracode-sca-archive.gpg] https://download.sourceclear.com/ubuntu stable/' | sudo tee /etc/apt/sources.list.d/veracode-sca.list
+        sudo apt-get update
+        sudo apt-get install srcclr
+    - name: "Set target project URI, with extension if provided"
+      shell: bash
+      run: |
+        SRCCLR_SCM_URI="${{ github.server_url }}/${{ github.repository }}"
+
+        if [ -n "${{ inputs.srcclr-project-ext }}" ]; then
+          SRCCLR_SCM_URI="$SRCCLR_SCM_URI/${{ inputs.srcclr-project-ext }}"
+        fi
+
+        echo "SRCCLR_SCM_URI=$SRCCLR_SCM_URI" >> $GITHUB_ENV
     - name: "Run scanning"
       run: ${{ github.action_path }}/source_clear.sh
       shell: bash
       env:
         SRCCLR_API_TOKEN: ${{ inputs.srcclr-api-token }}
-        SRCCLR_INSTALL_DEFAULT_OPTIONS: ${{ inputs.srcclr-install-default-options }}
-        SRCCLR_INSTALL_OPTIONS: ${{ inputs.srcclr-install-options }}
+        SRCCLR_SCM_REF: ${{ github.event_name == 'pull_request' && github.ref || github.ref_name }}
+        SRCCLR_SCM_REF_TYPE: ${{ github.event_name == 'pull_request' && 'tag' || 'branch' }}
+        SRCCLR_SCM_REV: ${{ github.sha }}

.github/actions/veracode/source_clear.sh

@@ -4,14 +4,15 @@ echo "=========================== Starting SourceClear Script ==================
 PS4="\[\e[35m\]+ \[\e[m\]"
 set +e -v -x
 
-mvn -B -q clean install \
-    ${SRCCLR_INSTALL_DEFAULT_OPTIONS} ${SRCCLR_INSTALL_OPTIONS} \
-    com.srcclr:srcclr-maven-plugin:scan \
-    -Dcom.srcclr.apiToken=${SRCCLR_API_TOKEN} > scan.log
+srcclr scan \
+  --scm-uri="$SRCCLR_SCM_URI" \
+  --scm-ref="$SRCCLR_SCM_REF" \
+  --scm-ref-type="$SRCCLR_SCM_REF_TYPE" \
+  --scm-rev="$SRCCLR_SCM_REV" > scan.log
 
 SUCCESS=$?   # this will read exit code of the previous command
 
-grep -e 'Full Report Details' -e 'Failed' scan.log
+grep -e 'Full Report Details' scan.log
 
 set +vex
 echo "=========================== Finishing SourceClear Script =========================="

docs/README.md

@@ -1537,12 +1537,21 @@ Validates Maven dependency graph versions to ensure all target includes artifact
 
 Runs Veracode Source Clear Scan
 
+To add custom maven execution instructions, for skipping test modules etc., use [custom_maven_command](https://docs.veracode.com/r/Java_Scan_Directives#custom_maven_command)
+scan directive in srcclr.yml file of the scanned repository.
+
+When monitoring multiple versions of the same project in Veracode, optional input srcclr-project-ext can be used to direct scan results to a specific Veracode project instead of the default one.
+For example: ACS_EXT_MASTER Veracode application has an Alfresco/alfresco-enterprise-repo agent-based scans linked to itself through a Veracode project named Alfresco/alfresco-enterprise-repo, in order to include recent agent-based scan results in the promoted scan.
+When supporting an older version of ACS_EXT_MASTER like ACS_EXT_MASTER_7_4, we can set this input value to '7.4.N' on branch "release/7.4.N" of Alfresco/alfresco-enterprise-repo, to direct this branch's agent-based scan results to a project named Alfresco/alfresco-enterprise-repo/7.4.N instead.
+If that project doesn't exist, it will be created automatically. You can then set the default branch for the created project (release/7.4.N) and link it to an application (ACS_EXT_MASTER_7_4) in Veracode.
+This way, the agent-based scan results will be added in the latest promoted scan of ACS_EXT_MASTER_7_4 Veracode application.
+
 ```yaml
       - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@ref
         #continue-on-error: true # uncomment this line to prevent the Veracode scan step from failing the whole build
         with:
           srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
-          srcclr-install-options: '-DskipTestModules' # optional, additional maven options
+          srcclr-project-ext: '' # optional, allows for directing scan results to Veracode project named: <default project name>/<srcclr-project-ext>
 ```
 
 ### github cache cleanup

version.txt

@@ -1 +1 @@
-v5.35.0
+v6.0.0