Whitesource

.github/workflows/gradle-whitesource.yml

@@ -0,0 +1,94 @@
+name: Java CI
+
+on:
+  push:
+    branches:
+      - 'master'
+    tags:
+      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+  pull_request:
+    branches:
+      - '**'
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up JDK 11
+      uses: actions/setup-java@v2
+      with:
+        distribution: zulu
+        java-version: '11'
+
+    - uses: actions/cache@v2
+      with:
+        path: |
+          ~/.gradle/caches
+          ~/.gradle/wrapper
+        key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*') }}
+        restore-keys: |
+          ${{ runner.os }}-gradle-
+
+    - name: Test with Gradle
+      run: ./gradlew clean test
+
+    - name: Build and analyze
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+      run: ./gradlew build --info
+
+    - name: WhiteSource Unified Agent Scan
+      env:
+        WS_APIKEY: ${{secrets.APIKEY}}
+        WS_USERKEY: ${{secrets.USERKEY}}
+        WS_WSS_URL: https://app.whitesourcesoftware.com/agent
+        WS_PRODUCTNAME: ${{github.event.repository.name}}
+        WS_PROJECTNAME: ${{github.ref}}
+        WS_FILESYSTEMSCAN: false
+        WS_GENERATEPROJECTDETAILSJSON: true
+        WS_UPDATEINVENTORY: true #(defaults to true)
+        WS_enableImpactAnalysis: true
+        WS_resolveAllDependencies: false
+        WS_resolveDependencies: true
+        WS_aggregateModules: True
+
+
+      run: |
+        sudo apt-get install jq curl
+        echo Downloading WhiteSource Unified Agent
+        curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
+        if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then
+          echo "Integrity Check Failed"
+        else
+          echo "Integrity Check Passed"
+          echo Starting WhiteSource Scan
+          java -jar wss-unified-agent.jar
+        fi
+        export WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json)
+        export WS_URL=$(echo $WS_WSS_URL | awk -F "agent" '{print $1}')
+        #RiskReport-Example
+        curl --output ./whitesource/riskreport.pdf --request POST $WS_URL'/api/v1.3' --header 'Content-Type: application/json'  --data-raw '{"requestType":"getProjectRiskReport","userKey":"$WS_USERKEY","projectToken":"$WS_PROJECTTOKEN"}'
+        #InventoryReport-Example
+        curl --output ./whitesource/inventoryreport.xlsx --request POST $WS_URL'/api/v1.3' --header 'Content-Type: application/json'  --data-raw '{"requestType":"getProductInventoryReport","userKey":"$WS_USERKEY","projectToken":"$WS_PROJECTTOKEN"}'
+        #DueDiligenceReport-Example
+        curl --output ./whitesource/duediligencereport.pdf --request POST $WS_URL'/api/v1.3' --header 'Content-Type: application/json'  --data-raw '{"requestType":"getProjectDueDiligenceReport","userKey":"$WS_USERKEY","projectToken":"$WS_PROJECTTOKEN"}'
+        echo "*****************************"
+        ls -a ./whitesource
+        chmod +x ./Scripts/list-project-alerts.sh
+
+    - name: Archive Whitesource results
+      uses: actions/upload-artifact@v3
+      with:
+        name: Whitesource reports
+        path: ./whitesource
+
+
+
+    # - uses: azure/webapps-deploy@v2
+    #   with:
+    #     app-name: second-springboot-rachdemo
+    #     publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} 
+    #     package: 'build/libs/*.jar'

.github/workflows/gradle.yml

@@ -3,7 +3,7 @@ name: Java CI
 on:
   push:
     branches:
-      - '**'
+      - 'master'
     tags:
       - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
   pull_request:
@@ -22,6 +22,7 @@ jobs:
       with:
         distribution: zulu
         java-version: '11'
+
     - uses: actions/cache@v2
       with:
         path: |
@@ -30,5 +31,17 @@ jobs:
         key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*') }}
         restore-keys: |
           ${{ runner.os }}-gradle-
+
     - name: Test with Gradle
       run: ./gradlew clean test
+
+    - name: Build and analyze
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+      run: ./gradlew build --info
+
+    - uses: azure/webapps-deploy@v2
+      with:
+        app-name: second-springboot-rachdemo
+        publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} 
+        package: 'build/libs/*.jar'

.gitignore

@@ -2,6 +2,7 @@
 /build/
 !gradle/wrapper/gradle-wrapper.jar
 *.db
+*.vscode
 
 ### STS ###
 .apt_generated

.whitesource

@@ -0,0 +1,21 @@
+{
+  "scanSettings": {
+    "configMode": "AUTO",
+    "configExternalURL": "",
+    "projectToken": "",
+    "baseBranches": []
+  },
+  "checkRunSettings": {
+    "vulnerableCheckRunConclusionLevel": "failure",
+    "displayMode": "diff"
+  },
+  "issueSettings": {
+    "minSeverityLevel": "LOW",
+    "issueType": "DEPENDENCY"
+  },
+  "remediateSettings": {
+    "workflowRules": {
+      "enabled": true
+    }
+  }
+}

Scripts/list-project-alerts.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# Description:
+# This script uses WhiteSource's API to display (in the stdout) a list of
+# vulnerabilities affecting the last scanned project(s).
+# It is intended to be executed from the scan's working directory, either
+# independently or following a Unified Agent scan.
+
+# Prerequisites:
+# apt install jq curl
+# WS_GENERATEPROJECTDETAILSJSON: true
+# WS_USERKEY (admin assignment is required)
+# WS_WSS_URL
+# WS_UPDATEINVENTORY: true (defaults to true)
+
+# Known Limitations:
+# - CVSS Score Filtering
+#   The API response will be filtered by default based on the .cvss3_severity
+#   property. If a given vulnerability alert does not have a CVSS3 severity (i.e.
+#   the .vulnerability.cvss3_severity property is blank), that alert will not be
+#   included in the results. To use CVSS2 for filtering, change the jq condition
+#   below from `.vulnerability.cvss3_severity` to `.vulnerability.severity`.
+#   Note that when doing so, however, while the alert count will be accurate,
+#   some alerts might display a different severity than in the UI.
+#
+# - Inventory Update
+#   The scanProjectDetails.json file is only created when an inventory update has
+#   occurred, so this script won't work if WS_UPDATEINVENTORY is set to false.
+#   Moreover, if policy check is enabled (WS_CHECKPOLICIES), and a policy
+#   violation was found, the scan will be aborted without updating the inventory
+#   (and as a result, scanProjectDetails.json won't be created), so it is also
+#   required to enable WS_FORCEUPDATE.
+#   Note that WS_FORCEUPDATE enabled would result in exit code 0 even upon policy
+#   violation, so if you rely on the exit code (-2) for other tasks in your
+#   pipeline, make sure to also enable WS_FORCEUPDATE_FAILBUILDONPOLICYVIOLATION.
+
+WS_API_URL="$(echo "${WS_WSS_URL/agent/'api/v1.3'}")"
+PROJECT_DETAILS="./whitesource/scanProjectDetails.json"
+showColors=true
+
+if $showColors ; then
+    RD="\e[1;31m"
+    GN="\e[1;32m"
+    YW="\e[1;33m"
+    BL="\e[1;34m"
+    NC="\e[0m"
+fi
+
+declare -a projects=( $(cat $PROJECT_DETAILS | jq -r '.projects[] | (.projectToken + "," + .projectName)') )
+
+for project in "${projects[@]}"; do
+    IFS=, read projectToken projectName <<< "$project"
+    printf "\nWhiteSource Vulnerability Alerts for project: ${BL}%s${NC}\n" "$projectName"
+    apiRes="$(curl -s -X POST -H "Content-Type: application/json" -d '{ "requestType": "getProjectAlertsByType", "alertType": "SECURITY_VULNERABILITY", "userKey": "'"$WS_USERKEY"'", "projectToken": '"$projectToken"' }' $WS_API_URL)"
+
+    # High severity CVEs
+    cveH="$(echo "$apiRes" | jq -r '.alerts[] | select(.vulnerability.cvss3_severity=="high") | ("[H] " + .vulnerability.name + " - " + .library.filename)')"
+    cveCountH="$([ "${#cveH}" -gt 0 ] && echo "$cveH" | wc -l || echo 0)"
+
+    # Medium severity CVEs
+    cveM="$(echo "$apiRes" | jq -r '.alerts[] | select(.vulnerability.cvss3_severity=="medium") | ("[M] " + .vulnerability.name + " - " + .library.filename)')"
+    cveCountM="$([ "${#cveM}" -gt 0 ] && echo "$cveM" | wc -l || echo 0)"
+
+    # Low severity CVEs
+    cveL="$(echo "$apiRes" | jq -r '.alerts[] | select(.vulnerability.cvss3_severity=="low") | ("[L] " + .vulnerability.name + " - " + .library.filename)')"
+    cveCountL="$([ "${#cveL}" -gt 0 ] && echo "$cveL" | wc -l || echo 0)"
+
+    printf "Alerts: ${RD}$cveCountH High${NC}, ${YW}$cveCountM Medium${NC}, ${GN}$cveCountL Low${NC}\n\n"
+    printf "${RD}$cveH${NC}\n"
+    printf "${YW}$cveM${NC}\n"
+    printf "${GN}$cveL${NC}\n"
+    printf "\n"
+done

build.gradle

@@ -10,6 +10,10 @@ version = '0.0.1-SNAPSHOT'
 sourceCompatibility = '11'
 targetCompatibility = '11'
 
+jar {
+    enabled = false
+}
+
 spotless {
     java {
         target project.fileTree(project.rootDir) {
@@ -66,6 +70,7 @@ tasks.named('clean') {
     }
 }
 
+
 tasks.named('generateJava') {
     schemaPaths = ["${projectDir}/src/main/resources/schema"] // List of directories containing schema files
     packageName = 'io.spring.graphql' // The package name to use to generate sources

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.4-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.4.2-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists