chore: move to trivy based image scan, removed snyk

hypertrace · Jun 27, 2023 · 5c3c102 · 5c3c102
1 parent 6b3081e
commit 5c3c102
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 83 deletions.
diff --git a/.github/workflows/merge-publish.yml b/.github/workflows/merge-publish.yml
@@ -7,30 +7,18 @@ on:
 
 jobs:
   merge-publish:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
           fetch-depth: 0
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_READ_USER }}
           password: ${{ secrets.DOCKERHUB_READ_TOKEN }}

diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
@@ -9,30 +9,18 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
           fetch-depth: 0
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_READ_USER }}
           password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
@@ -54,32 +42,69 @@ jobs:
           DOCKLE_HOST: "unix:///var/run/docker.sock"
         continue-on-error: true
 
+      - name: Run Trivy vulnerability scanner for ingester
+        uses: hypertrace/github-actions/trivy-image-scan@main
+        with:
+          image: hypertrace/hypertrace-ingester
+          output-mode: github
+
+      - name: Run Trivy vulnerability scanner for span-normalizer
+        uses: hypertrace/github-actions/trivy-image-scan@main
+        with:
+          image: hypertrace/span-normalizer
+          output-mode: github
+
+      - name: Run Trivy vulnerability scanner for raw-spans-grouper
+        uses: hypertrace/github-actions/trivy-image-scan@main
+        with:
+          image: hypertrace/raw-spans-grouper
+          output-mode: github
+
+      - name: Run Trivy vulnerability scanner for trace-enricher
+        uses: hypertrace/github-actions/trivy-image-scan@main
+        with:
+          image: hypertrace/hypertrace-trace-enricher
+          output-mode: github
+
+      - name: Run Trivy vulnerability scanner for view creator
+        uses: hypertrace/github-actions/trivy-image-scan@main
+        with:
+          image: hypertrace/hypertrace-view-creator
+          output-mode: github
+
+      - name: Run Trivy vulnerability scanner for view-generator
+        uses: hypertrace/github-actions/trivy-image-scan@main
+        with:
+          image: hypertrace/hypertrace-view-generator
+          output-mode: github
+
+      - name: Run Trivy vulnerability scanner for metrics generator
+        uses: hypertrace/github-actions/trivy-image-scan@main
+        with:
+          image: hypertrace/hypertrace-metrics-generator
+          output-mode: github
+
+      - name: Run Trivy vulnerability scanner for metrics processor
+        uses: hypertrace/github-actions/trivy-image-scan@main
+        with:
+          image: hypertrace/hypertrace-metrics-processor
+          output-mode: github
+
+      - name: Run Trivy vulnerability scanner for metrics exporter
+        uses: hypertrace/github-actions/trivy-image-scan@main
+        with:
+          image: hypertrace/hypertrace-metrics-exporter
+          output-mode: github
+
   validate-helm-charts:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
           fetch-depth: 0
 
       - name: validate charts
         uses: hypertrace/github-actions/validate-charts@main
-
-  snyk-scan:
-    runs-on: ubuntu-20.04
-    steps:
-    # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
-      - name: Check out code
-        uses: actions/[email protected]
-        with:
-          ref: ${{github.event.pull_request.head.ref}}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-          fetch-depth: 0
-      - name: Setup snyk
-        uses: snyk/actions/[email protected]
-      - name: Snyk test
-        run: snyk test --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --configuration-matching='^runtimeClasspath$' --remote-repo-url='${{ github.server_url }}/${{ github.repository }}.git'
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml
@@ -7,26 +7,14 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-
       - name: Unit test
         uses: hypertrace/github-actions/gradle@main
         with: 
@@ -67,3 +55,9 @@ jobs:
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           files: ./**/build/test-results/**/*.xml
+
+  dependency-check:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Dependency Check
+        uses: hypertrace/github-actions/dependency-check@main
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -8,28 +8,16 @@ on:
 
 jobs:
   publish-artifacts:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-            
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_READ_USER }}
           password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
@@ -47,11 +35,11 @@ jobs:
 
   publish-helm-charts:
     needs: publish-artifacts
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Checkout Repository
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
@@ -62,12 +50,12 @@ jobs:
           helm-gcs-repository: ${{ secrets.HELM_GCS_REPOSITORY }}
 
   publish-release-notes:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v2.3.4
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - uses: hypertrace/github-actions/release-notes@main
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-
+
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -5,6 +5,7 @@ plugins {
   id("org.hypertrace.jacoco-report-plugin") version "0.2.0" apply false
   id("org.hypertrace.integration-test-plugin") version "0.2.0" apply false
   id("org.hypertrace.code-style-plugin") version "1.1.1" apply false
+  id("org.owasp.dependencycheck") version "8.2.1"
 }
 
 subprojects {
@@ -23,3 +24,10 @@ subprojects {
     }
   }
 }
+
+dependencyCheck {
+  format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL.toString()
+  suppressionFile = "owasp-suppressions.xml"
+  scanConfigurations.add("runtimeClasspath")
+  failBuildOnCVSS = 3.0F
+}