From 5c3c1027bf187d577d1c5def615bf9ba6a67955c Mon Sep 17 00:00:00 2001 From: saxenakshitiz Date: Tue, 27 Jun 2023 12:43:47 +0530 Subject: [PATCH] chore: move to trivy based image scan, removed snyk --- .github/workflows/merge-publish.yml | 18 +----- .github/workflows/pr-build.yml | 93 ++++++++++++++++++----------- .github/workflows/pr-test.yml | 22 +++---- .github/workflows/publish.yml | 28 +++------ build.gradle.kts | 8 +++ 5 files changed, 86 insertions(+), 83 deletions(-) diff --git a/.github/workflows/merge-publish.yml b/.github/workflows/merge-publish.yml index 3da3a05c..3ac8ad42 100644 --- a/.github/workflows/merge-publish.yml +++ b/.github/workflows/merge-publish.yml @@ -7,30 +7,18 @@ on: jobs: merge-publish: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - name: Check out code - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v3 with: ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}} fetch-depth: 0 - - name: create checksum file - uses: hypertrace/github-actions/checksum@main - - - name: Cache packages - uses: actions/cache@v2 - with: - path: ~/.gradle - key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }} - restore-keys: | - gradle-packages-${{ runner.os }}-${{ github.job }} - gradle-packages-${{ runner.os }} - - name: Login to Docker Hub - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_READ_USER }} password: ${{ secrets.DOCKERHUB_READ_TOKEN }} diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index 0c5fb298..e42ea291 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml 
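Review bot: The new `uses: actions/checkout@v3` and `uses: docker/login-action@v2` lines replace the exact `@v2.3.4` tag with floating major-version tags, so this job, which logs into Docker Hub with the `DOCKERHUB_READ_*` secrets, now runs whatever those tags resolve to on a given day. Pin third-party actions to a full commit SHA and keep the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, and let Dependabot or Renovate move the SHA; the same applies to the `hypertrace/github-actions/*@main` references that remain in this file. Dropping the `actions/cache` step is harmless for security but the comment above the checkout still says tags are needed for version calculation, so leaving `fetch-depth: 0` in place is correct. The `merge-publish` job's `on:` trigger and its remaining steps are outside this hunk.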
@@ -9,30 +9,18 @@ on: jobs: build: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - name: Check out code - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v3 with: ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}} fetch-depth: 0 - - name: create checksum file - uses: hypertrace/github-actions/checksum@main - - - name: Cache packages - uses: actions/cache@v2 - with: - path: ~/.gradle - key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }} - restore-keys: | - gradle-packages-${{ runner.os }}-${{ github.job }} - gradle-packages-${{ runner.os }} - - name: Login to Docker Hub - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_READ_USER }} password: ${{ secrets.DOCKERHUB_READ_TOKEN }} 
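Review bot: The new `docker/login-action@v2` step authenticates with `DOCKERHUB_READ_USER`/`DOCKERHUB_READ_TOKEN` inside a job whose checkout (unchanged here) takes `ref` and `repository` from `github.event.pull_request.head.*`, i.e. the contributor's fork. That is fine on a plain `pull_request` trigger, where GitHub withholds secrets from fork PRs, but it becomes a classic pwn-request if the `on:` block, which lies outside this hunk, ever switches to `pull_request_target`; a comment on the login step would make the assumption explicit: `# relies on the pull_request trigger: fork PRs receive no secrets, so fork code never runs with this token`. As elsewhere in this commit, `@v3` and `@v2` are floating tags; pin them to commit SHAs.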
@@ -54,11 +42,65 @@ jobs: DOCKLE_HOST: "unix:///var/run/docker.sock" continue-on-error: true + - name: Run Trivy vulnerability scanner for ingester + uses: hypertrace/github-actions/trivy-image-scan@main + with: + image: hypertrace/hypertrace-ingester + output-mode: github + + - name: Run Trivy vulnerability scanner for span-normalizer + uses: hypertrace/github-actions/trivy-image-scan@main + with: + image: hypertrace/span-normalizer + output-mode: github + + - name: Run Trivy vulnerability scanner for raw-spans-grouper + uses: hypertrace/github-actions/trivy-image-scan@main + with: + image: hypertrace/raw-spans-grouper + output-mode: github + + - name: Run Trivy vulnerability scanner for trace-enricher + uses: hypertrace/github-actions/trivy-image-scan@main + with: + image: hypertrace/hypertrace-trace-enricher + output-mode: github + + - name: Run Trivy vulnerability scanner for view creator + uses: hypertrace/github-actions/trivy-image-scan@main + with: + image: hypertrace/hypertrace-view-creator + output-mode: github + + - name: Run Trivy vulnerability scanner for view-generator + uses: hypertrace/github-actions/trivy-image-scan@main + with: + image: hypertrace/hypertrace-view-generator + output-mode: github + + - name: Run Trivy vulnerability scanner for metrics generator + uses: hypertrace/github-actions/trivy-image-scan@main + with: + image: hypertrace/hypertrace-metrics-generator + output-mode: github + + - name: Run Trivy vulnerability scanner for metrics processor + uses: hypertrace/github-actions/trivy-image-scan@main + with: + image: hypertrace/hypertrace-metrics-processor + output-mode: github + + - name: Run Trivy vulnerability scanner for metrics exporter + uses: hypertrace/github-actions/trivy-image-scan@main + with: + image: hypertrace/hypertrace-metrics-exporter + output-mode: github + validate-helm-charts: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v3 with: 
ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}} @@ -66,20 +108,3 @@ jobs: - name: validate charts uses: hypertrace/github-actions/validate-charts@main - - snyk-scan: - runs-on: ubuntu-20.04 - steps: - # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - - name: Check out code - uses: actions/checkout@v2.3.4 - with: - ref: ${{github.event.pull_request.head.ref}} - repository: ${{github.event.pull_request.head.repo.full_name}} - fetch-depth: 0 - - name: Setup snyk - uses: snyk/actions/setup@0.3.0 - - name: Snyk test - run: snyk test --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --configuration-matching='^runtimeClasspath$' --remote-repo-url='${{ github.server_url }}/${{ github.repository }}.git' - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index 312a352c..bbb4bcfe 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml @@ -7,26 +7,14 @@ on: jobs: test: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - name: Check out code - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v3 with: fetch-depth: 0 - - name: create checksum file - uses: hypertrace/github-actions/checksum@main - - - name: Cache packages - uses: actions/cache@v2 - with: - path: ~/.gradle - key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }} - restore-keys: | - gradle-packages-${{ runner.os }}-${{ github.job }} - gradle-packages-${{ runner.os }} - - name: Unit test uses: hypertrace/github-actions/gradle@main with: 
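Review bot: All nine new Trivy steps resolve `hypertrace/github-actions/trivy-image-scan@main`, a floating branch, so the scanner that now gates this repository's pull requests can change without any change being reviewed here; pin it to a tag or commit SHA. None of the steps sets a severity threshold or fail mode and the `image:` inputs carry no tag, so whether the freshly built image or a registry `latest` is scanned, and whether findings fail the job at all, is decided inside the composite action rather than visibly here; given that the dockle step just above runs with `continue-on-error: true` and that this commit also deletes the Snyk gate that ran with `--severity-threshold=low`, it is worth confirming and recording with a comment such as `# scans the image built above; the action fails the job on HIGH/CRITICAL findings (verify in trivy-image-scan)`. Nine near-identical steps would also read better as a `strategy.matrix` over the image names, or as one step taking a list, if the action supports it. The enclosing `build` job starts before this hunk, and the hunk runs on into the `validate-helm-charts` job whose `ref`/`repository` inputs again point at the PR head fork.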
@@ -67,3 +55,9 @@ jobs: with: github_token: ${{ secrets.GITHUB_TOKEN }} files: ./**/build/test-results/**/*.xml + + dependency-check: + runs-on: ubuntu-22.04 + steps: + - name: Dependency Check + uses: hypertrace/github-actions/dependency-check@main diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 394a9a98..cf3c3ccb 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -8,28 +8,16 @@ on: jobs: publish-artifacts: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - name: Check out code - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v3 with: fetch-depth: 0 - - name: create checksum file - uses: hypertrace/github-actions/checksum@main - - - name: Cache packages - uses: actions/cache@v2 - with: - path: ~/.gradle - key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }} - restore-keys: | - gradle-packages-${{ runner.os }}-${{ github.job }} - gradle-packages-${{ runner.os }} - - name: Login to Docker Hub - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_READ_USER }} password: ${{ secrets.DOCKERHUB_READ_TOKEN }} @@ -47,11 +35,11 @@ jobs: publish-helm-charts: needs: publish-artifacts - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation - name: Checkout Repository - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v3 with: fetch-depth: 0 @@ -62,12 +50,12 @@ jobs: helm-gcs-repository: ${{ secrets.HELM_GCS_REPOSITORY }} publish-release-notes: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v2.3.4 + - uses: actions/checkout@v3 with: fetch-depth: 0 - uses: hypertrace/github-actions/release-notes@main with: github-token: ${{ secrets.GITHUB_TOKEN }} - \ No newline at end of file + 
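Review bot: The new `dependency-check` job has no `actions/checkout` step before `hypertrace/github-actions/dependency-check@main`, unlike every other job in these workflows, so unless that composite action checks the repository out itself it runs against an empty workspace and the `dependencyCheck {}` block added to `build.gradle.kts` never comes into play; add `- uses: actions/checkout@v3` ahead of it (with `fetch-depth: 0` if the version plugin needs tags, as the comments in the sibling jobs suggest). The action is again referenced at a floating `@main`, so the tool that replaces the removed Snyk gate can change under this repository without review; pin it to a tag or commit SHA. It would also help to record which Gradle task the action invokes, since `dependencyCheckAnalyze` covers only the root project while `dependencyCheckAggregate` covers the subprojects, e.g. `# runs dependencyCheckAggregate via the shared action; fails on CVSS >= 3.0 per build.gradle.kts` once that is confirmed.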
diff --git a/build.gradle.kts b/build.gradle.kts index 61577382..dcb02247 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -5,6 +5,7 @@ plugins { id("org.hypertrace.jacoco-report-plugin") version "0.2.0" apply false id("org.hypertrace.integration-test-plugin") version "0.2.0" apply false id("org.hypertrace.code-style-plugin") version "1.1.1" apply false + id("org.owasp.dependencycheck") version "8.2.1" } subprojects { @@ -23,3 +24,10 @@ subprojects { } } } + +dependencyCheck { + format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL.toString() + suppressionFile = "owasp-suppressions.xml" + scanConfigurations.add("runtimeClasspath") + failBuildOnCVSS = 3.0F +}
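Review bot: `suppressionFile = "owasp-suppressions.xml"` points at a file this commit does not add (the diffstat lists only the four workflows and this build script), so the first run will either abort on a missing suppression file or run without one, depending on how the plugin handles it; add the file in the same change, an empty `<suppressions>` document is enough, because with `failBuildOnCVSS = 3.0F` it is the only way to keep a known and accepted finding from blocking every build. The plugin is applied to the root project only and this extension lives there, so `dependencyCheckAnalyze` would scan the root `runtimeClasspath`, which is probably empty; CI needs `dependencyCheckAggregate` to reach the `subprojects` block visible in this hunk, which deserves a comment such as `// CI runs dependencyCheckAggregate; the root runtimeClasspath alone has nothing to scan`. CVSS 3.0 effectively means "fail on any scored CVE", matching the Snyk `--severity-threshold=low` gate being removed; say so, e.g. `// fail on practically any scored CVE (replaces the old snyk --severity-threshold=low gate)`, so nobody later relaxes it without knowing the intent.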