From 747ab23a6ff72a182bdcd19bd38c67b6ae3d0541 Mon Sep 17 00:00:00 2001 From: Shaun Hare Date: Thu, 9 May 2024 09:26:47 +0100 Subject: [PATCH 01/11] amended pom and added ci cd workflows --- .github/workflows/cd.yaml | 54 ++++++++++++++++++++++++++++++ .github/workflows/ci.yaml | 17 ++++++++++ .github/workflows/maven_build.yaml | 19 +++++++++++ .github/workflows/security.yaml | 39 +++++++++++++++++++++ pom.xml | 11 +++--- 5 files changed, 135 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/cd.yaml create mode 100644 .github/workflows/ci.yaml create mode 100644 .github/workflows/maven_build.yaml create mode 100644 .github/workflows/security.yaml
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
new file mode 100644
index 0000000..a9ff7cd
--- /dev/null
+++ b/.github/workflows/cd.yaml
@@ -0,0 +1,54 @@
+name: CD
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ release-please:
+ name: Release
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ outputs:
+ tag_name: ${{ steps.release.outputs.tag_name }}
+ release_created: ${{ steps.release.outputs.release_created }}
+ steps:
+ - uses: google-github-actions/release-please-action@v4
+ id: release
+ with:
+ release-type: maven
+
+ call-build-maven:
+ needs: release-please
+ name: build with Maven
+ uses: ./.github/workflows/maven_build.yaml
+
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ needs:
+ - release-please
+ - call-build-maven
+ steps:
+ - name: checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up JDK 11
+ uses: actions/setup-java@v4
+ with:
+ java-version: '11'
+ distribution: 'corretto'
+ cache: 'maven'
+
+ - name: Publish to GitHub Packages Apache Maven
+ if: ${{needs.release-please.outputs.release_created}}
+ run: mvn --batch-mode deploy
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+
\ No newline at end of file
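Review bot: The `if:` on the Publish step tests `needs.release-please.outputs.release_created` for truthiness, and in Actions expressions any non-empty string is truthy (including `'false'` if the output ever carries that value), so an explicit comparison is the safer form: `if: ${{ needs.release-please.outputs.release_created == 'true' }}`; the same pattern recurs at job level in patch 02 and on the `publish`/`push` jobs in patch 10. `mvn --batch-mode deploy` is given `GITHUB_TOKEN` only as an environment variable, which Maven does not consume by itself, so with no `settings.xml` `<server>` entry matching the repository id declared in `pom.xml` this deploy to GitHub Packages presumably runs without credentials (patch 11 later adds that entry via a settings action). `google-github-actions/release-please-action@v4`, like the other third-party actions in this series, is pinned to a mutable tag; pinning to a full commit SHA with the tag in a trailing comment narrows the supply-chain exposure of a workflow holding `contents: write` and `packages: write`. The per-job `permissions:` split is good least-privilege practice and worth preserving as the file evolves.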
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..72604eb
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,17 @@
+name: CI
+
+on:
+ pull_request:
+
+jobs:
+ security:
+ name: Security
+ uses: ./.github/workflows/security.yaml
+ secrets: inherit
+
+ build-maven:
+ name: build with Maven
+ uses: ./.github/workflows/maven_build.yaml
+ needs: security
+
+
diff --git a/.github/workflows/maven_build.yaml b/.github/workflows/maven_build.yaml
new file mode 100644
index 0000000..72d2b9f
--- /dev/null
+++ b/.github/workflows/maven_build.yaml
@@ -0,0 +1,19 @@
+name: Maven Build
+
+on:
+ workflow_call:
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ build:
+ name: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - run: mvn -B -P github package
+
+
\ No newline at end of file
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 0000000..e3cb84b
--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,39 @@
+name: Security Scan
+
+on:
+ workflow_call:
+ inputs:
+ severity-threshold:
+ description: "Severity threshold"
+ required: false
+ default: "high"
+ type: string
+ secrets:
+ SNYK_TOKEN:
+ description: "Snyk token"
+ required: true
+ schedule:
+ # Weekly on Monday at 00:00 UTC
+ - cron: 0 0 * * 1
+
+permissions:
+ contents: read
+ packages: read
+
+jobs:
+ scan:
+ name: scan
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/checkout@v4
+ - uses: snyk/actions/setup@master
+ - uses: actions/setup-java@v4
+ with:
+ distribution: "corretto"
+ java-version: "11"
+ cache: maven
+
+ - run: snyk test --severity-threshold=${{ inputs.severity-threshold || 'high' }}
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 2b47e00..29bc5d4 100644
--- a/pom.xml
+++ b/pom.xml
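Review bot: `on: pull_request:` combined with `secrets: inherit` on the `security` job means a pull request opened from a fork runs the Snyk scan without `SNYK_TOKEN` (forked-PR runs do not receive repository secrets), so `security` fails and `build-maven`, which `needs: security`, never runs; if fork PRs are expected, gate the scan with something like `if: github.event.pull_request.head.repo.full_name == github.repository` on the `security` job, or make it non-blocking for them. A top-level `permissions: contents: read` is also worth adding here, because the reusable workflows this file calls request `packages: write` / `packages: read` and a caller with no `permissions:` block hands them whatever the repository's default token permissions allow.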
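Review bot: `packages: write` at the top of `maven_build.yaml` is broader than the workflow needs — its only step runs `mvn -B -P github package`, which builds but never publishes, so `contents: read` (plus `packages: read` if the `github` profile resolves dependencies from GitHub Packages) is sufficient and keeps a pull-request build from holding a publish-capable token. The trailing blank lines and the missing final newline are style nits that yamllint will flag.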
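Review bot: `uses: snyk/actions/setup@master` installs the scanner from a moving branch, so the CLI that runs with `SNYK_TOKEN` can change without any change to this repository; pin it to a release tag or, better, a full commit SHA with the version in a comment, as should be done for the other actions. Two smaller points on the same hunk: `- cron: 0 0 * * 1` is a plain scalar containing `*` and is conventionally written quoted, `- cron: '0 0 * * 1'`, and since `default: "high"` already covers `workflow_call` invocations, the `|| 'high'` fallback on the `run:` line only matters for `schedule` runs, which deserves a comment such as `# inputs are empty on schedule runs`.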
@@ -12,7 +12,7 @@ 1.13.0 UTF-8 3.8.1
- https://nexus.olcs.dev-dvsacloud.uk/repository/maven-releases
+ https://maven.pkg.github.com/dvsa/vol-app-security-lib
@@ -46,11 +46,12 @@ - + - maven-releases - ${nexus.releases} + github + GitHub dvsa Apache Maven Packages + ${github.url} - +
From 9f9b9683a67824e2cc79d0c129a3feddbffbffd4 Mon Sep 17 00:00:00 2001 From: Shaun Hare Date: Sat, 11 May 2024 09:54:02 +0100 Subject: [PATCH 02/11] tweaked workflows --- .github/workflows/cd.yaml | 13 +++++-------- .github/workflows/ci.yaml | 4 +++- .github/workflows/maven.yaml | 25 +++++++++++++++++++++++++ .github/workflows/maven_build.yaml | 19 ------------------- 4 files changed, 33 insertions(+), 28 deletions(-) create mode 100644 .github/workflows/maven.yaml delete mode 100644 .github/workflows/maven_build.yaml
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
index a9ff7cd..3cca501 100644
--- a/.github/workflows/cd.yaml
+++ b/.github/workflows/cd.yaml
@@ -20,20 +20,16 @@ jobs:
 id: release
 with:
 release-type: maven
-
- call-build-maven:
- needs: release-please
- name: build with Maven
- uses: ./.github/workflows/maven_build.yaml
+
 publish:
+ if: ${{needs.release-please.outputs.release_created}}
 runs-on: ubuntu-latest
 permissions:
 contents: read
 packages: write
 needs:
 - release-please
- - call-build-maven
 steps:
 - name: checkout code
 uses: actions/checkout@v4
@@ -46,8 +42,9 @@ jobs:
 cache: 'maven'
 - name: Publish to GitHub Packages Apache Maven
- if: ${{needs.release-please.outputs.release_created}}
- run: mvn --batch-mode deploy
+ uses: ./.github/workflows/maven.yaml
+ with:
+ maven-goal: deploy
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 72604eb..670cca0 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
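Review bot: `uses: ./.github/workflows/maven.yaml` on a step does not invoke a reusable workflow — a step-level `uses:` must point at an action (a directory holding an `action.yml`, or a published action), and a `workflow_call` workflow can only be called from a job-level `uses:`, so this job should fail at workflow validation. Even once moved to a job, `maven.yaml` as added in this patch grants only `contents: read`, so `maven-goal: deploy` would run without `packages: write` and without credentials, because a step's `env: GITHUB_TOKEN` is not forwarded to a called workflow. Patch 10 moves the call to a job-level `uses:` with `secrets: inherit`, which is the shape this hunk should take.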
@@ -11,7 +11,9 @@ jobs:
 build-maven:
 name: build with Maven
- uses: ./.github/workflows/maven_build.yaml
+ uses: ./.github/workflows/maven.yaml
+ with:
+ maven-goal: 'package'
 needs: security
diff --git a/.github/workflows/maven.yaml b/.github/workflows/maven.yaml
new file mode 100644
index 0000000..87f4ff6
--- /dev/null
+++ b/.github/workflows/maven.yaml
@@ -0,0 +1,25 @@
+name: Maven
+
+on:
+ workflow_call:
+ inputs:
+ maven-goal:
+ description: 'Maven goal to run'
+ required: true
+ default: 'package'
+ type: string
+
+permissions:
+ contents: read
+
+
+jobs:
+ build:
+ name: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - run: mvn -B -P github ${{ inputs.maven-goal}}
+
+
\ No newline at end of file
diff --git a/.github/workflows/maven_build.yaml b/.github/workflows/maven_build.yaml
deleted file mode 100644
index 72d2b9f..0000000
--- a/.github/workflows/maven_build.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: Maven Build
-
-on:
- workflow_call:
-
-permissions:
- contents: read
- packages: write
-
-jobs:
- build:
- name: build
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - run: mvn -B -P github package
-
-
\ No newline at end of file
From b54c51a59dddf45732d7c45c3f3a9f17a22f2a53 Mon Sep 17 00:00:00 2001 From: Shaun Hare Date: Sat, 11 May 2024 09:58:22 +0100 Subject: [PATCH 03/11] amended ignore --- .github/workflows/.snyk | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .github/workflows/.snyk
diff --git a/.github/workflows/.snyk b/.github/workflows/.snyk
new file mode 100644
index 0000000..6d729a3
--- /dev/null
+++ b/.github/workflows/.snyk
@@ -0,0 +1,10 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+ SNYK-JAVA-ORGJDOM-1311147:
+ - '*':
+ reason: None Given
+ expires: 2024-06-10T08:57:50.668Z
+ created: 2024-05-11T08:57:50.670Z
+patch: {}
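Review bot: The `maven-goal` input is declared `required: true` and also given `default: 'package'`; the two contradict each other (a required input never falls back to its default), and because `${{ inputs.maven-goal}}` is spliced straight into the shell line, an empty or unexpected value silently changes the Maven invocation. Passing it through the environment keeps the expression out of the shell text: `env:` / `MAVEN_GOAL: ${{ inputs.maven-goal }}` on the step, and `run: mvn -B -P github "$MAVEN_GOAL"`. The input here comes from the calling workflow file in the same repository, so this is a robustness and idiom point rather than an exploitable injection, but it is the pattern GitHub's own hardening guidance recommends for every expression in `run:`. The trailing blank lines and missing final newline should also go.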
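Review bot: The ignore for `SNYK-JAVA-ORGJDOM-1311147` records `reason: None Given` with a `'*'` path, so every dependency path carrying the finding is suppressed until 2024-06-10 with no recorded justification; replace the reason with the actual assessment (why the finding does not apply, or which mitigation is in place) so the expiry can be reviewed against it. A `.snyk` under `.github/workflows/` is also not where `snyk test` looks by default — it reads the policy from the project root or from `--policy-path` — which patches 04 and 05 correct by moving the file to the root, carrying the `None Given` reason with it.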
From ee994afb9d8af61632a86019968b02dc63b876a1 Mon Sep 17 00:00:00 2001 From: Shaun Hare Date: Sat, 11 May 2024 10:03:01 +0100 Subject: [PATCH 04/11] moved .snyk --- .github/workflows/.snyk | 10 ---------- 1 file changed, 10 deletions(-) delete mode 100644 .github/workflows/.snyk
diff --git a/.github/workflows/.snyk b/.github/workflows/.snyk
deleted file mode 100644
index 6d729a3..0000000
--- a/.github/workflows/.snyk
+++ /dev/null
@@ -1,10 +0,0 @@
-# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.25.0
-# ignores vulnerabilities until expiry date; change duration by modifying expiry date
-ignore:
- SNYK-JAVA-ORGJDOM-1311147:
- - '*':
- reason: None Given
- expires: 2024-06-10T08:57:50.668Z
- created: 2024-05-11T08:57:50.670Z
-patch: {}
From a65f973053f85819d91b3c63fecda94e8e1b4721 Mon Sep 17 00:00:00 2001 From: Shaun Hare Date: Sat, 11 May 2024 10:03:40 +0100 Subject: [PATCH 05/11] moved .snyk --- .snyk | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .snyk
diff --git a/.snyk b/.snyk
new file mode 100644
index 0000000..6d729a3
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,10 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+ SNYK-JAVA-ORGJDOM-1311147:
+ - '*':
+ reason: None Given
+ expires: 2024-06-10T08:57:50.668Z
+ created: 2024-05-11T08:57:50.670Z
+patch: {}
From 437db8324aea4199e4c28ed3f0cea6de6fdfa7f6 Mon Sep 17 00:00:00 2001 From: Stefan Ranoszek Date: Mon, 13 May 2024 15:22:42 +0100 Subject: [PATCH 06/11] chore : try different path name --- .github/workflows/cd.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
index 3cca501..abaf734 100644
--- a/.github/workflows/cd.yaml
+++ b/.github/workflows/cd.yaml
@@ -42,10 +42,10 @@ jobs:
 cache: 'maven'
 - name: Publish to GitHub Packages Apache Maven
- uses: ./.github/workflows/maven.yaml
+ uses: ./.github/actions.yamal
 with:
 maven-goal: deploy
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-
\ No newline at end of file
+
From 9b39a00008c4b43c7185eb833b62ffec02d42b80 Mon Sep 17 00:00:00 2001 From: Stefan Ranoszek Date: Thu, 16 May 2024 11:30:56 +0100 Subject: [PATCH 07/11] chore: amend readme as per comments --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5ac0c67..2f839f2 100644
--- a/README.md
+++ b/README.md
@@ -12,4 +12,13 @@ Use the following command ```mvn clean install``` Use the following command ```mvn clean deploy``` ## To instantiate use the following -```ScannerMethods xx = new ScannerMethods();``` \ No newline at end of file +```ScannerMethods xx = new ScannerMethods();``` + +## Installation +Add the following Maven dependency to your project's `pom.xml` file: +```xml + + org.dvsa.testing.lib + zap-scanner-suite + LATEST +
From d30845068a565a2cdca98af2e3d13fec9fc44e8f Mon Sep 17 00:00:00 2001 From: Stefan Ranoszek Date: Thu, 16 May 2024 11:33:50 +0100 Subject: [PATCH 08/11] chore: amend pom as per comments --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 29bc5d4..fd55caa 100644
--- a/pom.xml
+++ b/pom.xml
@@ -12,7 +12,7 @@ 1.13.0 UTF-8 3.8.1
- https://maven.pkg.github.com/dvsa/vol-app-security-lib
+ https://maven.pkg.github.com/dvsa/*
@@ -49,7 +49,7 @@ - github + dvsa-github-packages GitHub dvsa Apache Maven Packages ${github.url}
From 3f4814b23114e21adcca5913f3fc6bd37ab9c3ed Mon Sep 17 00:00:00 2001 From: Stefan Ranoszek Date: Fri, 17 May 2024 12:17:43 +0100 Subject: [PATCH 09/11] fix:Update pom.xml --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index fd55caa..1d43497 100644
--- a/pom.xml
+++ b/pom.xml
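Review bot: `uses: ./.github/actions.yamal` points at a path that is neither a local action directory nor a file this patch adds, and the extension is misspelled (`yamal`); the step also still tries to invoke a reusable workflow from `steps:`, which Actions does not support — a `workflow_call` workflow is invoked from a job-level `uses:`, as patch 10 eventually does with `uses: ./.github/workflows/maven.yaml`. As an intermediate commit this leaves `main` with a CD workflow that cannot run, so it would be cleaner to squash it into the fix. The enclosing `publish` job starts outside the hunk.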
@@ -12,7 +12,7 @@ 1.13.0 UTF-8 3.8.1
- https://maven.pkg.github.com/dvsa/*
+ https://maven.pkg.github.com/dvsa/vol-app-security-lib
From 0d124b8039a18a4dc88813920e1e2c7c5e6e9338 Mon Sep 17 00:00:00 2001 From: Stefan Ranoszek Date: Mon, 20 May 2024 08:59:41 +0100 Subject: [PATCH 10/11] fix:Update cd.yaml --- .github/workflows/cd.yaml | 43 +++++++++++++++++++++------------------ 1 file changed, 23 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
index abaf734..209f7ca 100644
--- a/.github/workflows/cd.yaml
+++ b/.github/workflows/cd.yaml
@@ -16,12 +16,11 @@ jobs:
 tag_name: ${{ steps.release.outputs.tag_name }}
 release_created: ${{ steps.release.outputs.release_created }}
 steps:
- - uses: google-github-actions/release-please-action@v4
+ - uses: googleapis/release-please-action@v4
 id: release
 with:
 release-type: maven
-
-
+
 publish:
 if: ${{needs.release-please.outputs.release_created}}
 runs-on: ubuntu-latest
@@ -31,21 +30,25 @@ jobs:
 needs:
 - release-please
 steps:
- - name: checkout code
- uses: actions/checkout@v4
+ - name: checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up JDK 11
+ uses: actions/setup-java@v4
+ with:
+ java-version: '11'
+ distribution: 'corretto'
+ cache: 'maven'
- - name: Set up JDK 11
- uses: actions/setup-java@v4
- with:
- java-version: '11'
- distribution: 'corretto'
- cache: 'maven'
-
- - name: Publish to GitHub Packages Apache Maven
- uses: ./.github/actions.yamal
- with:
- maven-goal: deploy
- env:
- GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-
-
+ push:
+ if: ${{needs.release-please.outputs.release_created}}
+ permissions:
+ contents: read
+ packages: write
+
+ name: Publish to GitHub Packages Apache Maven
+ uses: ./.github/workflows/maven.yaml
+ secrets: inherit
+ with:
+ maven-goal: deploy
+ needs: release-please
From 3362687b5c9e1802683f5c0c077b6fd49587734e Mon Sep 17 00:00:00 2001
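Review bot: After this change the `publish` job only checks out the repository and sets up a JDK — the deploy has moved to the new `push` job — so `publish` spends a runner and holds `packages: write` for nothing; either delete the job or fold its `if:` into `push`. `secrets: inherit` on `push` forwards every repository secret to `maven.yaml`, which (after patch 11) uses only `secrets.GITHUB_TOKEN`, and GitHub passes `GITHUB_TOKEN` to a called workflow in the same repository without `inherit`, so the line can presumably be dropped or replaced by an explicit `secrets:` list. The `permissions:` block on `push` precedes `name:`, which is valid but differs from the other jobs' `name`/`runs-on`-first order. The truthiness check in both `if:` lines is the one noted on patch 01.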
From: Stefan Ranoszek Date: Mon, 20 May 2024 09:02:37 +0100 Subject: [PATCH 11/11] fix:Update maven.yaml --- .github/workflows/maven.yaml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/maven.yaml b/.github/workflows/maven.yaml
index 87f4ff6..aaf487b 100644
--- a/.github/workflows/maven.yaml
+++ b/.github/workflows/maven.yaml
@@ -11,15 +11,20 @@ on:
 permissions:
 contents: read
-
+ packages: write
+
 jobs:
 build:
 name: build
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
-
+ - uses: whelk-io/maven-settings-xml-action@v22
+ with:
+ servers: '[{ "id":"dvsa-github-packages", "configuration": { "httpHeaders": { "property": { "name":"Authorization", "value":"Bearer ${{ secrets.GITHUB_TOKEN }}"} } } },{ "id":"github", "configuration": { "httpHeaders": { "property": { "name":"Authorization", "value":"Bearer ${{ secrets.GITHUB_TOKEN }}"} } } } ]'
+
 - run: mvn -B -P github ${{ inputs.maven-goal}}
-
-
\ No newline at end of file
+
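Review bot: `packages: write` is now requested by every caller of `maven.yaml`, including the `ci.yaml` `package` build on pull requests, which never publishes; keep the reusable workflow's own request at `contents: read` / `packages: read` and let the deploying caller (`push` in `cd.yaml` already declares `packages: write`) grant the extra scope, since `ci.yaml` sets no `permissions:` and therefore passes whatever the repository default allows. `whelk-io/maven-settings-xml-action@v22` is a third-party action that receives `GITHUB_TOKEN` through the `servers` JSON and writes it into `settings.xml`; pin it to a full commit SHA rather than a tag, and consider the first-party alternative of having `actions/setup-java` generate the `<server>` entry via its `server-id`/`server-username`/`server-password` inputs, which removes the dependency entirely. The job-level `env: GITHUB_TOKEN:` appears unused — the credential reaches Maven through the `Authorization` header in `servers`, not through `${env.GITHUB_TOKEN}` — so it can presumably be removed, or given a comment naming which consumer reads it. The single-line `servers:` JSON is far beyond any line-length limit; a `>-` folded scalar keeps it one string while making the two server entries readable.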