Development (#9)

* edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow * add sonar-project.properties file + edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow * Revert "edit SonarQube workflow" This reverts commit 47207bc. * edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow + add docker-compose file * edit SonarQube workflow + edit docker-compose file * edit SonarQube workflow + edit docker-compose file * edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow * edit SonarQube workflow + edit docker-compose file * edit SonarQube workflow + edit docker-compose file * edit docker-compose file * remove version attribute from the docker-compose.yml * increase seconds in the sleep attribute * edit workflow, docker-compose and Jenkinsfile files + add Dockerfile * improve CodeQL Scan * improve OWASP Dependency Check workflow * edit OWASP Dependency Check workflow * edit OWASP Dependency Check workflow * edit OWASP Dependency Check workflow * edit OWASP Dependency Check workflow * edit OWASP Dependency Check workflow * edit Semgrep SAST workflow * edit Semgrep SAST workflow * edit Semgrep SAST workflow * edit Semgrep SAST workflow * add SonarCloud workflow + add Quality Gate in the Jenkinsfile * edit the SonarCloud workflow * edit the SonarCloud workflow
meleksabit · Sep 19, 2024 · 08681b8 · 08681b8
1 parent ea3d76c
commit 08681b8
Show file tree

Hide file tree

Showing 9 changed files with 324 additions and 128 deletions.
diff --git a/.github/workflows/scan-with-codeql.yml b/.github/workflows/scan-with-codeql.yml
@@ -1,47 +1,50 @@
-# Name of the GitHub Actions workflow
-name: CodeQL Analysis for JavaScript
+name: JavaScript CodeQL Analysis
 
-# Define when the workflow should be triggered
 on:
-  push:
+  pull_request:
     branches:
-      - development # Trigger when code is pushed to the 'development' branch
-      - main # Trigger when code is pushed to the 'main' branch
+      - development
+      - main
 
-# Define the jobs to be executed within the workflow
 jobs:
-  build:
-    name: Scan JavaScript code with CodeQL
-    runs-on: [ 'ubuntu-latest' ] # Use the latest version of Ubuntu
+  analyze:
+    name: Analyze JavaScript code with CodeQL
+    runs-on: ubuntu-latest
+    needs: init
     permissions:
       actions: read
       contents: read
       security-events: write
-    strategy:
-        fail-fast: false
-        matrix:
-          language: [ 'javascript' ]
-          # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
-          # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
-          # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
-          # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-        # Action to check out the code from the repository
-        # This step fetches the codebase from the GitHub repository
+        if: github.event.pull_request.head.sha == github.event.pull_request.base.sha
 
       - name: Initialize CodeQL
+        id: initialize-codeql
         uses: github/codeql-action/init@v3
         with:
           languages: javascript
-        # Action to initialize the CodeQL environment
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
+        if: github.event.pull_request.head.sha == github.event.pull_request.base.sha
         with:
-          # Specify a category to distinguish between multiple analyses
-          # for the same tool and ref. If you don't use `category` in your workflow,
-          # GitHub will generate a default category name for you
-          category: "Scan-JavaScript-code-with-CodeQL"
-
+          category: "JavaScript CodeQL Analysis"
+
+  init:
+    name: Initialize CodeQL environment
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        id: initialize-codeql
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript
+
+    outputs:
+      needs: initialize-codeql
+      codeql-version: ${{ steps.initialize-codeql.outputs.codeql-version }}
diff --git a/.github/workflows/scan-with-owasp-dependency-check.yml b/.github/workflows/scan-with-owasp-dependency-check.yml
@@ -1,19 +1,24 @@
 # Name of the GitHub Actions workflow
 name: Scan with OWASP Dependency Check
 
+# Define environment variables
+env:
+  PROJECT_NAME: Mutillidae
+  OUTPUT_DIR: .
+
 # Define when the workflow should be triggered
 on:
   push:
     branches:
-      - development # Trigger when code is pushed to the 'development' branch
-      - main # Trigger when code is pushed to the 'main' branch
+      - development
+      - main
 
 # Define the job(s) to be executed within the workflow
 jobs:
   depchecktest:
     name: Scan with OWASP Dependency Check
-
-    runs-on: [ 'ubuntu-latest' ] # Use the latest version of Ubuntu
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
 
     # Define permissions for specific actions
     permissions:
@@ -24,33 +29,21 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-        # Step: Checkout code
-        # Action to check out the code from the repository
-        # This step fetches the codebase from the GitHub repository
 
       - name: Scan with OWASP Dependency Check
+        id: owasp-dependency-check
         uses: dependency-check/Dependency-Check_Action@main
-        id: Depcheck
         with:
-          project: 'Mutillidae' # Project name for Dependency Check
-          path: '.' # Scan all files in the current directory
-          format: 'SARIF' # Output format for scan results
-          out: '.' # Output directory (default is the current directory)
+          project: $PROJECT_NAME
+          path: ${{ env.OUTPUT_DIR }}
+          format: SARIF
+          out: ${{ env.OUTPUT_DIR }}
           args: >
-            --enableRetired # Additional scan arguments for Dependency Check
+            --enableRetired
         continue-on-error: true
-        # Step: Scan with OWASP Dependency Check
-        # Action to run OWASP Dependency Check to scan dependencies
-        # It identifies vulnerabilities in project dependencies
 
       - name: Upload results from OWASP Dependency Check to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@main
         with:
-          sarif_file: dependency-check-report.sarif
-          # Step: Upload results to GitHub Code Scanning
-          # Action to upload the results of the OWASP Dependency Check scan in SARIF format
-          # This allows viewing and analyzing the scan results in the GitHub repository
+          sarif_file: ${{ env.OUTPUT_DIR }}/dependency-check-report.sarif
           category: "Scan-dependencies-code-with-OWASP-Dependency-Check"
-          # Specify a category to distinguish between multiple analyses
-          # for the same tool and ref. If you don't use `category` in your workflow,
-          # GitHub will generate a default category name for you
diff --git a/.github/workflows/scan-with-semgrep.yml b/.github/workflows/scan-with-semgrep.yml
@@ -1,73 +1,78 @@
-# Name of this GitHub Actions workflow.
 name: Scan Application Code with Semgrep SAST
 
 on:
-  # Trigger the workflow on the following events:
-
-  # Scan changed files in Pull Requests (diff-aware scanning).
   pull_request: {}
-
-  # Trigger the workflow on-demand through the GitHub Actions interface.
-  workflow_dispatch: {}
-
-  # Scan mainline branches (main and development) and report all findings.
+  workflow_dispatch:
+    inputs:
+      xss_config:
+        description: 'Path to Semgrep configuration file'
+        required: true
+      xss_output:
+        description: 'Path to Semgrep output file'
+        required: true
+      ci_config:
+        description: 'Path to Semgrep configuration file'
+        required: true
+      ci_output:
+        description: 'Path to Semgrep output file'
+        required: true
   push:
     branches: ["main", "development"]
 
 jobs:
   semgrep:
-    # User definable name of this GitHub Actions job.
     name: Scan Application Code with Semgrep SAST
-
-    # Specify the runner environment. Use the latest version of Ubuntu.
     runs-on: ubuntu-latest
-
-    # Define permissions for specific GitHub Actions.
     permissions:
-        actions: read          # Permission to read GitHub Actions.
-        contents: read         # Permission to read repository contents.
-        security-events: write # Permission to write security events.
-
+      actions: read
+      contents: read
+      security-events: write
     container:
-      # Use a Docker image with Semgrep installed. Do not change this.
-      image: returntocorp/semgrep
+      image: returntocorp/semgrep:latest
 
-    # Skip any Pull Request created by the Dependabot to avoid permission issues.
-    if: (github.actor != 'dependabot[bot]')
+    if: github.actor != 'dependabot[bot]'
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        # Step: Checkout code
-        # Action to check out the code from the repository.
-        # This step fetches the codebase from the GitHub repository.
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    # Step to set the environment variables dynamically based on the event
+    - name: Set Config and Output Paths
+      id: vars
+      run: |
+        if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+          echo "xss_config=${{ github.event.inputs.xss_config }}" >> $GITHUB_ENV
+          echo "xss_output=${{ github.event.inputs.xss_output }}" >> $GITHUB_ENV
+          echo "ci_config=${{ github.event.inputs.ci_config }}" >> $GITHUB_ENV
+          echo "ci_output=${{ github.event.inputs.ci_output }}" >> $GITHUB_ENV
+        else
+          echo "xss_config=.github/semgrep/xss-config.yml" >> $GITHUB_ENV
+          echo "xss_output=xss-output.sarif" >> $GITHUB_ENV
+          echo "ci_config=.github/semgrep/ci-config.yml" >> $GITHUB_ENV
+          echo "ci_output=ci-output.sarif" >> $GITHUB_ENV
+        fi
+      shell: bash
 
-      - name: Run Semgrep XSS Scan
-        run: semgrep --config p/xss --sarif --output=semgrep-xss-results.sarif
-        continue-on-error: true
-        # Execute Semgrep to scan the code for XSS (Cross-Site Scripting) vulnerabilities using the p/xss configuration.
-        # Save the results in SARIF format to semgrep-xss-results.sarif.
-        # Continue the workflow even if there are errors during the scan.
+    # Run Semgrep XSS Scan using the dynamically set environment variables
+    - name: Run Semgrep XSS Scan
+      run: semgrep --config "$xss_config" --sarif --output="$xss_output"
+      continue-on-error: true
 
-      - name: Run Semgrep High-Confidence SAST Scan
-        run: semgrep --config p/ci --sarif --output=semgrep-ci-results.sarif
-        continue-on-error: true
-        # Execute Semgrep to scan the code for XSS (Cross-Site Scripting) vulnerabilities using the p/xss configuration.
-        # Save the results in SARIF format to semgrep-xss-results.sarif.
-        # Continue the workflow even if there are errors during the scan.
+    # Run Semgrep High-Confidence SAST Scan using the dynamically set environment variables
+    - name: Run Semgrep High-Confidence SAST Scan
+      run: semgrep --config "$ci_config" --sarif --output="$ci_output"
+      continue-on-error: true
 
-      - name: Upload XSS SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@main
-        with:
-          sarif_file: semgrep-xss-results.sarif
-          category: "Semgrep XSS Scan"
-        if: always()
-        # Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard.
+    # Upload the XSS SARIF file
+    - name: Upload XSS SARIF file
+      uses: github/codeql-action/upload-sarif@main
+      with:
+        sarif_file: "$xss_output"
+        category: "Semgrep XSS Scan"
 
-      - name: Upload CI SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@main
-        with:
-          sarif_file: semgrep-ci-results.sarif
-          category: "Semgrep High-Confidence SAST Scan"
-        if: always()
-        # Upload the SARIF file with scan results to the GitHub Advanced Security Dashboard.
+    # Upload the High-Confidence SAST SARIF file
+    - name: Upload CI SARIF file
+      uses: github/codeql-action/upload-sarif@main
+      with:
+        sarif_file: "$ci_output"
+        category: "Semgrep High-Confidence SAST Scan"
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
@@ -0,0 +1,32 @@
+name: SonarCloud Analysis
+
+on:
+  # Trigger analysis when pushing to your main branches, and when creating a pull request.
+  push:
+    branches:
+      - main
+      - master
+      - development
+      - 'releases/**'
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  sonar-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+            java-version: '17'
+            distribution: 'temurin'
+            java-package: 'jdk'
+
+      - name: SonarCloud Scan
+        uses: sonarsource/sonarcloud-github-action@v3 # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan
+        env:
+            SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
@@ -1,3 +1,5 @@
+name: SonarQube Analysis
+
 on:
   # Trigger analysis when pushing to your main branches, and when creating a pull request.
   push:
@@ -9,35 +11,31 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
-name: Mutillidae II SonarQube Workflow
-
 jobs:
-  sonarqube:
+  sonar-scan:
     runs-on: ubuntu-latest
-
+    
     steps:
-    - name: Checkout Code
-      uses: actions/checkout@v4
-      with:
-        # Disabling shallow clones is recommended for improving the relevancy of reporting
-        fetch-depth: 0
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Compose
+        run: sudo apt-get install docker-compose
+
+      - name: Build and Run SonarQube with Docker Compose
+        # Pass the SONAR_TOKEN from GitHub Secrets as an environment variable
+        env: 
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: docker-compose up -d sonar-server
 
-    - name: Set up JDK 11 (Required for SonarQube)
-      uses: actions/setup-java@v4
-      with:
-        java-version: '11'
-        distribution: 'temurin'
-        java-package: 'jdk'
+      - name: Wait for SonarQube to be ready
+        run: sleep 180  # Adjust this time if needed, depending on your server startup time
 
-    - name: SonarQube Scan
-      uses: sonarsource/[email protected] # Latest version of SonarQube scan action
-      env:
-        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SonarQube authentication token
-        SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # SonarQube URL
+      - name: Run SonarScanner with the environment variable
+        env: 
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: docker-compose run sonar-scanner
 
-    - name: Report Quality Gate Status
-      if: always() # Ensure the status is reported even if the scan fails
-      uses: sonarsource/sonarqube-quality-gate-action@master
-      env:
-        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
+      - name: Tear down Docker Compose
+        if: always()
+        run: docker-compose down