* Add FINOS Security Actions (#693)
* add security scanning action
* add dependencycheck
* add renovate.json + change analyze to aggregate
* change action to also trigger on PR
Co-authored-by: Maurizio Pillitu <maoo@finos.org>
* Add renovate.json (#696)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Fix security scanning issues
Fix a security scanning reported issue in PresentationMLParser.java
Update semgrep config to ignore files in template and example folders
Use dashboardapproval feature from renovate bot
* Remove check on push action, keep it only for pull request
Ignore two issues detected in the code
* Ignore false positive CVE and non-fix-version CVE
Co-authored-by: Juan Estrella <juan.estrella@finos.org>
Co-authored-by: Maurizio Pillitu <maoo@finos.org>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent 2245c64, commit 15cf3ad. Showing 10 changed files with 141 additions and 2 deletions.
@@ -0,0 +1,3 @@ | ||
{ | ||
"dependencyDashboardApproval": true | ||
} |
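Review bot: this three-line file and the larger Renovate config added later in the same commit both turn on dependency dashboard approval (here as `"dependencyDashboardApproval": true`, there via the `:dependencyDashboardApproval` preset in `extends`). Renovate reads only the first config file it finds in its lookup order, so one of the two is inert; keep a single file so reviewers do not have to guess which one is live.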
@@ -0,0 +1,27 @@ | ||
name: CVE Scanning for Gradle | ||
|
||
on: | ||
schedule: | ||
- cron: '0 8,18 * * 1-5' | ||
pull_request: | ||
branches: [ main ] | ||
paths: | ||
- '**/build.gradle' | ||
- 'allow-list.xml' | ||
- '.github/workflows/cve-scanning-gradle.yml' | ||
|
||
jobs: | ||
scan: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- name: Set up JDK 11 | ||
uses: actions/setup-java@v3 | ||
with: | ||
java-version: '8' | ||
distribution: 'adopt' | ||
- name: Build with Gradle | ||
run: ./gradlew build | ||
- name: CVEs | ||
run: ./gradlew dependencyCheckAggregate | ||
|
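Review bot: the step is labelled `Set up JDK 11` but `java-version: '8'` is what actually gets installed; make the name match the version, otherwise anyone reading the run log will assume the scan was built on 11. Two smaller points in the same job: `./gradlew build` runs the full build and test suite before `./gradlew dependencyCheckAggregate`, so an unrelated test failure will skip the CVE report entirely (if only the report is wanted, the second command alone suffices), and the workflow has no top-level `permissions:` block and pins `actions/checkout` and `actions/setup-java` to the floating `@v3` tags rather than commit SHAs, which the companion Semgrep workflow repeats.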
@@ -0,0 +1,15 @@ | ||
name: Static code analysis | ||
|
||
on: [pull_request] | ||
|
||
jobs: | ||
semgrep: | ||
name: run-semgrep | ||
runs-on: ubuntu-20.04 | ||
container: | ||
image: returntocorp/semgrep | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- run: semgrep scan --error --config auto | ||
env: | ||
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} |
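Review bot: `SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}` is combined with an `on: [pull_request]` trigger, but GitHub withholds repository secrets from pull requests opened from forks, so the token will be empty on exactly the external contributions this scan is meant to gate. With `--config auto` the scan still runs against the public registry without a token, but that should be stated in the workflow, and the job should fail loudly if the token is expected. The runner is also hardcoded to `ubuntu-20.04` while the Gradle scan uses `ubuntu-latest`; pick one convention, and add a read-only `permissions:` block here as well.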
@@ -0,0 +1,29 @@ | ||
# Common large paths | ||
symphony-bdk-examples/ | ||
templates/ | ||
|
||
# Common test paths | ||
test/ | ||
|
||
# Semgrep rules folder | ||
.semgrep | ||
|
||
|
||
# generic.secrets.security.detected-aws-session-token.detected-aws-session-token | ||
# AWS Session Token detected | ||
# Details: https://sg.run/DoRW | ||
|
||
# 30┆ final String appSessionToken = ...; | ||
# ⋮┆---------------------------------------- | ||
# 40┆ final String appSessionToken = ...; | ||
symphony-bdk-core/src/main/java/com/symphony/bdk/core/auth/impl/AbstractOboAuthenticator.java | ||
|
||
# problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1 | ||
# Detects direct creations of SSLConnectionSocketFactories that don't disallow SSL v2, SSL v3, | ||
# and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server | ||
# against a list of trusted certificates. These protocols are deprecated due to POODLE, man in | ||
# the middle attacks, and other vulnerabilities. | ||
# Details: https://sg.run/l25E | ||
|
||
# 240┆ SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext); | ||
symphony-bdk-http/symphony-bdk-http-jersey2/src/main/java/com/symphony/bdk/http/jersey2/ApiClientBuilderJersey2.java |
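Review bot: the two source files at the bottom of this ignore list are excluded wholesale, which silences every current and future Semgrep finding in `AbstractOboAuthenticator.java` and `ApiClientBuilderJersey2.java`, not just the two hits quoted in the comments (`final String appSessionToken = ...;` and `new SSLConnectionSocketFactory(sslContext)`). A `// nosemgrep: <rule-id>` comment on the flagged lines keeps the rest of each file under scan. The `disallow-old-tls-versions1` entry also needs a sentence on why it is safe to ignore: the quoted single-argument constructor does not itself restrict protocol versions, so the justification must come from how `sslContext` is configured, and that reasoning belongs next to the exclusion.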
@@ -0,0 +1,49 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> | ||
<suppress> | ||
<notes><![CDATA[ | ||
Testing false positive, transitive dependency from mockserver-netty | ||
]]></notes> | ||
<gav>org.apache.commons:commons-text:1.9</gav> | ||
<cve>CVE-2022-42889</cve> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
No fix available | ||
]]></notes> | ||
<gav>org.yaml:snakeyaml:1.30</gav> | ||
<cve>CVE-2022-25857</cve> | ||
<cve>CVE-2022-38751</cve> | ||
<cve>CVE-2022-38749</cve> | ||
<cve>CVE-2022-38752</cve> | ||
<cve>CVE-2022-41854</cve> | ||
<cve>CVE-2022-38750</cve> | ||
<cve>CVE-2022-1471</cve> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
No fix available | ||
]]></notes> | ||
<gav>org.yaml:snakeyaml:1.31</gav> | ||
<cve>CVE-2022-38751</cve> | ||
<cve>CVE-2022-38752</cve> | ||
<cve>CVE-2022-41854</cve> | ||
<cve>CVE-2022-1471</cve> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
Testing false positives by suppressing a CVE | ||
https://github.com/jeremylong/DependencyCheck/issues/4528 (Do not use deprecated method) | ||
]]></notes> | ||
<gav>org.springframework.security:spring-security-crypto:5.7.5</gav> | ||
<cve>CVE-2020-5408</cve> | ||
</suppress> | ||
<suppress> | ||
<notes><![CDATA[ | ||
Testing false positives by suppressing a CVE | ||
https://github.com/spring-projects/spring-framework/issues/24434 (Do not expose HttpInvoker) | ||
]]></notes> | ||
<gav>org.springframework:spring-web:5.3.24</gav> | ||
<cve>CVE-2016-1000027</cve> | ||
</suppress> | ||
</suppressions> |
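Review bot: the `org.yaml:snakeyaml:1.30` block is annotated `No fix available` yet it suppresses `CVE-2022-25857`, `CVE-2022-38749` and `CVE-2022-38750`, none of which the `1.31` block two entries below needs to list; the file itself therefore shows that an upgrade path exists for those three and the note is misleading. None of the `<suppress>` elements carries an `until` attribute either, so the `No fix available` suppressions will silently outlive the fixes; give those a `<suppress until="YYYY-MM-DDZ">` expiry so the findings resurface for re-evaluation. Finally, the first note, `Testing false positive, transitive dependency from mockserver-netty`, reads like a placeholder: state what makes `CVE-2022-42889` unreachable through that transitive path, since "transitive" alone is not a reason to suppress.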
@@ -0,0 +1,8 @@ | ||
{ | ||
"$schema": "https://docs.renovatebot.com/renovate-schema.json", | ||
"extends": [ | ||
"config:base", | ||
":dependencyDashboardApproval" | ||
], | ||
"prHourlyLimit": 1 | ||
} |
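Review bot: with `:dependencyDashboardApproval` in `extends`, no update PR is opened until someone ticks it on the dashboard issue, and `"prHourlyLimit": 1` then throttles the approved ones; that includes the snakeyaml upgrades that would retire several entries in the suppression file added in this same commit, so the dashboard needs a named owner or those suppressions will linger. This file also carries the `$schema` and limit settings that the three-line approval-only file earlier in the commit lacks, so it is the one to keep when the two Renovate configs are consolidated.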