Add FINOS Security Actions #693
Conversation
update deps
…ony-bdk-java into security-scanning
|
Hi @yinan-symphony I added the Renovate bot I mentioned in the PR on my fork. You can see the results here TheJuanAndOnly99#3. |
|
|
||
| on: | ||
| push: | ||
| paths: |
There was a problem hiding this comment.
I would prefer this action to run on every push/pull_request if it lasts a reasonable duration. WDYT?
There was a problem hiding this comment.
Also, the documentation mentions "dependencyCheckUpdate" task to update NVD from NIST. Do we need to add it to be sure the NVD is uptodate?
There was a problem hiding this comment.
Hi @symphony-soufiane fair question. I think for a GitHub action it is not needed as the action does not cache any build artifacts.
As for the action to run on every push/pull/request. It seems it takes around ~6 min to complete. I have added the change to the action if you want to go ahead with it.
| - name: Build with Gradle | ||
| run: ./gradlew build | ||
| - name: CVEs | ||
| run: ./gradlew dependencyCheckAnalyze |
There was a problem hiding this comment.
I think that 'dependencyCheckAggregate' should be used rather to scan all modules.
Running locally dependencyCheckAnalyze showed in the report "Dependencies Scanned: 0 (0 unique)" while with 'dependencyCheckAggregate' I can see 'Dependencies Scanned: 151 (151 unique)'
There was a problem hiding this comment.
yes, in multi-module project, Aggregate should be the one to use.
There was a problem hiding this comment.
Thanks @symphony-soufiane and @yinan-symphony! I've changed it in the PR. As you can see there are a few CVEs. Can you please take a look. If they are safe to ignore you can use the allow-list.xml file to do so.
sure, thx ! we will have a look |
@TheJuanAndOnly99 could you please configure the Renovate to set |
|
@yinan-symphony I have added a renovate.json file to the PR with the |
|
@TheJuanAndOnly99 thank you for your contribute, could you please create a new PR to |
* Add FINOS Security Actions (#693) * add security scanning action * add dependecycheck * add renovate.json + change analyze to aggregate * change action to also trigger on PR Co-authored-by: Maurizio Pillitu <maoo@finos.org> * Add renovate.json (#696) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Fix security scanning issues Fix a security scanning reported issue in PresentationMLParser.java Update semgrep config to ignore files in template and example folders Use dashboardapproval feature from renovate bot * Remove check on push action, keep it only for pull request Ignore two issues detected in the code * Ignore false positive CVE and non-fix-version CVE Co-authored-by: Juan Estrella <juan.estrella@finos.org> Co-authored-by: Maurizio Pillitu <maoo@finos.org> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR adds 2 GitHub actions that perform a CVE and static code scan.
With the CVE scanning I could use some help as we are a bit unfamiliar with Gradle. The scan is passing but I am not sure if dependencyCheckAnalyze task is taking in consideration all project sub-modules. Could you please point me in the right direction here?
As far as the static code scan goes there were also many findings. Please also take a look at these as we believe this tool does a good job at pointing out any potential vulnerabilities. If you need to bypass any you can do so (like I did here).
Additional steps that would greatly improve the security posture of this project:
Eager to hear your thoughts on it, and happy to adjust the aim based on your feedback.