-
Notifications
You must be signed in to change notification settings - Fork 12
277 lines (221 loc) · 9.15 KB
/
compliance.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
name: Compliance
on:
# Run compliance jobs for pull requests, to make sure there are no issues before merging
pull_request:
# Re-run compliance jobs in main, to make sure there are no issues from the merge
push:
branches:
- main
# Use the release:publish event to generate compliance reports for releases
# This lines up with the packaging workflow, so reports will be published when packages are published
release:
types:
- published
# Allow manual triggering of the compliance jobs
workflow_dispatch:
# Use latest supported language versions for compliance jobs
env:
JAVA_VERSION: "21"
JAVA_DISTRIBUTION: "zulu"
PYTHON_VERSION: "3.12"
NODE_VERSION: "22"
jobs:
platform_compliance:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Java
uses: actions/setup-java@v4
with:
distribution: ${{ env.JAVA_DISTRIBUTION }}
java-version: ${{ env.JAVA_VERSION }}
cache: gradle
- name: License check
run: ./gradlew checkLicense
# Use a cache to save downloading the whole NVD on every build
# Dependency check will automatically look for updates and download the delta
- name: NVD restore cache (Java Platform)
id: cacheRestore
uses: actions/cache/restore@v4
with:
key: nvd-cache-java-platform
path: ./build/compliance-cache/nvd_java_platform
- name: OWASP recreate cache
if: steps.cacheRestore.outputs.cache-hit != 'true'
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
# In case of problems with this job, try enabling / disabling the remote cache
NVD_DATAFEED: "https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache/"
run: ./gradlew dependencyCheckUpdate
- name: OWASP dependency check
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
# In case of problems with this job, try enabling / disabling the remote cache
NVD_DATAFEED: "https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache/"
run: ./gradlew dependencyCheckAggregate
- name: NVD save cache (Java Platform)
if: always()
uses: actions/cache/save@v4
with:
key: nvd-cache-java-platform
path: ./build/compliance-cache/nvd_java_platform
# Always save the reports - they are especially needed when the checks have failed!
- name: Store compliance reports
uses: actions/upload-artifact@v4
if: always()
with:
name: compliance-reports-java
path: build/compliance/**
python_runtime_compliance:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: PIP Upgrade
run: python -m pip install --upgrade pip
# Make sure to check compliance on both core and plugin dependencies
- name: Install dependencies
run: |
cd tracdap-runtime/python
pip install -r requirements.txt
pip install -r requirements_plugins.txt
- name: License check
run: |
# Source license excpetions
. dev/compliance/license-config-python.sh
mkdir -p build/compliance/python-runtime-licenses
cd tracdap-runtime/python
pip-licenses --format=json --ignore-packages $IGNORE_LICENSE > ../../build/compliance/python-runtime-licenses/python-runtime-licenses.json
pip-licenses --format=html --ignore-packages $IGNORE_LICENSE > ../../build/compliance/python-runtime-licenses/python-runtime-licenses.html
pip-licenses --allow-only="$ALLOWED_LICENSES" --ignore-packages $IGNORE_LICENSE
# CVE-2019-8341 (safety id: 70612) is a vulnerability in the latest version of Jinja2, no fix is available
# It is only pulled in as a dependency of safety check itself, it is not a dependency of the dist wheels
- name: Safety check
run: |
mkdir -p build/compliance/python-runtime-safety
cd tracdap-runtime/python
safety check --ignore 70612 --output text > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.txt
safety check --ignore 70612 --output json > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.json
# Always save the reports - they are especially needed when the checks have failed!
- name: Store compliance reports
uses: actions/upload-artifact@v4
if: always()
with:
name: compliance-reports-python
path: build/compliance/**
web_api_compliance:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm
cache-dependency-path: tracdap-api/packages/web/package-lock.json
- name: Install dependencies
run: |
cd tracdap-api/packages/web
npm install
- name: License check
run: |
cd tracdap-api/packages/web
npm run compliance-licenses
- name: NPM audit
run: |
mkdir -p build/compliance/web-api-npm-audit
cd tracdap-api/packages/web
npm run compliance-audit
# Use a cache to save downloading global compliance data on every build (e.g. NVD)
# Compliance tasks will automatically look for updates and download deltas
- name: NVD restore cache (Web API)
uses: actions/cache/restore@v4
with:
key: nvd-cache-web-api
path: ./build/compliance-cache/nvd_web_api
# ODC version must be forced because the NodeJS wrapper breaks for versions >= 10.0.0
- name: OWASP dependency check
env:
NVD_DATAFEED: "https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache/"
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
run: |
mkdir -p build/compliance
cd tracdap-api/packages/web
mkdir -p ./dependency-check-bin/latest
if [ -n "${NVD_API_KEY}" ]; then
npm run compliance-owasp -- --nvdDatafeed "${NVD_DATAFEED}" --nvdApiKey "${NVD_API_KEY}"
else
npm run compliance-owasp -- --nvdDatafeed "${NVD_DATAFEED}"
fi
- name: NVD save cache (Web API)
if: always()
uses: actions/cache/save@v4
with:
key: nvd-cache-web-api
path: ./build/compliance-cache/nvd_web_api
# Always save the reports - they are especially needed when the checks have failed!
- name: Store compliance reports
uses: actions/upload-artifact@v4
if: always()
with:
name: compliance-reports-web
path: build/compliance/**
publish_to_github:
if: ${{ github.event_name == 'release' && github.event.action == 'published' }}
runs-on: ubuntu-latest
needs:
- platform_compliance
- python_runtime_compliance
- web_api_compliance
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get TRAC version
id: tracdap-version
run: |
tracdap_version=`dev/version.sh`
echo "tracdap_version = ${tracdap_version}"
echo "tracdap_version=${tracdap_version}" >> $GITHUB_OUTPUT
- name: Fetch Java compliance report artifacts
uses: actions/download-artifact@v4
with:
name: compliance-reports-java
path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}
- name: Fetch Python compliance report artifacts
uses: actions/download-artifact@v4
with:
name: compliance-reports-python
path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}
- name: Fetch web API compliance report artifacts
uses: actions/download-artifact@v4
with:
name: compliance-reports-web
path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}
- name: Build compliance reports tarball
run: zip -r tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.zip tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}/
- name: Publish compliance reports
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload $RELEASE_TAG tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.zip