From 4d822efba279fd74c1483cb26404aadf0587a87a Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Wed, 5 Apr 2023 16:34:56 +0900
Subject: [PATCH 01/40] Test Synopsys GHA with Black Duck and prcomment

---
 .github/workflows/synopsys-blackduck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 1b6e571b..7b1ace55 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -34,7 +34,7 @@ jobs:
 # multiple parameters
 blackduck_scan_failure_severities: "BLOCKER"
 #blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL"
- #blackduck_automation_prcomment: true
+ blackduck_automation_prcomment: true
 # Optional parameter, but usually specified - the location of the Synopsys Bridge software
 # The Synopsys Bridge software distribution is platform specific - this must match the host OS
 # of your runner. For example in this case, we are using the latest version for Linux.

From 8255add5c62f494bb1a4c2c8452561dbff96960a Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Wed, 5 Apr 2023 16:36:45 +0900
Subject: [PATCH 02/40] Test Synopsys GHA with Black Duck and prcomment. Attempt-2

---
 .github/workflows/synopsys-blackduck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 7b1ace55..92597dbf 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -2,7 +2,7 @@ name: Synopsys Security Testing for Black Duck
 on:
 push:
- branches: [ master, main ]
+ branches: [ master, main, demo-dev ]
 pull_request:
 branches: [ master, main ]

From 38da8e8267293df3765df2a8430b92f223e620f4 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Wed, 5 Apr 2023 16:43:04 +0900
Subject: [PATCH 03/40] Commit for Synopsys GHA pull request test

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 52642169..249500a7 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+# Target Project for Synopsys Github Actions Test
+
 # Java Sec Code

From cc500108495ff904b0d82b6e5eb100ec86bee46f Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Thu, 6 Apr 2023 14:57:24 +0900
Subject: [PATCH 04/40] Enabled prcomment and auto fix for testing

---
 .github/workflows/synopsys-blackduck.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 92597dbf..b540afe0 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -27,12 +27,12 @@ jobs:
 github_token: ${{ secrets.MY_GITHUB_TOKEN }}
 # Optional parameter. By default, create fix pull requests if vulnerabilities are reported
 # Passing false will disable fix pull request creation
- blackduck_automation_fixpr: false
+ blackduck_automation_fixpr: true
 # Optional parameter. The values could be. ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED
 # Single parameter
 #blackduck_scan_failure_severities: "ALL"
 # multiple parameters
- blackduck_scan_failure_severities: "BLOCKER"
+ blackduck_scan_failure_severities: "NONE"
 #blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL"
 blackduck_automation_prcomment: true
 # Optional parameter, but usually specified - the location of the Synopsys Bridge software

From 36ffe8bc55c6fb8d0e1be2f7bde9ea938b976fbc Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Thu, 6 Apr 2023 16:07:37 +0900
Subject: [PATCH 05/40] Modified printed string for test

---
 src/main/java/org/joychou/RMI/Server.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/joychou/RMI/Server.java b/src/main/java/org/joychou/RMI/Server.java
index 3cf6b653..00f72604 100644
--- a/src/main/java/org/joychou/RMI/Server.java
+++ b/src/main/java/org/joychou/RMI/Server.java
@@ -20,7 +20,7 @@ public static void main(String args[]) {
 LocateRegistry.createRegistry(1099);
 Registry registry = LocateRegistry.getRegistry();
 registry.bind("Hello", stub);
- System.out.println("绑定1099端口成功");
+ System.out.println("绑定1099端口成功. It is probably saying successful creation of registory.");
 } catch (Exception e) {
 System.err.println("Server exception: " + e.toString());
 e.printStackTrace();

From e4ef9d72955d7603bf52e14349afc6f107d5ae7e Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Thu, 6 Apr 2023 16:54:34 +0900
Subject: [PATCH 06/40] Update synopsys-blackduck.yml

---
 .github/workflows/synopsys-blackduck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index b540afe0..0d161ac7 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -5,7 +5,7 @@ on:
 branches: [ master, main, demo-dev ]
 pull_request:
- branches: [ master, main ]
+ branches: [ master, main, demo-dev ]
 jobs:
 build:

From 68d9c8221e94943f7ccbfa972b79aa09a71c3346 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Mon, 10 Apr 2023 20:03:43 +0900
Subject: [PATCH 07/40] Update synopsys-blackduck.yml

---
 .github/workflows/synopsys-blackduck.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 0d161ac7..f883909b 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -39,3 +39,4 @@ jobs:
 # The Synopsys Bridge software distribution is platform specific - this must match the host OS
 # of your runner. For example in this case, we are using the latest version for Linux.
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
+ github_repository_branch.name: "demo-dev"

From d64fe767b4bda95539f650b2e974f898c8523f51 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Mon, 10 Apr 2023 20:16:14 +0900
Subject: [PATCH 08/40] Update synopsys-blackduck.yml

---
 .github/workflows/synopsys-blackduck.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index f883909b..0d161ac7 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -39,4 +39,3 @@ jobs:
 # The Synopsys Bridge software distribution is platform specific - this must match the host OS
 # of your runner. For example in this case, we are using the latest version for Linux.
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
- github_repository_branch.name: "demo-dev"

From 6049c4dcf8f7c19826b6101148463a9b93ef95cb Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Wed, 12 Apr 2023 14:16:27 +0900
Subject: [PATCH 09/40] Update synopsys-blackduck.yml

---
 .github/workflows/synopsys-blackduck.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 0d161ac7..7118d4d6 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -2,10 +2,10 @@ name: Synopsys Security Testing for Black Duck
 on:
 push:
- branches: [ master, main, demo-dev ]
+ branches: [ master ]
 pull_request:
- branches: [ master, main, demo-dev ]
+ branches: [ master ]
 jobs:
 build:
@@ -27,13 +27,13 @@ jobs:
 github_token: ${{ secrets.MY_GITHUB_TOKEN }}
 # Optional parameter. By default, create fix pull requests if vulnerabilities are reported
 # Passing false will disable fix pull request creation
- blackduck_automation_fixpr: true
+ blackduck_automation_fixpr: false
 # Optional parameter. The values could be. ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED
 # Single parameter
 #blackduck_scan_failure_severities: "ALL"
 # multiple parameters
- blackduck_scan_failure_severities: "NONE"
- #blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL"
+ #blackduck_scan_failure_severities: "NONE"
+ blackduck_scan_failure_severities: "BLOCKER,CRITICAL"
 blackduck_automation_prcomment: true
 # Optional parameter, but usually specified - the location of the Synopsys Bridge software
 # The Synopsys Bridge software distribution is platform specific - this must match the host OS

From 87853f384adaf2dbad09d4789caa96f51b711d0f Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Wed, 12 Apr 2023 14:42:56 +0900
Subject: [PATCH 10/40] Change to capital for token to see if it works

---
 .github/workflows/synopsys-blackduck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 7118d4d6..16ea4650 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -24,7 +24,7 @@ jobs:
 blackduck_scan_full: true
 # Required parameter if blackduck_automation_fixpr is enabled
 # Make sure GITHUB_TOKEN have appropriate permissions
- github_token: ${{ secrets.MY_GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
 # Optional parameter. By default, create fix pull requests if vulnerabilities are reported
 # Passing false will disable fix pull request creation
 blackduck_automation_fixpr: false

From e0637efb4f7f8cd0a6ff479b166afc69d30d826b Mon Sep 17 00:00:00 2001
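Review bot: Renaming the input key from `github_token` to `GITHUB_TOKEN` inside `with:` is unlikely to change anything, because as far as I know GitHub lower-cases action input ids at runtime and hands them to the action as `INPUT_<NAME>` either way; the authoritative spelling is whatever the action's own `action.yml` declares, so it is worth checking there instead of testing by commit. The more important point on this line is the value: a personal-access-token secret (`MY_GITHUB_TOKEN`) is being used where the job's short-lived, automatically scoped token would usually do, and the workflow declares no `permissions:` block at all. A PAT outlives the run and typically carries broader scope than PR comments or fix PRs need, so prefer the built-in token with an explicit least-privilege stanza such as `permissions: { contents: read, pull-requests: write }` (adding `contents: write` only while `blackduck_automation_fixpr` is on), and fall back to a fine-grained PAT only if the action genuinely cannot work with the built-in one.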
From: Makoto Koishi
Date: Wed, 12 Apr 2023 15:34:50 +0900
Subject: [PATCH 11/40] Switch to self-hosted bc BD PR comment requires it

---
 .github/workflows/synopsys-blackduck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 16ea4650..6209a34f 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -9,7 +9,7 @@ on:
 jobs:
 build:
- runs-on: ubuntu-latest
+ runs-on: [self-hosted]
 steps:
 - name: Checkout
 uses: actions/checkout@v3

From 63167a3330ed9f1df11cb7cac7681381ebdb177e Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Thu, 13 Apr 2023 16:25:33 +0900
Subject: [PATCH 12/40] Synopsys GHA PR comment test

---
 .github/workflows/synopsys-blackduck.yml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 6209a34f..39c0e68b 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -7,6 +7,9 @@ on:
 pull_request:
 branches: [ master ]
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
 jobs:
 build:
 runs-on: [self-hosted]
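Review bot: `runs-on: [self-hosted]` moves the build onto your own persistent machine while the workflow still triggers on `pull_request`, so the checkout and build steps of any pull request now execute on that host; GitHub's own guidance is not to use self-hosted runners for repositories that accept pull requests from outside contributors, because a PR can run arbitrary build logic on the runner and anything cached or stored there. If the Black Duck PR-comment feature really requires it, contain the exposure: run the job in an ephemeral runner (fresh VM or container per job), keep the runner host free of credentials beyond the secrets this job consumes, and require approval for first-time contributors at the repository level. Record the reason and constraint next to the line, e.g. `runs-on: [self-hosted]  # required by Black Duck PR comment; runner must be ephemeral`, so the next maintainer does not assume the hosted image was dropped by accident.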
@@ -14,17 +17,16 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v3
 - name: Synopsys Action
- uses: synopsys-sig/synopsys-action@v1.1.0
+ uses: synopsys-sig/synopsys-action@main
 with:
 blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
 blackduck_url: ${{ secrets.BLACKDUCK_URL }}
-
- # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests
- # will initiate a rapid scan.
- blackduck_scan_full: true
 # Required parameter if blackduck_automation_fixpr is enabled
 # Make sure GITHUB_TOKEN have appropriate permissions
 GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
+ # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests
+ # will initiate a rapid scan.
+ blackduck_scan_full: true
 # Optional parameter. By default, create fix pull requests if vulnerabilities are reported
 # Passing false will disable fix pull request creation
 blackduck_automation_fixpr: false
@@ -32,7 +34,6 @@ jobs:
 # Single parameter
 #blackduck_scan_failure_severities: "ALL"
 # multiple parameters
- #blackduck_scan_failure_severities: "NONE"
 blackduck_scan_failure_severities: "BLOCKER,CRITICAL"
 blackduck_automation_prcomment: true
 # Optional parameter, but usually specified - the location of the Synopsys Bridge software

From 6ac53408797a88f85c40d81dd72df83aaa402161 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Thu, 13 Apr 2023 16:48:43 +0900
Subject: [PATCH 13/40] Trying PR comment with rapid scan

---
 .github/workflows/synopsys-blackduck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 39c0e68b..1e4af17c 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
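Review bot: `uses: synopsys-sig/synopsys-action@main` replaces the tagged `v1.1.0` with a mutable branch, so every run executes whatever is at the tip of `main` at that moment, and this is the step that receives `BLACKDUCK_API_TOKEN` and `MY_GITHUB_TOKEN`; a broken or compromised upstream commit would flow straight into this job with those secrets in hand. Pin to a release tag or, better, a full commit SHA with the version noted beside it, e.g. `uses: synopsys-sig/synopsys-action@<full-commit-sha>  # vX.Y.Z` (placeholder), and let Dependabot propose bumps. If `@main` is needed temporarily to pick up an unreleased fix, say so in a comment on the same line so it does not silently become permanent.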
@@ -26,7 +26,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
 # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests
 # will initiate a rapid scan.
- blackduck_scan_full: true
+ blackduck_scan_full: false
 # Optional parameter. By default, create fix pull requests if vulnerabilities are reported
 # Passing false will disable fix pull request creation
 blackduck_automation_fixpr: false

From bce69ba7f428901edb6e97822d3509aa38ebc352 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Thu, 13 Apr 2023 19:51:31 +0900
Subject: [PATCH 14/40] Try BD full scan

---
 .github/workflows/synopsys-blackduck.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 1e4af17c..58685446 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -26,7 +26,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
 # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests
 # will initiate a rapid scan.
- blackduck_scan_full: false
+ blackduck_scan_full: true
 # Optional parameter. By default, create fix pull requests if vulnerabilities are reported
 # Passing false will disable fix pull request creation
 blackduck_automation_fixpr: false
@@ -40,3 +40,5 @@ jobs:
 # The Synopsys Bridge software distribution is platform specific - this must match the host OS
 # of your runner. For example in this case, we are using the latest version for Linux.
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
+ env:
+ BLACKDUCK_PROJECT_NAME: ${{ var.BLACKDUCK_PROJECT }}

From 4c4232c736ba07b3ccc8d3b784f75b818567e9ec Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Thu, 13 Apr 2023 19:53:00 +0900
Subject: [PATCH 15/40] Try BD full scan 2

---
 .github/workflows/synopsys-blackduck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 58685446..6961978f 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -41,4 +41,4 @@ jobs:
 # of your runner. For example in this case, we are using the latest version for Linux.
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
 env:
- BLACKDUCK_PROJECT_NAME: ${{ var.BLACKDUCK_PROJECT }}
+ BLACKDUCK_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}

From 3f560c8c21405c1a5404b3276487a014fd360890 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Thu, 13 Apr 2023 20:02:14 +0900
Subject: [PATCH 16/40] Try BD full scan 3

---
 .github/workflows/synopsys-blackduck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 6961978f..6e886455 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -41,4 +41,4 @@ jobs:
 # of your runner. For example in this case, we are using the latest version for Linux.
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
 env:
- BLACKDUCK_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
+ DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}

From ddf53f91bbc0406d428e5406f500dda4b7117e3c Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Fri, 14 Apr 2023 14:41:37 +0900
Subject: [PATCH 17/40] Switch to Rapid Full Scan

---
 .github/workflows/synopsys-blackduck.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 6e886455..46ee35c0 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -42,3 +42,4 @@ jobs:
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
 env:
 DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
+ DETECT_PROJECT_VERSION_NAME: ${{ GITHUB_JOB }}

From d4324e79c2cee1303df444dc1fbfbedcb79452eb Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Fri, 14 Apr 2023 14:44:16 +0900
Subject: [PATCH 18/40] Switch to Rapid Full Scan attempt 2

---
 .github/workflows/synopsys-blackduck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 46ee35c0..130fe60e 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -42,4 +42,4 @@ jobs:
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
 env:
 DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
- DETECT_PROJECT_VERSION_NAME: ${{ GITHUB_JOB }}
+ DETECT_PROJECT_VERSION_NAME: ${{ vars.GITHUB_JOB }}

From 8d0fed528933cd3bb78043d6f8364056c8a7b967 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Fri, 14 Apr 2023 15:00:14 +0900
Subject: [PATCH 19/40] Switch to Rapid Full Scan attempt 2

---
 .github/workflows/synopsys-blackduck.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 130fe60e..102a8f18 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -41,5 +41,6 @@ jobs:
 # of your runner. For example in this case, we are using the latest version for Linux.
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
 env:
- DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
- DETECT_PROJECT_VERSION_NAME: ${{ vars.GITHUB_JOB }}
+ #DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
+ #DETECT_PROJECT_VERSION_NAME: ${{ vars.GITHUB_JOB }}
+ DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT
\ No newline at end of file

From 534dae60833a27c33913aff87cebe8a2dd0bb336 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Fri, 14 Apr 2023 15:10:22 +0900
Subject: [PATCH 20/40] Set default to Scan failure sverities

---
 .github/workflows/synopsys-blackduck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

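Review bot: `${{ vars.GITHUB_JOB }}` cannot resolve to anything useful: the `vars` context holds repository, organization and environment configuration variables, and GitHub does not allow a variable whose name starts with `GITHUB_` to be created, so `DETECT_PROJECT_VERSION_NAME` ends up as an empty string rather than the job id the previous attempt was reaching for. The job id lives in the `github` context, so the line should read `DETECT_PROJECT_VERSION_NAME: ${{ github.job }}` (or `${{ github.ref_name }}` if the branch name was the real intent, which the later hard-coded `demo-dev` suggests). The same expression is commented out in PATCH 19 and re-enabled unchanged in PATCH 23's second hunk, so it needs the fix in both places.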
diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 102a8f18..75f9c00f 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -34,7 +34,7 @@ jobs:
 # Single parameter
 #blackduck_scan_failure_severities: "ALL"
 # multiple parameters
- blackduck_scan_failure_severities: "BLOCKER,CRITICAL"
+ #blackduck_scan_failure_severities: "BLOCKER,CRITICAL"
 blackduck_automation_prcomment: true
 # Optional parameter, but usually specified - the location of the Synopsys Bridge software
 # The Synopsys Bridge software distribution is platform specific - this must match the host OS

From 0642e107e9dc16f799334973cd41297417cf3f38 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Fri, 14 Apr 2023 15:30:46 +0900
Subject: [PATCH 21/40] Add more java code to see if vulns are detected

---
 .../ForwardNullExample.java | 15 +++++++++++++++
 .../synopsys-action-demo/HelloWorld.java | 8 ++++++++
 .../NullReturnsExample.java | 18 ++++++++++++++++++
 .../ReverseNullExample.java | 18 ++++++++++++++++++
 4 files changed, 59 insertions(+)
 create mode 100644 src/main/java/org/joychou/synopsys-action-demo/ForwardNullExample.java
 create mode 100644 src/main/java/org/joychou/synopsys-action-demo/HelloWorld.java
 create mode 100644 src/main/java/org/joychou/synopsys-action-demo/NullReturnsExample.java
 create mode 100644 src/main/java/org/joychou/synopsys-action-demo/ReverseNullExample.java

diff --git a/src/main/java/org/joychou/synopsys-action-demo/ForwardNullExample.java b/src/main/java/org/joychou/synopsys-action-demo/ForwardNullExample.java
new file mode 100644
index 00000000..9615ce06
--- /dev/null
+++ b/src/main/java/org/joychou/synopsys-action-demo/ForwardNullExample.java
@@ -0,0 +1,15 @@
+public class ForwardNullExample {
+ public static Object callA() {
+ // This causes a FORWARD_NULL defect report
+ return testA(null);
+ }
+
+ public static Object callB() {
+ // No defect report
+ return testA(new Object());
+ }
+
+ public static String testA(Object o) {
+ return o.toString();
+ }
+}
diff --git a/src/main/java/org/joychou/synopsys-action-demo/HelloWorld.java b/src/main/java/org/joychou/synopsys-action-demo/HelloWorld.java
new file mode 100644
index 00000000..a9d0517a
--- /dev/null
+++ b/src/main/java/org/joychou/synopsys-action-demo/HelloWorld.java
@@ -0,0 +1,8 @@
+public class HelloWorld {
+ public static void main(String[] args) {
+ //String secret = "It's a secret to everybody.";
+ //try { javax.crypto.spec.SecretKeySpec keyspec = new javax.crypto.spec.SecretKeySpec(secret.getBytes("UTF-8"), "AES"); }
+ //catch (Exception e) { System.out.println("Something went wrong."); }
+ System.out.println("Hello World!");
+ }
+}
diff --git a/src/main/java/org/joychou/synopsys-action-demo/NullReturnsExample.java b/src/main/java/org/joychou/synopsys-action-demo/NullReturnsExample.java
new file mode 100644
index 00000000..1957efae
--- /dev/null
+++ b/src/main/java/org/joychou/synopsys-action-demo/NullReturnsExample.java
@@ -0,0 +1,18 @@
+public class NullReturnsExample {
+ static int count = 0;
+
+ public static Object returnA() {
+ return null;
+ }
+ public static Object returnB() {
+ return new Object();
+ }
+ public static void testA() {
+ // This demonstrates a very straightforward null-return bug
+ returnA().toString();
+ }
+ public static void testB() {
+ // no bug here
+ returnB().toString();
+ }
+}
diff --git a/src/main/java/org/joychou/synopsys-action-demo/ReverseNullExample.java b/src/main/java/org/joychou/synopsys-action-demo/ReverseNullExample.java
new file mode 100644
index 00000000..c842b1a9
--- /dev/null
+++ b/src/main/java/org/joychou/synopsys-action-demo/ReverseNullExample.java
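Review bot: Nothing in `ForwardNullExample` says that the `testA(null)` dereference is deliberate, and the same is true of the sibling fixtures `NullReturnsExample` and `ReverseNullExample` added in this patch, so a later maintainer or an auto-fix tool will read them as ordinary defects in `src/main/java` and repair them. Add a one-line header to each file, e.g. `// Deliberate static-analysis fixture (Synopsys action test); the null dereference below is the expected finding. Do not "fix".`. The files also carry no `package` declaration, which is consistent with `synopsys-action-demo` not being a legal package name, so they land in the default package; javac accepts that, but build plugins and IDEs may warn, which is one more reason to mark them as test scaffolding rather than application code.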
@@ -0,0 +1,18 @@
+public class ReverseNullExample {
+ public static Object callA(Object o) {
+ return "hi";
+ }
+ public static Object callB(Object o) {
+ return o.toString();
+ }
+
+ public static String testA(Object o) {
+ // callB dereferences o, making the later check a bug
+ // if this were callA, no bug would be reported here.
+ System.out.println(callB(o));
+ if( o == null ) {
+ System.out.println("It's null");
+ }
+ return "done";
+ }
+}

From c72cb7040e1baa50b97a8629ce9a907139595a52 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Sat, 15 Apr 2023 10:08:40 +0900
Subject: [PATCH 22/40] Switch to Rapid scan

---
 .github/workflows/synopsys-blackduck.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 75f9c00f..d7472af1 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -26,7 +26,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
 # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests
 # will initiate a rapid scan.
- blackduck_scan_full: true
+ blackduck_scan_full: false
 # Optional parameter. By default, create fix pull requests if vulnerabilities are reported
 # Passing false will disable fix pull request creation
 blackduck_automation_fixpr: false
@@ -43,4 +43,4 @@ jobs:
 env:
 #DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
 #DETECT_PROJECT_VERSION_NAME: ${{ vars.GITHUB_JOB }}
- DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT
\ No newline at end of file
+ DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT

From bd5f62a5f7095a8cdc32695b37da76a75a6c1187 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Sat, 15 Apr 2023 10:32:21 +0900
Subject: [PATCH 23/40] Switch to full scan

---
 .github/workflows/synopsys-blackduck.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index d7472af1..232ee18d 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -26,7 +26,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
 # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests
 # will initiate a rapid scan.
- blackduck_scan_full: false
+ blackduck_scan_full: true
 # Optional parameter. By default, create fix pull requests if vulnerabilities are reported
 # Passing false will disable fix pull request creation
 blackduck_automation_fixpr: false
@@ -41,6 +41,6 @@ jobs:
 # of your runner. For example in this case, we are using the latest version for Linux.
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
 env:
- #DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
- #DETECT_PROJECT_VERSION_NAME: ${{ vars.GITHUB_JOB }}
- DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT
+ DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
+ DETECT_PROJECT_VERSION_NAME: ${{ vars.GITHUB_JOB }}
+ #DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT

From 30c331da98249648559b5dea124e74a27d97ee2c Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Sat, 15 Apr 2023 14:23:15 +0900
Subject: [PATCH 24/40] Workaround Black Duck full scan SCM related check

---
 .github/workflows/synopsys-blackduck.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 232ee18d..8ba8b84c 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -43,4 +43,5 @@ jobs:
 env:
 DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
 DETECT_PROJECT_VERSION_NAME: ${{ vars.GITHUB_JOB }}
+ DETECT_EXCLUDED_DETECTOR_TYPES: GIT
 #DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT

From 0f31213122ff324c5798040f78c7919e2f4155cc Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Sat, 15 Apr 2023 14:59:18 +0900
Subject: [PATCH 25/40] Test with SCM-Connected BD project

---
 .github/workflows/synopsys-blackduck.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 8ba8b84c..c59c32dc 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -42,6 +42,5 @@ jobs:
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
 env:
 DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
- DETECT_PROJECT_VERSION_NAME: ${{ vars.GITHUB_JOB }}
- DETECT_EXCLUDED_DETECTOR_TYPES: GIT
+ DETECT_PROJECT_VERSION_NAME: demo-dev
 #DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT

From 32ec4df74e7d02c77ca0ad93e6494cc2f3876780 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Mon, 17 Apr 2023 08:52:37 +0900
Subject: [PATCH 26/40] Set --blackduck.trust.cert to true

---
 .github/workflows/synopsys-blackduck.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index c59c32dc..9c53b6e8 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -43,4 +43,5 @@ jobs:
 env:
 DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
 DETECT_PROJECT_VERSION_NAME: demo-dev
+ BLACKDUCK_TRUST_CERT: true
 #DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT

From c4f462d60c22ebf88b56b356d7a857e8c27bf4c2 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Mon, 17 Apr 2023 09:12:59 +0900
Subject: [PATCH 27/40] Wait until receiving results to test PR comment

---
 .github/workflows/synopsys-blackduck.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 9c53b6e8..53a9c3ac 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
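Review bot: `BLACKDUCK_TRUST_CERT: true` (PATCH 26's hunk) switches off TLS certificate verification for the very connection over which `BLACKDUCK_API_TOKEN` is sent, so anything on the path between the self-hosted runner and the Black Duck server can present its own certificate, terminate the session and read the token. If the server uses an internal or self-signed CA, the durable fix is to import that CA into the runner's trust store (or the JVM truststore Detect runs with) and leave this flag off. If it has to stay for a throw-away test environment, record why and when it goes away next to the line, e.g. `BLACKDUCK_TRUST_CERT: true  # TEMP: test server has a self-signed cert; remove once the CA is installed on the runner`. Whether this `env:` is the step-level block or the job-level block is not visible in the hunk; if it is job-level, the relaxation also applies to every other step that reads it.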
@@ -44,4 +44,5 @@ jobs:
 DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
 DETECT_PROJECT_VERSION_NAME: demo-dev
 BLACKDUCK_TRUST_CERT: true
+ DETECT_WAIT_FOR_RESULTS: ${{ vars.DETECT_WAIT_FOR_RESULTS }}
 #DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT

From ed9d345596c3b50ce8a3d80066bfcd7eea503032 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Mon, 17 Apr 2023 09:18:51 +0900
Subject: [PATCH 28/40] Switch to rapid scan

---
 .github/workflows/synopsys-blackduck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 53a9c3ac..1b121686 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -26,7 +26,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
 # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests
 # will initiate a rapid scan.
- blackduck_scan_full: true
+ blackduck_scan_full: false
 # Optional parameter. By default, create fix pull requests if vulnerabilities are reported
 # Passing false will disable fix pull request creation
 blackduck_automation_fixpr: false

From 6250dee838fbd4ecf36809d137757a2dc316dac0 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Fri, 21 Apr 2023 12:26:36 +0900
Subject: [PATCH 29/40] Test with Rapid Scan to get Policy Violations

---
 .github/workflows/synopsys-blackduck.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 1b121686..b011f65f 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -44,5 +44,4 @@ jobs:
 DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
 DETECT_PROJECT_VERSION_NAME: demo-dev
 BLACKDUCK_TRUST_CERT: true
- DETECT_WAIT_FOR_RESULTS: ${{ vars.DETECT_WAIT_FOR_RESULTS }}
 #DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT

From 0af644908cd0345564b93afc16322b71eab6eda9 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Fri, 21 Apr 2023 14:24:16 +0900
Subject: [PATCH 30/40] Added Polaris but without PR automation

---
 ...ynopsys-blackduck.yml => synopsys-ast.yml} | 33 +++++++++++--------
 1 file changed, 20 insertions(+), 13 deletions(-)
 rename .github/workflows/{synopsys-blackduck.yml => synopsys-ast.yml} (55%)

diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-ast.yml
similarity index 55%
rename from .github/workflows/synopsys-blackduck.yml
rename to .github/workflows/synopsys-ast.yml
index b011f65f..1f95ebe3 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-ast.yml
@@ -16,25 +16,15 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v3
- - name: Synopsys Action
+ - name: Synopsys Action Black Duck
 uses: synopsys-sig/synopsys-action@main
 with:
+ GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
+
 blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
 blackduck_url: ${{ secrets.BLACKDUCK_URL }}
- # Required parameter if blackduck_automation_fixpr is enabled
- # Make sure GITHUB_TOKEN have appropriate permissions
- GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
- # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests
- # will initiate a rapid scan.
 blackduck_scan_full: false
- # Optional parameter. By default, create fix pull requests if vulnerabilities are reported
- # Passing false will disable fix pull request creation
 blackduck_automation_fixpr: false
- # Optional parameter. The values could be. ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED
- # Single parameter
- #blackduck_scan_failure_severities: "ALL"
- # multiple parameters
- #blackduck_scan_failure_severities: "BLOCKER,CRITICAL"
 blackduck_automation_prcomment: true
 # Optional parameter, but usually specified - the location of the Synopsys Bridge software
 # The Synopsys Bridge software distribution is platform specific - this must match the host OS
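Review bot: The rewrite of the Black Duck step strips every explanatory comment from its inputs, including the reminder that the token passed as `GITHUB_TOKEN` needs specific permissions and the note that `blackduck_scan_full` chooses between a full and a rapid scan, leaving a bare list of keys whose meaning the next reader has to look up. Keep one short comment per non-obvious input, e.g. `# PAT used for PR comments; needs pull-requests: write` above `GITHUB_TOKEN` and `# false = rapid scan (default for pull requests)` above `blackduck_scan_full`. The added blank `+` line between `GITHUB_TOKEN` and `blackduck_apiToken` inside `with:` is harmless to the parser but reads as a leftover; either drop it or make it a comment that labels the group.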
@@ -45,3 +35,20 @@ jobs:
 DETECT_PROJECT_VERSION_NAME: demo-dev
 BLACKDUCK_TRUST_CERT: true
 #DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT
+ - name: Synopsys Action Polaris
+ uses: synopsys-sig/synopsys-action@main
+ with:
+ GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
+
+ polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }}
+ polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+ polaris_application_name: ${{ POLARIS_APPLICATION_NAME }}
+ polaris_project_name: ${{ POLARIS_PROJECT_NAME }}
+ polaris_assessment_types: ${{ POLARIS_ASSESSMENT_TYPES }}
+ # Waiting for automation
+ #polaris_automation_fixpr: false
+ #polaris_automation_prcomment: true
+ # Optional parameter, but usually specified - the location of the Synopsys Bridge software
+ # The Synopsys Bridge software distribution is platform specific - this must match the host OS
+ # of your runner. For example in this case, we are using the latest version for Linux.
+ #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
\ No newline at end of file

From df97b0d5a25fa63f473e43eafa0ff2efddd8c6a6 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Fri, 21 Apr 2023 14:26:05 +0900
Subject: [PATCH 31/40] Fixed typo in Polaris params

---
 .github/workflows/synopsys-ast.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/synopsys-ast.yml b/.github/workflows/synopsys-ast.yml
index 1f95ebe3..35edbb5e 100644
--- a/.github/workflows/synopsys-ast.yml
+++ b/.github/workflows/synopsys-ast.yml
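Review bot: The new Polaris step is handed `GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}` even though the only features that would use it, `polaris_automation_fixpr` and `polaris_automation_prcomment`, are commented out under "Waiting for automation", so a long-lived PAT is exposed to a step that has no use for it; remove that input until the automation is switched on, and re-add it together with the matching `permissions:` entry. The step also pins `synopsys-sig/synopsys-action@main`, so the mutable-reference concern raised on the Black Duck step applies here as well. Finally, the file now ends without a trailing newline (`\ No newline at end of file`), which yamllint flags and which makes every later append to this block show up as a two-line change.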
@@ -42,9 +42,9 @@ jobs:
 polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }}
 polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }}
- polaris_application_name: ${{ POLARIS_APPLICATION_NAME }}
- polaris_project_name: ${{ POLARIS_PROJECT_NAME }}
- polaris_assessment_types: ${{ POLARIS_ASSESSMENT_TYPES }}
+ polaris_application_name: ${{ vars.POLARIS_APPLICATION_NAME }}
+ polaris_project_name: ${{ vars.POLARIS_PROJECT_NAME }}
+ polaris_assessment_types: ${{ vars.POLARIS_ASSESSMENT_TYPES }}
 # Waiting for automation
 #polaris_automation_fixpr: false
 #polaris_automation_prcomment: true

From a352193f47e90f402b258f6f629816f9744ddece Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Tue, 25 Apr 2023 19:51:20 +0900
Subject: [PATCH 32/40] CI test with CNC

---
 .github/workflows/synopsys-ast.yml | 63 +++++++++++++++++++-----------
 1 file changed, 40 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/synopsys-ast.yml b/.github/workflows/synopsys-ast.yml
index 35edbb5e..faa0d0b4 100644
--- a/.github/workflows/synopsys-ast.yml
+++ b/.github/workflows/synopsys-ast.yml
@@ -16,39 +16,56 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v3
- - name: Synopsys Action Black Duck
- uses: synopsys-sig/synopsys-action@main
- with:
- GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
+ #- name: Synopsys Action Black Duck
+ # uses: synopsys-sig/synopsys-action@main
+ # with:
+ # GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
- blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
- blackduck_url: ${{ secrets.BLACKDUCK_URL }}
- blackduck_scan_full: false
- blackduck_automation_fixpr: false
- blackduck_automation_prcomment: true
+ # blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
+ # blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+ # blackduck_scan_full: false
+ # blackduck_automation_fixpr: false
+ # blackduck_automation_prcomment: true
 # Optional parameter, but usually specified - the location of the Synopsys Bridge software
 # The Synopsys Bridge software distribution is platform specific - this must match the host OS
 # of your runner. For example in this case, we are using the latest version for Linux.
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
- env:
- DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
- DETECT_PROJECT_VERSION_NAME: demo-dev
- BLACKDUCK_TRUST_CERT: true
+ # env:
+ # DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
+ # DETECT_PROJECT_VERSION_NAME: demo-dev
+ # BLACKDUCK_TRUST_CERT: true
 #DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT
- - name: Synopsys Action Polaris
- uses: synopsys-sig/synopsys-action@main
- with:
- GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
+ #- name: Synopsys Action Polaris
+ # uses: synopsys-sig/synopsys-action@main
+ # with:
+ # GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
- polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }}
- polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }}
- polaris_application_name: ${{ vars.POLARIS_APPLICATION_NAME }}
- polaris_project_name: ${{ vars.POLARIS_PROJECT_NAME }}
- polaris_assessment_types: ${{ vars.POLARIS_ASSESSMENT_TYPES }}
+ # polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }}
+ # polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+ # polaris_application_name: ${{ vars.POLARIS_APPLICATION_NAME }}
+ # polaris_project_name: ${{ vars.POLARIS_PROJECT_NAME }}
+ # polaris_assessment_types: ${{ vars.POLARIS_ASSESSMENT_TYPES }}
 # Waiting for automation
 #polaris_automation_fixpr: false
 #polaris_automation_prcomment: true
 # Optional parameter, but usually specified - the location of the Synopsys Bridge software
 # The Synopsys Bridge software distribution is platform specific - this must match the host OS
 # of your runner. For example in this case, we are using the latest version for Linux.
- #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
\ No newline at end of file
+ #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
+ - name: Synopsys Action Coverity
+ uses: synopsys-sig/synopsys-action@main
+ with:
+ GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
+
+ coverity_url: ${{ secrets.COVERITY_URL }}
+ coverity_user: ${{ secrets.COVERITY_USER }}
+ coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
+ coverity_project_name: ${{ vars.COVERITY_PROJECT_NAME }}
+ coverity_stream_name: ${{ github.event.repository.name }}
+ # Optionally you may specify the ID number of a saved view to apply as a "break the build" policy.
+ # If any defects are found within this view when applied to the project, the build will be failed
+ # with an exit code.
+ #coverity_policy_view: 100001
+ # Below fields are optional
+ #coverity_repository_name: ${{ secrets.COVERITY_REPOSITORY_NAME }}
+ #coverity_branch_name: ${{ secrets.COVERITY_BRANCH_NAME }}

From 61ab314ce779a04b77850dc17adc252fc9ea41b3 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Wed, 26 Apr 2023 10:20:18 +0900
Subject: [PATCH 33/40] a few changes following a sample template

---
 .github/workflows/synopsys-ast.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/synopsys-ast.yml b/.github/workflows/synopsys-ast.yml
index faa0d0b4..9b36df70 100644
--- a/.github/workflows/synopsys-ast.yml
+++ b/.github/workflows/synopsys-ast.yml
@@ -12,7 +12,7 @@ on:
 jobs:
 build:
- runs-on: [self-hosted]
+ runs-on: ubuntu-latest
 steps:
 - name: Checkout
 uses: actions/checkout@v3
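Review bot: The Black Duck and Polaris steps are switched off by commenting out roughly thirty-five lines, and this file then flips the same blocks back and forth in PATCH 39 and PATCH 40; a guarded step is easier to read and review than a commented block, e.g. `if: vars.RUN_BLACKDUCK == 'true'` on the step (the variable name is illustrative), or one job per tool. The new Coverity step reuses the `GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}` pattern, so a personal token plus `secrets.COVERITY_PASSPHRASE` now go to a third step; a short comment on why the PAT is required, or a switch to the workflow's own `secrets.GITHUB_TOKEN` as PATCH 33 later does, would help. The trailing `#coverity_policy_view: 100001` is the only place a break-the-build policy is mentioned; if the intent is to fail on new defects, that line deserves a real value rather than a commented sample.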
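Review bot: Moving `runs-on` from `[self-hosted]` to `ubuntu-latest` also moves the scan traffic into GitHub-hosted IP space; if `COVERITY_URL`, `BLACKDUCK_URL` or `POLARIS_SERVER_URL` sit behind a corporate allowlist, the hosted runner will not reach them, so either allowlist GitHub's published runner ranges for those endpoints or keep a dedicated self-hosted runner for this job. If the `on:` block (outside this hunk) includes `pull_request`, the hosted runner is also an isolation gain, since PR workflows no longer run on a persistent machine; that is worth stating in the commit message so the change is not reverted casually.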
@@ -53,15 +53,15 @@ jobs:
 # of your runner. For example in this case, we are using the latest version for Linux.
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
 - name: Synopsys Action Coverity
- uses: synopsys-sig/synopsys-action@main
+ uses: synopsys-sig/synopsys-action@v1.1.0
 with:
- GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
 coverity_url: ${{ secrets.COVERITY_URL }}
 coverity_user: ${{ secrets.COVERITY_USER }}
 coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
 coverity_project_name: ${{ vars.COVERITY_PROJECT_NAME }}
- coverity_stream_name: ${{ github.event.repository.name }}
+ coverity_stream_name: ${{ github.event.repository.name }}-${{ github.base_ref }}
 # Optionally you may specify the ID number of a saved view to apply as a "break the build" policy.
 # If any defects are found within this view when applied to the project, the build will be failed
 # with an exit code.

From 8b6b37bfa35eb2f6264c03da58766e4fd141aab9 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Wed, 26 Apr 2023 10:53:31 +0900
Subject: [PATCH 34/40] Added actions java to resolve dependency issues

---
 .github/workflows/synopsys-ast.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/synopsys-ast.yml b/.github/workflows/synopsys-ast.yml
index 9b36df70..239a1554 100644
--- a/.github/workflows/synopsys-ast.yml
+++ b/.github/workflows/synopsys-ast.yml
@@ -16,6 +16,12 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v3
+ - name: Setup Java JDK
+ uses: actions/setup-java@v3
+ with:
+ java-version: 8
+ distribution: microsoft
+ cache: maven
 #- name: Synopsys Action Black Duck
 # uses: synopsys-sig/synopsys-action@main
 # with:

From c284a08b87d7bd30e087db7740f882dfe6afb65f Mon Sep 17 00:00:00 2001
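Review bot: `coverity_stream_name: ${{ github.event.repository.name }}-${{ github.base_ref }}` only produces a useful name for pull-request events; `github.base_ref` is empty on `push`, so pushes would land in a stream literally named `<repo>-` with a trailing hyphen, separate from the PR streams. Use a fallback such as `coverity_stream_name: ${{ github.event.repository.name }}-${{ github.base_ref || github.ref_name }}` so both event types map to the branch they target. Whether this workflow fires on `push` at all is decided by the `on:` block outside the hunk.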
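Review bot: `distribution: microsoft` paired with `java-version: 8` is unlikely to resolve: to my knowledge the Microsoft Build of OpenJDK publishes 11 and later only, so setup-java should fail to find a matching package (PATCH 36 later bumps to 11, which is presumably why). If the project genuinely needs Java 8, `distribution: temurin` provides it; otherwise the later bump is the right fix. Quoting the version, `java-version: "8"`, also keeps it a string, which is the safer form for version-like YAML scalars.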
From: Makoto Koishi
Date: Wed, 26 Apr 2023 10:54:55 +0900
Subject: [PATCH 35/40] Added actions java to resolve dependency issues attempt-2

---
 .github/workflows/synopsys-ast.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/synopsys-ast.yml b/.github/workflows/synopsys-ast.yml
index 239a1554..e32c5982 100644
--- a/.github/workflows/synopsys-ast.yml
+++ b/.github/workflows/synopsys-ast.yml
@@ -17,11 +17,11 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v3
 - name: Setup Java JDK
- uses: actions/setup-java@v3
- with:
- java-version: 8
- distribution: microsoft
- cache: maven
+ uses: actions/setup-java@v3
+ with:
+ java-version: 8
+ distribution: microsoft
+ cache: maven
 #- name: Synopsys Action Black Duck
 # uses: synopsys-sig/synopsys-action@main
 # with:

From 67bf1986b14ea20a515831c8ec94a0eddc8e4c78 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Wed, 26 Apr 2023 10:56:26 +0900
Subject: [PATCH 36/40] Added actions java and appont java 11

---
 .github/workflows/synopsys-ast.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/synopsys-ast.yml b/.github/workflows/synopsys-ast.yml
index e32c5982..d797dcb3 100644
--- a/.github/workflows/synopsys-ast.yml
+++ b/.github/workflows/synopsys-ast.yml
@@ -19,7 +19,7 @@ jobs:
 - name: Setup Java JDK
 uses: actions/setup-java@v3
 with:
- java-version: 8
+ java-version: 11
 distribution: microsoft
 cache: maven
 #- name: Synopsys Action Black Duck

From 1ec0f920762f2c0a388ee5b6cc46a886517cda91 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Wed, 26 Apr 2023 11:16:05 +0900
Subject: [PATCH 37/40] Added a step to resolve dependency to gzip

---
 .github/workflows/synopsys-ast.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/synopsys-ast.yml b/.github/workflows/synopsys-ast.yml
index d797dcb3..b9e48c65 100644
--- a/.github/workflows/synopsys-ast.yml
+++ b/.github/workflows/synopsys-ast.yml
@@ -22,6 +22,10 @@ jobs:
 java-version: 11
 distribution: microsoft
 cache: maven
+ - name: Install tools
+ run: |
+ sudo apt-get update
+ sudo apt-get install gzip
 #- name: Synopsys Action Black Duck
 # uses: synopsys-sig/synopsys-action@main
 # with:

From 5a31dec5c30a541fe69d02da7a29ddebeba4a918 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Wed, 26 Apr 2023 12:27:55 +0900
Subject: [PATCH 38/40] Rever the change for atp-get gzip bc unncessesary

---
 .github/workflows/synopsys-ast.yml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/.github/workflows/synopsys-ast.yml b/.github/workflows/synopsys-ast.yml
index b9e48c65..d797dcb3 100644
--- a/.github/workflows/synopsys-ast.yml
+++ b/.github/workflows/synopsys-ast.yml
@@ -22,10 +22,6 @@ jobs:
 java-version: 11
 distribution: microsoft
 cache: maven
- - name: Install tools
- run: |
- sudo apt-get update
- sudo apt-get install gzip
 #- name: Synopsys Action Black Duck
 # uses: synopsys-sig/synopsys-action@main
 # with:

From fa1955e0173c8193191e4bfabb0502e35ad49930 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Fri, 28 Apr 2023 12:06:47 +0900
Subject: [PATCH 39/40] Polaris test

---
 .github/workflows/synopsys-ast.yml | 38 +++++++++++++++---------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/synopsys-ast.yml b/.github/workflows/synopsys-ast.yml
index d797dcb3..0863d384 100644
--- a/.github/workflows/synopsys-ast.yml
+++ b/.github/workflows/synopsys-ast.yml
@@ -25,7 +25,7 @@ jobs:
 #- name: Synopsys Action Black Duck
 # uses: synopsys-sig/synopsys-action@main
 # with:
- # GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
+ # github_token: ${{ secrets.GITHUB_TOKEN }}
 # blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
 # blackduck_url: ${{ secrets.BLACKDUCK_URL }}
@@ -41,16 +41,16 @@ jobs:
 # DETECT_PROJECT_VERSION_NAME: demo-dev
 # BLACKDUCK_TRUST_CERT: true
 #DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT
- #- name: Synopsys Action Polaris
- # uses: synopsys-sig/synopsys-action@main
- # with:
- # GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
+ - name: Synopsys Action Polaris
+ uses: synopsys-sig/synopsys-action@main
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
- # polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }}
- # polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }}
- # polaris_application_name: ${{ vars.POLARIS_APPLICATION_NAME }}
- # polaris_project_name: ${{ vars.POLARIS_PROJECT_NAME }}
- # polaris_assessment_types: ${{ vars.POLARIS_ASSESSMENT_TYPES }}
+ polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }}
+ polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+ polaris_application_name: ${{ vars.POLARIS_APPLICATION_NAME }}
+ polaris_project_name: ${{ vars.POLARIS_PROJECT_NAME }}
+ polaris_assessment_types: ${{ vars.POLARIS_ASSESSMENT_TYPES }}
 # Waiting for automation
 #polaris_automation_fixpr: false
 #polaris_automation_prcomment: true
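Review bot: The re-enabled step receives `github_token: ${{ secrets.GITHUB_TOKEN }}` with no `permissions:` block in view, so the token carries whatever the repository's default workflow permissions grant, which on older repositories is read/write across the board. Add an explicit least-privilege block at the workflow or job level — `permissions:`, `contents: read`, `pull-requests: write` — and keep the write scope only while `polaris_automation_prcomment` is actually enabled (it is still commented out here). The `permissions:` key belongs near the top of the file or under `build:`, both outside this hunk.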
@@ -58,16 +58,16 @@ jobs:
 # The Synopsys Bridge software distribution is platform specific - this must match the host OS
 # of your runner. For example in this case, we are using the latest version for Linux.
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
- - name: Synopsys Action Coverity
- uses: synopsys-sig/synopsys-action@v1.1.0
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
+ #- name: Synopsys Action Coverity
+ # uses: synopsys-sig/synopsys-action@v1.1.0
+ # with:
+ # github_token: ${{ secrets.GITHUB_TOKEN }}
- coverity_url: ${{ secrets.COVERITY_URL }}
- coverity_user: ${{ secrets.COVERITY_USER }}
- coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
- coverity_project_name: ${{ vars.COVERITY_PROJECT_NAME }}
- coverity_stream_name: ${{ github.event.repository.name }}-${{ github.base_ref }}
+ # coverity_url: ${{ secrets.COVERITY_URL }}
+ # coverity_user: ${{ secrets.COVERITY_USER }}
+ # coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
+ # coverity_project_name: ${{ vars.COVERITY_PROJECT_NAME }}
+ # coverity_stream_name: ${{ github.event.repository.name }}-${{ github.base_ref }}
 # Optionally you may specify the ID number of a saved view to apply as a "break the build" policy.
 # If any defects are found within this view when applied to the project, the build will be failed
 # with an exit code.

From cbdd57a689dfb5c3e92881058b4b95e8ccd6f58e Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Mon, 1 May 2023 09:49:10 +0900
Subject: [PATCH 40/40] Enabled BD scan with no project and version

---
 .github/workflows/synopsys-ast.yml | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/synopsys-ast.yml b/.github/workflows/synopsys-ast.yml
index 0863d384..1bdb9a78 100644
--- a/.github/workflows/synopsys-ast.yml
+++ b/.github/workflows/synopsys-ast.yml
@@ -22,24 +22,24 @@ jobs:
 java-version: 11
 distribution: microsoft
 cache: maven
- #- name: Synopsys Action Black Duck
- # uses: synopsys-sig/synopsys-action@main
- # with:
- # github_token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Synopsys Action Black Duck
+ uses: synopsys-sig/synopsys-action@v1.2.0
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
- # blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
- # blackduck_url: ${{ secrets.BLACKDUCK_URL }}
- # blackduck_scan_full: false
- # blackduck_automation_fixpr: false
- # blackduck_automation_prcomment: true
+ blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }}
+ blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+ blackduck_scan_full: false
+ blackduck_automation_fixpr: false
+ blackduck_automation_prcomment: true
 # Optional parameter, but usually specified - the location of the Synopsys Bridge software
 # The Synopsys Bridge software distribution is platform specific - this must match the host OS
 # of your runner. For example in this case, we are using the latest version for Linux.
 #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}
- # env:
+ env:
 # DETECT_PROJECT_NAME: ${{ vars.BLACKDUCK_PROJECT }}
 # DETECT_PROJECT_VERSION_NAME: demo-dev
- # BLACKDUCK_TRUST_CERT: true
+ BLACKDUCK_TRUST_CERT: true
 #DETECT_BLACKDUCK_RAPID_COMPARE_MODE: BOM_COMPARE_STRICT
 - name: Synopsys Action Polaris
 uses: synopsys-sig/synopsys-action@main
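Review bot: `BLACKDUCK_TRUST_CERT: true` is un-commented together with the step, which tells Detect to accept whatever certificate `BLACKDUCK_URL` presents; since the same step sends `secrets.BLACKDUCK_API_TOKEN` to that URL, a spoofed endpoint on the runner's network path could capture the token. Prefer importing the server's CA into the runner's trust store (or a publicly trusted certificate on the server) and dropping the variable, or at least record why it is needed: `# TRUST_CERT: self-signed BD server cert; replace with CA import before relying on this scan`. `synopsys-sig/synopsys-action@v1.2.0` is an improvement over `@main`, but a tag can still be moved; a full commit SHA with the version in a trailing comment is the immutable form, and the Polaris step at the end of the hunk is still on `@main`. `env:` now has one live child and two commented ones, which is valid YAML but easy to misread as an empty mapping.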