From bd8009ad017cf0fce216b2a3cf47fef07078032a Mon Sep 17 00:00:00 2001
From: "m.semalaiappan"
Date: Mon, 19 Feb 2024 11:18:16 -0600
Subject: [PATCH 1/4] Security Vulnerability Check on Release Tags
---
 ...ty Vulnerability Check on Release Tags.yml | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 .github/workflows/Security Vulnerability Check on Release Tags.yml
diff --git a/.github/workflows/Security Vulnerability Check on Release Tags.yml b/.github/workflows/Security Vulnerability Check on Release Tags.yml
new file mode 100644
index 0000000000..35500d6b6a
--- /dev/null
+++ b/.github/workflows/Security Vulnerability Check on Release Tags.yml
@@ -0,0 +1,57 @@
+# SPDX-License-Identifier: Apache-2.0
+# Licensed to the Ed-Fi Alliance under one or more agreements.
+# The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
+# See the LICENSE and NOTICES files in the project root for more information.
+
+name: Security Vulnerability Check on Release Tags
+
+on:
+ schedule:
+ - cron: '0 0 * * *'
+ pull_request:
+ branches: [main]
+
+env:
+ EDFI_ODS_IMP_TOKEN: ${{ secrets.REPO_DISPATCH_TOKEN }}
+ REPOSITORY_OWNER: ${{ GITHUB.REPOSITORY_OWNER }}
+jobs:
+ Security-Vulnerability-Check-Each-Release-Tag:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ tag: ["v5.3-patch5","v6.1-patch3","v7.1-patch1"]
+ name: ${{ matrix.tag }} Security-Vulnerabilities Check
+
+ steps:
+ - name: Checkout Ed-Fi-ODS
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+ with:
+ repository: Ed-Fi-Alliance-OSS/Ed-Fi-ODS
+ path: Ed-Fi-ODS/
+ ref: ${{ matrix.tag }}
+ - name: Execute vulnerability
+ working-directory: ./Ed-Fi-ODS/
+ run: |
+ $slnFiles = Get-ChildItem -Path . -Filter "*.sln" -Recurse | Where-Object { $_.Name -ne "EdFi.ProjectTemplates.sln" }
+
+ foreach ($file in $slnFiles) {
+ dotnet restore $file.FullName | Out-Null
+ dotnet list $file.FullName package --vulnerable 2>&1 | Tee-Object -FilePath "build.log" -Append | Out-Null
+ }
+
+ # Analyze dotnet list package command log output
+ $logContent = Get-Content -Path "build.log" -Raw
+
+ # Check for vulnerabilities in the log output
+ if ($logContent -match "critical|high|moderate") {
+ Write-Error "Security Vulnerabilities found"
+ exit 1
+ }
+ shell: pwsh
+ - name: Upload vulnerability Artifacts
+ if: success() || failure()
+ uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
+ with:
+ name: vulnerability-report-${{ matrix.tag }}-Artifacts
+ path: ${{ github.workspace }}/Ed-Fi-ODS/build.log
\ No newline at end of file
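Review bot: In the `Execute vulnerability` step's `run` block, a failed `dotnet restore` or `dotnet list package` is never detected — both are piped to `Out-Null`, `$LASTEXITCODE` is not inspected, and a tool error leaves build.log without the severity words, so the `-match` check reports a clean result for a tag that was never actually scanned. Checking the exit code after each native call (fence below) turns that into a hard failure; this assumes `dotnet list package --vulnerable` returns non-zero only on tool failure rather than on findings, which should be verified against the SDK the runner provides. The match `"critical|high|moderate"` is also loose: it fires on any package or project name containing those words and never flags `Low`, so if the SDK supports `dotnet list package --vulnerable --format json`, matching the parsed severity field would be more precise. Separately, the workflow declares no `permissions:` block; since it only reads a public repository and uploads an artifact, a top-level `permissions:` with `contents: read` would scope the default GITHUB_TOKEN to what the job needs.
```yaml
        run: |
          # … unchanged: $slnFiles discovery …
          foreach ($file in $slnFiles) {
            dotnet restore $file.FullName | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "dotnet restore failed for $($file.FullName) (exit $LASTEXITCODE)" }
            dotnet list $file.FullName package --vulnerable 2>&1 | Tee-Object -FilePath "build.log" -Append | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "dotnet list package failed for $($file.FullName) (exit $LASTEXITCODE)" }
          }
          # … unchanged: log analysis and severity check …
```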
From 47d64aa5f7aa0a9bb118a1714bd0b996e07959ce Mon Sep 17 00:00:00 2001
From: "m.semalaiappan"
Date: Tue, 20 Feb 2024 22:40:12 -0600
Subject: [PATCH 2/4] Review Comments CodeFix
---
 .../Security Vulnerability Check on Release Tags.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/Security Vulnerability Check on Release Tags.yml b/.github/workflows/Security Vulnerability Check on Release Tags.yml
index 35500d6b6a..bdb13e4e5a 100644
--- a/.github/workflows/Security Vulnerability Check on Release Tags.yml
+++ b/.github/workflows/Security Vulnerability Check on Release Tags.yml
@@ -11,16 +11,13 @@ on:
 pull_request:
 branches: [main]
-env:
- EDFI_ODS_IMP_TOKEN: ${{ secrets.REPO_DISPATCH_TOKEN }}
- REPOSITORY_OWNER: ${{ GITHUB.REPOSITORY_OWNER }}
 jobs:
 Security-Vulnerability-Check-Each-Release-Tag:
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
 matrix:
- tag: ["v5.3-patch5","v6.1-patch3","v7.1-patch1"]
+ tag: ["v5.3"]
 name: ${{ matrix.tag }} Security-Vulnerabilities Check
 steps:
From e4541bd9238df993706962be44e0d09db867c3a4 Mon Sep 17 00:00:00 2001
From: "m.semalaiappan"
Date: Tue, 20 Feb 2024 22:47:09 -0600
Subject: [PATCH 3/4] Temparory Change - Removed
---
 .../workflows/Security Vulnerability Check on Release Tags.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/Security Vulnerability Check on Release Tags.yml b/.github/workflows/Security Vulnerability Check on Release Tags.yml
index bdb13e4e5a..27f2712360 100644
--- a/.github/workflows/Security Vulnerability Check on Release Tags.yml
+++ b/.github/workflows/Security Vulnerability Check on Release Tags.yml
@@ -17,7 +17,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- tag: ["v5.3"]
+ tag: ["v5.3-patch5","v6.1-patch3","v7.1-patch1"]
 name: ${{ matrix.tag }} Security-Vulnerabilities Check
 steps:
From 9470cea014a92e05e029038650839076828a9e1b Mon Sep 17 00:00:00 2001
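Review bot: The `tag:` matrix line, both as rewritten in this hunk and as restored by PATCH 3/4, is a flow sequence with no space after the commas (`["v5.3-patch5","v6.1-patch3","v7.1-patch1"]`), which yamllint's `commas` rule rejects and which diffs poorly as entries are added or retired; a block sequence with one tag per line reads and diffs more cleanly. The list is maintained by hand and nothing on the page ties it to a release process, so a comment above it stating the obligation would help, e.g. `# One entry per currently supported Ed-Fi-ODS release tag; update when a new patch release ships`. Narrowing the matrix to `["v5.3"]` here and reverting it in the next commit looks like a local test change that rode along with the env-block removal, so squashing the two commits would keep the history clean.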
From: "m.semalaiappan"
Date: Tue, 20 Feb 2024 22:48:17 -0600
Subject: [PATCH 4/4] pull_request Removed & workflow_dispatch Added
---
 .../Security Vulnerability Check on Release Tags.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/Security Vulnerability Check on Release Tags.yml b/.github/workflows/Security Vulnerability Check on Release Tags.yml
index 27f2712360..a8031b50c5 100644
--- a/.github/workflows/Security Vulnerability Check on Release Tags.yml
+++ b/.github/workflows/Security Vulnerability Check on Release Tags.yml
@@ -7,9 +7,8 @@ name: Security Vulnerability Check on Release Tags
 on:
 schedule:
- - cron: '0 0 * * *'
- pull_request:
- branches: [main]
+ - cron: '0 0 * * *'
+ workflow_dispatch:
 jobs:
 Security-Vulnerability-Check-Each-Release-Tag:
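Review bot: The `- cron: '0 0 * * *'` line is removed and re-added with identical visible content, which suggests a whitespace-only re-indentation rode along with the trigger swap; the collapsed diff hides the indentation, so confirm the sequence under `schedule:` is indented consistently with the rest of the file (yamllint `indent-sequences`). A short comment above `schedule:` would document the intent, since GitHub evaluates cron expressions in UTC: `# Daily at 00:00 UTC; can also be run on demand via workflow_dispatch`. With `pull_request` dropped, edits to this workflow file are no longer exercised before merge; that is reasonable for a scan of fixed release tags, but a manual `workflow_dispatch` run from the PR branch before merging would be worth noting in the description.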