From 293391c9942c0ca03b4c69e2fe6e243a6dc123d0 Mon Sep 17 00:00:00 2001 From: "Calvin A. Allen" Date: Thu, 21 Nov 2024 15:50:31 -0500 Subject: [PATCH] Add FOSSA integration (#21) * Add FOSSA integration * Don't scan on PRs --- .github/workflows/build_image.yml | 48 ++++++++++++++--------------- .github/workflows/publish_image.yml | 15 ++++----- Dockerfile | 13 ++++++++ 3 files changed, 45 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/build_image.yml b/.github/workflows/build_image.yml
index 25f6a98..f969b91 100644
--- a/.github/workflows/build_image.yml
+++ b/.github/workflows/build_image.yml
@@ -1,34 +1,34 @@ name: Build the Docker Image on: - pull_request: - types: [ opened, reopened, synchronize ] - branches: - - main + pull_request: + types: [opened, reopened, synchronize] + branches: + - main env: - REGISTRY: ghcr.io - IMAGE_NAME: ${{ github.repository }} + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} jobs: - build-image: - runs-on: ubuntu-latest + build-image: + runs-on: ubuntu-latest - permissions: write-all + permissions: write-all - steps: - - name: Checkout repository - uses: actions/checkout@v4 + steps: + - name: Checkout repository + uses: actions/checkout@v4 - - name: Build Docker image - id: push - uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 - with: - context: . - push: false - build-args: | - BROWSER_LICENSE_KEY=${{ secrets.BROWSER_LICENSE_KEY }} - BROWSER_ACCOUNT_ID=${{ secrets.BROWSER_ACCOUNT_ID }} - BROWSER_TRUST_KEY=${{ secrets.BROWSER_TRUST_KEY }} - BROWSER_AGENT_ID=${{ secrets.BROWSER_AGENT_ID }} - BROWSER_APPLICATION_ID=${{ secrets.BROWSER_APPLICATION_ID }} + - name: Build Docker image + id: push + uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 + with: + context: . + push: false + build-args: | + BROWSER_LICENSE_KEY=${{ secrets.BROWSER_LICENSE_KEY }} + BROWSER_ACCOUNT_ID=${{ secrets.BROWSER_ACCOUNT_ID }} + BROWSER_TRUST_KEY=${{ secrets.BROWSER_TRUST_KEY }} + BROWSER_AGENT_ID=${{ secrets.BROWSER_AGENT_ID }} + BROWSER_APPLICATION_ID=${{ secrets.BROWSER_APPLICATION_ID }} diff --git a/.github/workflows/publish_image.yml b/.github/workflows/publish_image.yml index ce6cb1e..1700792 100644 --- a/.github/workflows/publish_image.yml +++ b/.github/workflows/publish_image.yml 
@@ -42,13 +42,14 @@ jobs: labels: ${{ steps.meta.outputs.labels }} github-token: ${{ secrets.GITHUB_TOKEN }} build-args: | - BROWSER_LICENSE_KEY=${{ secrets.BROWSER_LICENSE_KEY }} - BROWSER_ACCOUNT_ID=${{ secrets.BROWSER_ACCOUNT_ID }} - BROWSER_TRUST_KEY=${{ secrets.BROWSER_TRUST_KEY }} - BROWSER_AGENT_ID=${{ secrets.BROWSER_AGENT_ID }} - BROWSER_APPLICATION_ID=${{ secrets.BROWSER_APPLICATION_ID }} - NEW_RELIC_METADATA_COMMIT=${{ github.sha }} - NEW_RELIC_METADATA_RELEASE_TAG=${{ github.ref_name }} + BROWSER_LICENSE_KEY=${{ secrets.BROWSER_LICENSE_KEY }} + BROWSER_ACCOUNT_ID=${{ secrets.BROWSER_ACCOUNT_ID }} + BROWSER_TRUST_KEY=${{ secrets.BROWSER_TRUST_KEY }} + BROWSER_AGENT_ID=${{ secrets.BROWSER_AGENT_ID }} + BROWSER_APPLICATION_ID=${{ secrets.BROWSER_APPLICATION_ID }} + FOSSA_API_KEY=${{ secrets.FOSSA_API_KEY }} + NEW_RELIC_METADATA_COMMIT=${{ github.sha }} + NEW_RELIC_METADATA_RELEASE_TAG=${{ github.ref_name }} - name: Generate artifact attestation uses: actions/attest-build-provenance@v1 diff --git a/Dockerfile b/Dockerfile index aa05d97..1faa600 100644 --- a/Dockerfile +++ b/Dockerfile 
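Review bot: `FOSSA_API_KEY=${{ secrets.FOSSA_API_KEY }}` is added under `build-args`, and build arguments are not a secret channel: they are recorded in the image build history and can surface in exported cache or provenance metadata. The Dockerfile hunk in this same patch then copies the value into `ENV FOSSA_API_KEY`, so it is also baked into every later layer of the build stage. The action's `secrets` input is the fitting mechanism, e.g. `secrets: |` with `fossa_api_key=${{ secrets.FOSSA_API_KEY }}`, read in the Dockerfile through `RUN --mount=type=secret,id=fossa_api_key ...` instead of `ARG`/`ENV`. The same applies to any of the existing `BROWSER_*` values that are meant to stay private; the step this `with:` block belongs to starts above the hunk.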
@@ -29,16 +29,29 @@ ARG BROWSER_ACCOUNT_ID ARG BROWSER_TRUST_KEY ARG BROWSER_AGENT_ID ARG BROWSER_APPLICATION_ID +ARG FOSSA_API_KEY ENV BROWSER_LICENSE_KEY=$BROWSER_LICENSE_KEY ENV BROWSER_ACCOUNT_ID=$BROWSER_ACCOUNT_ID ENV BROWSER_TRUST_KEY=$BROWSER_TRUST_KEY ENV BROWSER_AGENT_ID=$BROWSER_AGENT_ID ENV BROWSER_APPLICATION_ID=$BROWSER_APPLICATION_ID +ENV FOSSA_API_KEY=$FOSSA_API_KEY RUN --mount=type=cache,target=/root/.gradle ./gradlew downloadNewRelicAgent --console=plain --info --no-daemon --no-watch-fs RUN --mount=type=cache,target=/root/.gradle ./gradlew build --console=plain --info --no-daemon --no-watch-fs +RUN if [ -z "$FOSSA_API_KEY" ] ; then \ + echo --SKIPPING FOSSA CLI DOWNLOAD ; \ + else \ + curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash; \ + fi +RUN if [ -z "$FOSSA_API_KEY" ] ; then \ + echo --SKIPPING FOSSA SCAN ; \ + else \ + fossa analyze; \ + fi + FROM base AS final WORKDIR /app COPY --from=build /src/build/libs/petclinic-backend-1.0.0.jar .
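Review bot: The added install step pipes `install-latest.sh` from the `master` branch of fossas/fossa-cli straight into `bash`, so each release build executes whatever that branch contains at build time, with `FOSSA_API_KEY` present in the environment and no integrity check on the script. `curl` is called without `-f` and the pipe runs without `pipefail`, so an HTTP error body or a truncated download is still handed to the shell. Download a pinned script or release to a file, verify it against a SHA-256 recorded in the Dockerfile, and only then run it, e.g. `curl -fsSL -o /tmp/install-fossa.sh <pinned-script-url>` followed by `echo "<expected-sha256>  /tmp/install-fossa.sh" | sha256sum -c -`. The empty-key branch only echoes a message, so a release built without the secret appears to skip the scan silently; if the scan is meant to gate publishing, that branch should fail the build instead.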