Skip to content
This repository has been archived by the owner on Nov 29, 2024. It is now read-only.

Commit

Permalink
chore: move state from main to fix the cve fix on release branch (#435)
Browse files Browse the repository at this point in the history
* fix: Inherit secrets and update branch retrieval for manual publish workflow (#415)

* chore: bump slackapi/slack-github-action in /.github/workflows (#416)

Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 1.26.0 to 1.27.0.
- [Release notes](https://github.com/slackapi/slack-github-action/releases)
- [Commits](slackapi/slack-github-action@v1.26.0...v1.27.0)

---
updated-dependencies:
- dependency-name: slackapi/slack-github-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Run Full CI/CD on release tag and release branch creation (#417)

* chore: Run Full CI/CD on release tag and release branch creation

* chore: Run Full CI/CD on release tag and release branch creation

* chore: Run Full CI/CD on release tag and release branch creation

---------

Co-authored-by: Rupeekshan Maheswaran <[email protected]>

* chore: Make the Image Security Scan as a part of CI workflow (#418)

* chore: add commit to manually published image tag (#422)

* chore: use github_sha variable as in other repos

* chore: Switch to wolfi to fix critical vulnerability (#421)

* chore: Switch to wolfi to fix critical vulnerability

* nl

* fix nl

* fix

* fix

* Fix manual

* needs'

* make more clear

* toolchains

* Fix

* fix: Fix job dependencies and commit hash input for scheduled scans (#424)

* fix: Improve commit hash input logic for CI versioning

* fix: Resolve job dependencies for scheduled scans

* fix: use numeric uid (#425)

* fix: Fix CVE-2024-38816 vulnerability (#426)

* fix: Fix CVE-2024-38816 vulnerability

* comment

* chore: bump joda-time:joda-time from 2.12.7 to 2.13.0 (#427)

* fix: Upgrade spring (#428)

* fix: Upgrade spring

* gradle.properties

* chore: bump chainguard/wolfi-base in /local-rest-scorer (#429)

Bumps [chainguard/wolfi-base](https://github.com/chainguard-images/images) from `0f1d816` to `b06d453`.
- [Commits](https://github.com/chainguard-images/images/commits)

---
updated-dependencies:
- dependency-name: chainguard/wolfi-base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump chainguard/wolfi-base in /local-rest-scorer (#430)

Bumps [chainguard/wolfi-base](https://github.com/chainguard-images/images) from `b06d453` to `7574456`.
- [Commits](https://github.com/chainguard-images/images/commits)

---
updated-dependencies:
- dependency-name: chainguard/wolfi-base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Upgrade Spring 3.3.4 (#432)

* feat: Migrate image registry from GAR to AWS ECR (#431)

* eat: Migrate image registry from GAR to AWS ECR

* fix

* chore: Disable release publishing to MLOps ECR (#433)

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Rupeekshan Maheswaran <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sivakajan Sivaparan <[email protected]>
  • Loading branch information
4 people authored Sep 30, 2024
1 parent 5684c60 commit 81f7746
Show file tree
Hide file tree
Showing 15 changed files with 398 additions and 331 deletions.
10 changes: 10 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,13 @@ updates:
labels:
- "type/update"
- "area/chore"

- package-ecosystem: "docker"
directory: "local-rest-scorer/"
schedule:
interval: "daily"
open-pull-requests-limit: 10
commit-message:
prefix: "chore"
labels:
- "type/update"
53 changes: 49 additions & 4 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,21 +12,66 @@ on:
tags: [ 'v[0-9]+.[0-9]+.[0-9]+' ]

jobs:
code_quality_check:
uses: ./.github/workflows/code-quality-check.yml
secrets: inherit
changed_files:
runs-on: ubuntu-latest
outputs:
modified: ${{ steps.changes.outputs.src }}
steps:
- name: Checkout
uses: actions/checkout@v4

- uses: dorny/paths-filter@v3
id: changes
with:
filters: |
src:
- .github/workflows/**
- aws-lambda-scorer/**
- aws-sagemaker-hosted-scorer/**
- aws-sagemaker-hosted-scorer-cpp/**
- common/**
- config/**
- gcp-cloud-run/**
- gcp-vertex-ai-mojo-scorer/**
- gradle/**
- hive-mojo-scorer/**
- kdb-mojo-scorer/**
- local-rest-scorer/**
- sql-jdbc-scorer/**
- build.gradle
- gradlew
- gradle.properties
setup_env:
uses: ./.github/workflows/setup-environment.yml

code_quality_check:
needs:
- changed_files
- setup_env
uses: ./.github/workflows/code-quality-check.yml
secrets: inherit
with:
if: ${{ needs.setup_env.outputs.bypass_changed_files == 'true' || needs.changed_files.outputs.modified == 'true' }}

build_image:
uses: ./.github/workflows/image-build.yml
needs:
- changed_files
- setup_env
- code_quality_check
uses: ./.github/workflows/image-build.yml
secrets: inherit
with:
component_version: ${{ needs.setup_env.outputs.component_version }}
if: ${{ needs.setup_env.outputs.bypass_changed_files == 'true' || needs.changed_files.outputs.modified == 'true' }}
# The `! failure()` condition runs when the parent jobs completed successfully or were skipped.
if: ${{ ! failure() }}

security_scan:
name: Security Scan
uses: ./.github/workflows/component-scan.yml
needs: build_image
secrets: inherit

publish_latest_from_dev_branch:
if: ${{ startsWith(github.ref, 'refs/heads/main') }}
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/code-quality-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,16 @@ name: Code Analysis

on:
workflow_call:
inputs:
if:
description: Whether to run the workflow (workaround for required status checks issue)
type: boolean
default: true

jobs:
code_quality_check:
name: Linters
if: ${{ inputs.if }}
runs-on: ubuntu-latest
steps:
- name: Checkout
Expand Down
243 changes: 243 additions & 0 deletions .github/workflows/component-scan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,243 @@
name: Security Scan

on:
workflow_call:

env:
CODE_OWNERS: '<@U047W9ULVQ9>'

jobs:
trivy_scan:
name: Trivy Scan
runs-on: ubuntu-latest
outputs:
job: ${{ steps.publish.outputs.job }}
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: image
path: /tmp

- name: Load image
run: docker load -i /tmp/image.tar

- name: Scan all the vulnerabilities and generate JSON report
if: always()
uses: aquasecurity/[email protected]
with:
image-ref: image:latest
format: 'json'
vuln-type: 'os,library'
output: 'trivy-results.json'

- name: Save vulnerabilities report in tabular format
if: always()
uses: aquasecurity/[email protected]
with:
image-ref: trivy-results.json
scan-type: convert
vuln-type: ''
format: 'table'
output: 'trivy-results.txt'

- name: Display vulnerabilities report
if: always()
uses: aquasecurity/[email protected]
with:
image-ref: trivy-results.json
scan-type: convert
vuln-type: ''

- name: Fail on high and critical vulnerabilities
if: always()
uses: aquasecurity/[email protected]
with:
image-ref: trivy-results.json
scan-type: convert
exit-code: '1'
vuln-type: ''
severity: 'HIGH,CRITICAL'

- name: Publish scan report
if: always()
id: publish
run: |
api_url="https://api.github.com/repos/h2oai/${{ github.event.repository.name }}/actions/runs/${{ github.run_id }}/jobs"
job_id=$(curl -s -H "Authorization: token ${{ github.token }}" "$api_url" | jq -r '.jobs[] | select(.name == "Security Scan / Trivy Scan") | .id')
job_url_suffix="/actions/runs/${{ github.run_id }}/job/$job_id#step:7:17"
echo "job=${job_url_suffix}" >> $GITHUB_OUTPUT
- name: Upload report for notifications
if: always()
uses: actions/upload-artifact@v4
with:
name: trivy-results
path: trivy-results.txt

prisma_scan:
name: Prisma Scan
runs-on: ubuntu-latest
outputs:
job: ${{ steps.publish.outputs.job }}
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: image
path: /tmp

- name: Load image
run: docker load -i /tmp/image.tar

- name: VPN Connection
uses: Twingate/[email protected]
with:
service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}

- name: Prisma Cloud image scan
uses: PaloAltoNetworks/[email protected]
with:
pcc_console_url: http://mr-0xz1.h2o.local:8081/
pcc_user: ${{ secrets.PCC_USER }}
pcc_pass: ${{ secrets.PCC_PASS }}
image_name: image:latest
results_file: pcc_scan_results.json

- name: Upload report for notifications
uses: actions/upload-artifact@v4
with:
name: prisma-results
path: pcc_scan_results.json

- name: Verify report results
run: |
high=$(jq '.results[0].vulnerabilityDistribution.high' pcc_scan_results.json)
critical=$(jq '.results[0].vulnerabilityDistribution.critical' pcc_scan_results.json)
if [[ $high -gt 0 || $critical -gt 0 ]]; then
exit 1
fi
echo "No high or critical vulnerabilities found."
- name: Publish scan report
if: always()
id: publish
run: |
api_url="https://api.github.com/repos/h2oai/${{ github.event.repository.name }}/actions/runs/${{ github.run_id }}/jobs"
job_id=$(curl -s -H "Authorization: token ${{ github.token }}" "$api_url" | jq -r '.jobs[] | select(.name == "Security Scan / Prisma Scan") | .id')
job_url_suffix="/actions/runs/${{ github.run_id }}/job/$job_id#step:5:18"
echo "job=${job_url_suffix}" >> $GITHUB_OUTPUT
notify:
name: Notify
needs:
- trivy_scan
- prisma_scan
if: failure()
runs-on: ubuntu-latest
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
pattern: '*-results'
merge-multiple: true

- name: Summarize the criticality count
run: |
trivy_total=0
trivy_low=0
trivy_medium=0
trivy_high=0
trivy_critical=0
while IFS= read -r line; do
if [[ $line =~ Total:\ ([0-9]+)\ \(UNKNOWN:\ [0-9]+,\ LOW:\ ([0-9]+),\ MEDIUM:\ ([0-9]+),\ HIGH:\ ([0-9]+),\ CRITICAL:\ ([0-9]+)\) ]]; then
trivy_total=$((trivy_total + ${BASH_REMATCH[1]}))
trivy_low=$((trivy_low + ${BASH_REMATCH[2]}))
trivy_medium=$((trivy_medium + ${BASH_REMATCH[3]}))
trivy_high=$((trivy_high + ${BASH_REMATCH[4]}))
trivy_critical=$((trivy_critical + ${BASH_REMATCH[5]}))
fi
done < "trivy-results.txt"
echo "TRIVY_SUMMARY='Total: $trivy_total (LOW: $trivy_low, MEDIUM: $trivy_medium, HIGH: $trivy_high, CRITICAL: $trivy_critical)'" >> $GITHUB_ENV
prisma_total=$(jq '.results[0].vulnerabilityDistribution.total' pcc_scan_results.json)
prisma_low=$(jq '.results[0].vulnerabilityDistribution.low' pcc_scan_results.json)
prisma_medium=$(jq '.results[0].vulnerabilityDistribution.medium' pcc_scan_results.json)
prisma_high=$(jq '.results[0].vulnerabilityDistribution.high' pcc_scan_results.json)
prisma_critical=$(jq '.results[0].vulnerabilityDistribution.critical' pcc_scan_results.json)
echo "PRISMA_SUMMARY='Total: $prisma_total (LOW: $prisma_low, MEDIUM: $prisma_medium, HIGH: $prisma_high, CRITICAL: $prisma_critical)'" >> $GITHUB_ENV
- name: Comment the results to the PR
if: ${{ github.event_name == 'pull_request' }}
uses: actions/github-script@v7
with:
github-token: ${{ github.token }}
script: |
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('#### Vulnerabilities have been detected')
})
const output = `#### Vulnerabilities have been detected.
\`\`\`
Trivy: ${process.env.TRIVY_SUMMARY}
Prisma: ${process.env.PRISMA_SUMMARY}
\`\`\`
@${{ github.actor }}, please review the following reports: [**Trivy**](https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.trivy_scan.outputs.job }}), [**Prisma**](https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.prisma_scan.outputs.job }})`;
if (botComment) {
github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
})
} else {
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
}
- name: Send Notification to Slack
if: ${{ startsWith(github.ref, 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/') }}
uses: slackapi/[email protected]
with:
channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
payload: |
{
"text": "Trivy Vulnerability Report",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "> *Trivy :: `${{ env.TRIVY_SUMMARY }}`*\n> *Prisma :: `${{ env.PRISMA_SUMMARY }}`*"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "${{ env.CODE_OWNERS }}, please review the following reports: <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.trivy_scan.outputs.job }}|_Trivy_>, <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.prisma_scan.outputs.job }}|_Prisma_>"
}
}
]
}
env:
SLACK_BOT_TOKEN: ${{ secrets.H2O_OPS_SLACK_BOT_TOKEN }}
17 changes: 11 additions & 6 deletions .github/workflows/image-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,19 @@ name: Build Images
on:
workflow_call:
inputs:
if:
description: Whether to run the workflow (workaround for required status checks issue)
type: boolean
default: true
component_version:
description: Gradle component version
required: true
type: string
default: true

jobs:
build:
name: Build Image
if: ${{ inputs.if }}
runs-on: ubuntu-latest
steps:
- name: Checkout
Expand All @@ -25,13 +30,13 @@ jobs:
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4

- name: Build templates
run: |
./gradlew --init-script init.gradle distributionZip
- name: Build images with Gradle Wrapper
run: |
./gradlew -Pversion=${{inputs.component_version}} --init-script init.gradle jibBuildTar -Djib.to.image=image:latest -Djib.outputPaths.tar=/tmp/image.tar
./gradlew :local-rest-scorer:build -Pversion=${{ inputs.component_version }} -x check --init-script init.gradle
docker build -t image:latest -f local-rest-scorer/Dockerfile local-rest-scorer
- name: Save docker image
run: docker save image:latest > /tmp/image.tar

- name: Save image artifact
uses: actions/upload-artifact@v4
Expand Down
Loading

0 comments on commit 81f7746

Please sign in to comment.