enh(ci): add veracode scans (#126)
sc979 authored Feb 28, 2024
1 parent 6b3c41f commit d17d086
Showing 5 changed files with 473 additions and 0 deletions.
85 changes: 85 additions & 0 deletions .github/actions/veracode-create-jira-ticket/action.yml
@@ -0,0 +1,85 @@
name: QG incident tracking
description: Create Jira ticket on Veracode QG failure

inputs:
jira_base_url:
required: true
description: jira base url
jira_user_email:
required: true
description: jira user email
jira_api_token:
required: true
description: jira api token
module_name:
required: true
description: module name

runs:
using: "composite"
steps:
- name: Check if ticket exists already
id: check_ticket
run: |
check_if_ticket_exists=$( curl --request POST \
--url '${{ inputs.jira_base_url }}/rest/api/3/search' \
--user '${{ inputs.jira_user_email }}:${{ inputs.jira_api_token }}' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{
"fields": ["summary"],
"jql": "project = MON AND parentEpic = AT-268 AND issueType = Technical AND summary ~ \"PR-${{ github.event.pull_request.number }} incident on ${{ inputs.module_name }}\" AND resolution = unresolved",
"maxResults": 1
}' | jq .issues[0].key )
if [[ "$check_if_ticket_exists" != "null" ]]; then
echo "abort_ticket_creation=true" >> $GITHUB_ENV
echo "::error::ticket found as $check_if_ticket_exists aborting ticket creation"
fi
shell: bash

- name: Create Jira Issue
if: ${{ env.abort_ticket_creation != 'true' }}
run: |
component_name="${{ inputs.module_name }}"
if [[ "${{ inputs.module_name }}" == "centreon" ]]; then
component_name="centreon-web"
fi
DATA=$( cat <<-EOF
{
"fields": {
"summary": "PR-${{ github.event.pull_request.number }} incident on ${{ inputs.module_name }}",
"project": {"key": "MON"},
"issuetype": {"id": "10209"},
"parent": {"id": "83818", "key": "AT-268"},
"labels": ["Veracode", "Pipeline"],
"components":[{"name": "$component_name"}],
"customfield_10902": {"id": "10524", "value": "DevSecOps"},
"customfield_10005": 1.0,
"description": {"version": 1,"type": "doc","content": [
{"type": "paragraph","content": [{"type": "text","text": "This incident ticket relates to:"}]},
{"type": "bulletList","content": [
{"type": "listItem","content": [{"type": "paragraph","content": [{"type": "text","text": "Ref: "},{"type": "text","text": "PR-${{ github.event.pull_request.number }}","marks": [{"type": "link","attrs": {"href": "${{ github.event.pull_request.html_url }}"}}]}]}]}
]},
{"type": "paragraph","content": []},
{"type": "bulletList","content": [
{"type": "listItem","content": [{"type": "paragraph","content": [{"type": "text","text": "Target: "},{"type": "text","text": "${{ github.base_ref || github.ref_name }}","marks": [{"type": "strong"}]}]}]},
{"type": "listItem","content": [{"type": "paragraph","content": [{"type": "text","text": "Link to the job","marks": [{"type": "link","attrs": {"href": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"}}]}]}]}
]},
{"type": "paragraph","content": []}
]}
}
}
EOF
)
create_ticket_ang_get_id=$( curl --request POST \
--url "${{ inputs.jira_base_url }}/rest/api/3/issue" \
--user "${{ inputs.jira_user_email }}:${{ inputs.jira_api_token }}" \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data "$DATA" | jq .key )
echo "::error::Incident ticket created as $create_ticket_ang_get_id"
shell: bash
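Review bot: The Jira credentials are expanded by the expression syntax straight into the script text at `--user '${{ inputs.jira_user_email }}:${{ inputs.jira_api_token }}'` (and again in the Create Jira Issue step), so the token is embedded in the rendered shell rather than read from the process environment; passing both through a step-level `env:` and referencing `"$JIRA_USER_EMAIL:$JIRA_API_TOKEN"` keeps the secret out of the script and removes the expression-interpolation surface at the same time. The existence check also cannot tell "ticket found" from "search failed": without `--fail`, a rejected or unreachable request makes `jq` print nothing, `check_if_ticket_exists` is then empty, which is not the string `null`, so creation is aborted and the log reports a ticket that was never found. Adding `--fail --silent --show-error` to the curl call and testing the pipeline's exit status separates the two outcomes. The module name and PR number are likewise spliced unescaped into the JQL string and the heredoc JSON; they are caller-controlled here, but the same `env:` route would make that explicit. The Create Jira Issue step has the same credential handling and would take the same change.
```yaml
- name: Check if ticket exists already
  id: check_ticket
  env:
    JIRA_BASE_URL: ${{ inputs.jira_base_url }}
    JIRA_USER_EMAIL: ${{ inputs.jira_user_email }}
    JIRA_API_TOKEN: ${{ inputs.jira_api_token }}
  run: |
    set -o pipefail
    check_if_ticket_exists=$( curl --fail --silent --show-error --request POST \
      --url "$JIRA_BASE_URL/rest/api/3/search" \
      --user "$JIRA_USER_EMAIL:$JIRA_API_TOKEN" \
      --header 'Accept: application/json' \
      --header 'Content-Type: application/json' \
      --data '{ … unchanged JSON search body … }' | jq .issues[0].key ) || { echo "::error::Jira search failed"; exit 1; }
    # … unchanged: the null check and abort_ticket_creation handling …
  shell: bash
```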
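--- a/.github/actions/veracode-generate-binary/action.yml
+++ b/.github/actions/veracode-generate-binary/action.yml
@@ -0,0 +1,44 @@
+name: "veracode-generate-binary"
+description: "Prepare binary to be analyzed"
+inputs:
+cache_key:
+required: true
+description: key used to identify the cache
+
+runs:
+using: "composite"
+steps:
+- name: Exclude development files
+run: |
+if [[ -f ".veracode-exclusions" ]]; then
+for LINE in $( cat .veracode-exclusions | sed 's/[^a-zA-Z0-9_./-]//g' | sed -r 's/\.\./\./g' ); do
+if [[ -d "$LINE" ]]; then
+rm -rf "$LINE"
+echo "[INFO] - folder removed from analysis : '$LINE'"
+elif [[ -e "$LINE" ]]; then
+rm -f "$LINE"
+echo "[INFO] - file removed from analysis : '$LINE'"
+elif [[ -z "$LINE" ]]; then
+echo "[INFO] - empty directive. Skipping this line"
+else
+echo "[INFO] - target to exclude not found. Skipping: '$LINE'"
+fi
+done
+else
+echo "[INFO] - No '.veracode-exclusions' file found for this module. Skipping exclusion step"
+fi
+shell: bash
+
+- name: Create zip file
+run: |
+if [[ -z "${{ inputs.cache_key }}" ]]; then
+echo "[DEBUG] - cache key is missing. killing process"
+exit 1
+fi
+zip -rq "${{ inputs.cache_key }}.zip" *
+shell: bash
+
+- uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+with:
+path: "${{ inputs.cache_key }}.zip"
+key: ${{ inputs.cache_key }}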
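Review bot: The exclusion loop deletes whatever `.veracode-exclusions` names with `rm -rf "$LINE"`, but the sanitizer does not confine entries to the workspace: the character filter keeps `/`, so an absolute path passes unchanged, and the single-pass `sed -r 's/\.\./\./g'` is not a fixpoint, so three dots collapse to two and a parent-directory reference survives. If the file comes from the checked-out repository (presumably the PR head here; the checkout step is not in this section), a guard before the `-d`/`-e` tests such as `case "$LINE" in /*|*..*) echo "[INFO] - unsafe exclusion skipped: '$LINE'"; continue;; esac` keeps deletions inside the module tree, and resolving with `realpath -m` and comparing against `$GITHUB_WORKSPACE` is stricter still. Separately, `zip -rq "${{ inputs.cache_key }}.zip" *` expands `*` without dotglob, so dot-files and dot-directories never enter the archive and are never scanned; archiving `.` instead (excluding the zip itself with `-x`) would capture them, if that is intended.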
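--- a/.github/workflows/drawio.yml
+++ b/.github/workflows/drawio.yml
@@ -0,0 +1,30 @@
+name: drawio
+concurrency:
+group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+cancel-in-progress: true
+
+on:
+workflow_dispatch:
+schedule:
+- cron: '0 1 2 * *'
+pull_request:
+paths:
+- "**"
+push:
+branches:
+- dev
+paths:
+- "**"
+
+jobs:
+veracode-analysis:
+uses: ./.github/workflows/veracode-analysis.yml
+with:
+module_name: drawio
+secrets:
+veracode_api_id: ${{ secrets.VERACODE_API_ID_BUILD }}
+veracode_api_key: ${{ secrets.VERACODE_API_KEY_BUILD }}
+veracode_srcclr_token: ${{ secrets.VERACODE_SRCCLR_TOKEN }}
+jira_base_url: ${{ secrets.JIRA_BASE_URL }}
+jira_user_email: ${{ secrets.XRAY_JIRA_USER_EMAIL }}
+jira_api_token: ${{ secrets.XRAY_JIRA_TOKEN }}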
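Review bot: The `paths:` filter `- "**"` under both `pull_request` and `push` matches every file in the repository and is therefore equivalent to no filter; if the intent is to scan only when the drawio module's sources change, the pattern needs the module's directory, otherwise the two `paths:` stanzas can be dropped. Secrets are forwarded to the reusable workflow for `pull_request` runs as well, and repository secrets are not available to workflows triggered by pull requests from forks, so such a run would reach the Veracode and Jira calls with empty credentials unless `./.github/workflows/veracode-analysis.yml` (not shown in this section) guards on the head repository. A one-line comment on the `on:` block recording which events are expected to carry secrets, e.g. `# pull_request: same-repository branches only; fork PRs run without secrets`, would make that contract visible to the next maintainer.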