Fix!: setup gradle run and allow lists #42
Conversation
cvaskinn
changed the title
cvaskinn
changed the title
.github/workflows/code-scan.yml
Outdated
| 'allowlist': { | ||
| 'required' : False, | ||
| 'type': 'list', | ||
| 'minlength': 1, |
There was a problem hiding this comment.
'minlength': 1 kan fjernes. Allowlist vil nok endre seg over tid, så det kan hende at utviklere har satt en tom allowlist fra en tid til en annen.
.github/workflows/docker-scan.yml
Outdated
| run: | | ||
| python -c " | ||
| import yaml | ||
| from cerberus import Validator | ||
| import sys | ||
| import os | ||
|
|
||
| _config_file_names = ('dockerscan.yml', 'dockerscan.yaml') | ||
| _file_location = '.entur/security' | ||
|
|
||
| schema = { | ||
| 'apiVersion': {'type': 'string', 'required': True}, |
There was a problem hiding this comment.
Sett allowed values til entur.io/securitytools/v1 (https://docs.python-cerberus.org/validation-rules.html#allowed)
README-code-scan.md
Outdated
|
|
||
| Some potential pitfalls and solutions with CodeQL | ||
|
|
||
| ### Autobuild fails for Gradle projects because of JVM versions |
There was a problem hiding this comment.
### Autobuild fails for Gradle projects because of JVM versions
->
### Autobuild fails for Gradle projects because of JVM version mismatch
.github/workflows/code-scan.yml
Outdated
| @@ -363,22 +370,28 @@ jobs: | |||
| import sys | |||
| import os | |||
|
|
|||
| _config_file_names = ('codescan.yml', 'codescan.yaml') | |||
| _file_location = '.entur/security' | |||
|
|
|||
| schema = { | |||
| 'apiVersion': {'type': 'string', 'required': True}, | |||
There was a problem hiding this comment.
Sett allowed values til entur.io/securitytools/v1 (https://docs.python-cerberus.org/validation-rules.html#allowed)
.github/workflows/code-scan.yml
Outdated
| @@ -332,8 +339,8 @@ jobs: | |||
| 'Authorization': f'token {external_token}' | |||
| } | |||
|
|
|||
| for file_name in ('code_scan_config.yml', 'code_scan_config.yaml'): | |||
| response = requests.get(f'https://api.github.com/repos/entur/{external_repository}/contents/{file_name}', headers=headers) | |||
| for file_name in 'code_scan_config.yml', 'code_scan_config.yaml': | |||
There was a problem hiding this comment.
-> for file_name in _config_file_names:
.github/workflows/docker-scan.yml
Outdated
| @@ -158,7 +170,7 @@ jobs: | |||
| if os.getenv('GHA_SECURITY_DOCKER_SCAN_EXTERNAL_ALLOWLIST') == 'True': | |||
| data = '' | |||
| try: | |||
| with open('external_docker_scan_config.yml', 'r') as f: | |||
| with open(os.path.join(_file_location, 'external_docker_scan_config.yml'), 'r') as f: | |||
There was a problem hiding this comment.
Rename filen til external_dockerscan.yml.
There was a problem hiding this comment.
Ikke noe problem, men hva er argumentasjonen for å bytte navnet når den har hatt det siden starten?
There was a problem hiding this comment.
Ikke noe annen grunn enn at det gir mer mening når man leser koden. I.e. det er enklere å skjønne at det er en kopi av codescan.yml som hentes eksternt.
.github/workflows/docker-scan.yml
Outdated
| allowlist = {} | ||
|
|
||
| try: | ||
| with open('external_docker_scan_config', 'r') as f: | ||
| with open(os.path.join(_file_location, 'external_docker_scan_config'), 'r') as f: |
There was a problem hiding this comment.
Rename filen til external_dockerscan.yml. Er forsåvidt også en bug her i originalen (.yml extension mangler).
.github/workflows/docker-scan.yml
Outdated
| _config_file_names = ('dockerscan.yml', 'dockerscan.yaml') | ||
| _file_location = '.entur/security' | ||
|
|
||
| for file_name in : |
There was a problem hiding this comment.
Antar du mener for file_name in _config_file_names:
Documentation and both WFs have been updated to reflect requirements in spec.
Docker Scan didn't have access to the external_repository_token as the environment variable wasn't set.
cvaskinn
force-pushed
the
fix/setup_gradle_run
branch
from
f207ced to
9a593d3
Compare
.github/workflows/docker-scan.yml
Outdated
| allowlist = {} | ||
|
|
||
| try: | ||
| with open('external_docker_scan_config', 'r') as f: | ||
| with open(os.path.join(_file_location, 'external_dockerscan'), 'r') as f: |
There was a problem hiding this comment.
Mangler .yml extension.
BREAKING CHANGES: