inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-09-17 14:21:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Bump to veracode 1.0.17 and remove exclusions. Scan should fail

Browse Source
This commit is contained in:
Sara Aspery
2025-01-09 21:09:02 +00:00
parent da9c7c372c
commit 275e4bfd06
4 changed files with 6 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.github/workflows/ci.yml vendored
View File

@@ -106,16 +106,12 @@ jobs:
run: | run: |
bash ./scripts/ci/init.sh bash ./scripts/ci/init.sh
bash ./scripts/ci/build.sh bash ./scripts/ci/build.sh
- name: "Remove excluded files"
run: |
mkdir temp-dir-for-sast
bash ./scripts/ci/remove-sast-exclusions.sh ./packaging/war/target/alfresco.war temp-dir-for-sast/reduced.war
- name: "Run SAST Scan" - name: "Run SAST Scan"
uses: veracode/Veracode-pipeline-scan-action@v1.0.16 uses: veracode/Veracode-pipeline-scan-action@v1.0.17
with: with:
vid: ${{ secrets.VERACODE_API_ID }} vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }} vkey: ${{ secrets.VERACODE_API_KEY }}
file: "temp-dir-for-sast/reduced.war" file: "packaging/war/target/alfresco.war"
fail_build: true fail_build: true
project_name: alfresco-community-repo project_name: alfresco-community-repo
issue_details: true issue_details: true
@@ -133,8 +129,6 @@ jobs:
with: with:
name: Veracode Pipeline-Scan Results (Human Readable) name: Veracode Pipeline-Scan Results (Human Readable)
path: readable_output.zip path: readable_output.zip
- name: "Remove temporary directory"
run: rm -rfv temp-dir-for-sast
- name: "Clean Maven cache" - name: "Clean Maven cache"
run: bash ./scripts/ci/cleanup_cache.sh run: bash ./scripts/ci/cleanup_cache.sh

8
.secrets.baseline
View File

@@ -133,21 +133,21 @@
"filename": ".github/workflows/ci.yml", "filename": ".github/workflows/ci.yml",
"hashed_secret": "b86dc2f033a63f2b7b9e7d270ab806d2910d7572", "hashed_secret": "b86dc2f033a63f2b7b9e7d270ab806d2910d7572",
"is_verified": false, "is_verified": false,
"line_number": 299 "line_number": 293
}, },
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
"filename": ".github/workflows/ci.yml", "filename": ".github/workflows/ci.yml",
"hashed_secret": "1bfb0e20f886150ba59b853bcd49dea893e00966", "hashed_secret": "1bfb0e20f886150ba59b853bcd49dea893e00966",
"is_verified": false, "is_verified": false,
"line_number": 374 "line_number": 368
}, },
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
"filename": ".github/workflows/ci.yml", "filename": ".github/workflows/ci.yml",
"hashed_secret": "128f14373ccfaff49e3664045d3a11b50cbb7b39", "hashed_secret": "128f14373ccfaff49e3664045d3a11b50cbb7b39",
"is_verified": false, "is_verified": false,
"line_number": 908 "line_number": 902
} }
], ],
".github/workflows/master_release.yml": [ ".github/workflows/master_release.yml": [
@@ -1888,5 +1888,5 @@
} }
] ]
}, },
"generated_at": "2024-12-19T08:58:42Z" "generated_at": "2025-01-09T21:08:44Z"
} }

1
scripts/ci/SAST-exclusion-list.txt
View File

@@ -1 +0,0 @@
spring-security*

24
scripts/ci/remove-sast-exclusions.sh
View File

@@ -1,24 +0,0 @@
#!/usr/bin/env bash
echo "=========================== Excluding Files from Veracode SAST ==========================="
set -ex
pushd "$(dirname "${BASH_SOURCE[0]}")/../../"
# Copy war file to temporary directory
cp -f "$1" "$2"
# Remove files to be excluded from Veracode SAST
exclusions="./scripts/ci/SAST-exclusion-list.txt"
if [ -e $exclusions ]
then
while read -r line
do
echo "Removing WEB-INF/lib/$line"
zip -d "$2" "WEB-INF/lib/$line" || true
done < "$exclusions"
else
echo "No files to be excluded from SAST"
fi
popd
set +ex
echo "=========================== Finishing Excluding Files from Veracode SAST =========================="