From 4eafb13ba6cb53ed43120e6ee6fb8c11c4962e0e Mon Sep 17 00:00:00 2001
From: Sara
Date: Fri, 20 Dec 2024 10:21:33 +0000
Subject: [PATCH] ACS-9044 Remove excluded files from war file for SAST (#3084)

* ACS-9044 Bump dependency.spring.version from 6.1.14 to 6.2.0
* ACS-9044 Bump spring-security to 6.4.1
* ACS-9044 Add file to hold excluded files list
* ACS-9044 POC - script to remove excluded files from alfresco.war
* ACS-9044 POC - change veracode SAST to scan reduced alfresco.war
* ACS-9044 POC - create reduced alfresco.war before SAST
* ACS-9044 POC - keep reduced alfresco.war in target dir
* ACS-9044 Use temporary directory and allow any war file
* ACS-9044 fix failing path
* ACS-9044 update from review
* ACS-9044 fix for temp dir
* ACS-9044 fix for temp dir
* ACS-9044 Revert spring and spring-security versions
---
 .github/workflows/ci.yml | 8 +++++++-
 .secrets.baseline | 10 +++++-----
 scripts/ci/SAST-exclusion-list.txt | 1 +
 scripts/ci/remove-sast-exclusions.sh | 24 ++++++++++++++++++++++++
 4 files changed, 37 insertions(+), 6 deletions(-)
 create mode 100644 scripts/ci/SAST-exclusion-list.txt
 create mode 100755 scripts/ci/remove-sast-exclusions.sh

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a1a97c0aa8..7cf8140d04 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -106,12 +106,16 @@ jobs:
 run: |
 bash ./scripts/ci/init.sh
 bash ./scripts/ci/build.sh
+ - name: "Remove excluded files"
+ run: |
+ mkdir temp-dir-for-sast
+ bash ./scripts/ci/remove-sast-exclusions.sh ./packaging/war/target/alfresco.war temp-dir-for-sast/reduced.war
 - name: "Run SAST Scan"
 uses: veracode/Veracode-pipeline-scan-action@v1.0.16
 with:
 vid: ${{ secrets.VERACODE_API_ID }}
 vkey: ${{ secrets.VERACODE_API_KEY }}
- file: "packaging/war/target/alfresco.war"
+ file: "temp-dir-for-sast/reduced.war"
 fail_build: true
 project_name: alfresco-community-repo
 issue_details: true
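Review bot: The reduced war is written into the checked-out workspace (`mkdir temp-dir-for-sast`, then `temp-dir-for-sast/reduced.war`), which is why the hunk needs a creation step here and a separate cleanup step later, and `mkdir` without `-p` fails on any runner where the directory already exists from a previous run. The runner's temp directory avoids both: `run: bash ./scripts/ci/remove-sast-exclusions.sh ./packaging/war/target/alfresco.war "${{ runner.temp }}/reduced.war"` and `file: "${{ runner.temp }}/reduced.war"`, with the `mkdir` line dropped. The script only `cp`s to the path it is given, so an absolute path works; whether the Veracode action accepts an absolute `file` path should be confirmed. The job these steps belong to starts before the hunk.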
@@ -129,6 +133,8 @@ jobs:
 with:
 name: Veracode Pipeline-Scan Results (Human Readable)
 path: readable_output.zip
+ - name: "Remove temporary directory"
+ run: rm -rfv temp-dir-for-sast
 - name: "Clean Maven cache"
 run: bash ./scripts/ci/cleanup_cache.sh
diff --git a/.secrets.baseline b/.secrets.baseline
index 42456c42ab..0b3be8cdb8 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -133,21 +133,21 @@
 "filename": ".github/workflows/ci.yml",
 "hashed_secret": "b86dc2f033a63f2b7b9e7d270ab806d2910d7572",
 "is_verified": false,
- "line_number": 293
+ "line_number": 299
 },
 {
 "type": "Secret Keyword",
 "filename": ".github/workflows/ci.yml",
 "hashed_secret": "1bfb0e20f886150ba59b853bcd49dea893e00966",
 "is_verified": false,
- "line_number": 368
+ "line_number": 374
 },
 {
 "type": "Secret Keyword",
 "filename": ".github/workflows/ci.yml",
 "hashed_secret": "128f14373ccfaff49e3664045d3a11b50cbb7b39",
 "is_verified": false,
- "line_number": 902
+ "line_number": 908
 }
 ],
 ".github/workflows/master_release.yml": [
@@ -1888,5 +1888,5 @@
 }
 ]
 },
- "generated_at": "2024-10-09T09:32:52Z"
-}
\ No newline at end of file
+ "generated_at": "2024-12-19T08:58:42Z"
+}
diff --git a/scripts/ci/SAST-exclusion-list.txt b/scripts/ci/SAST-exclusion-list.txt
new file mode 100644
index 0000000000..2f671333d6
--- /dev/null
+++ b/scripts/ci/SAST-exclusion-list.txt
@@ -0,0 +1 @@
+spring-security*
diff --git a/scripts/ci/remove-sast-exclusions.sh b/scripts/ci/remove-sast-exclusions.sh
new file mode 100755
index 0000000000..8826cb2aa1
--- /dev/null
+++ b/scripts/ci/remove-sast-exclusions.sh
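Review bot: The new "Remove temporary directory" step has no `if:` condition, so it is skipped whenever an earlier step fails — including the SAST step, which this commit configures with `fail_build: true` — and `temp-dir-for-sast` with the reduced war is left in the workspace. On an ephemeral hosted runner that is harmless, but on a reused or self-hosted runner the next run's `mkdir temp-dir-for-sast` then fails before the scan. Add `if: always()` between the step's `name:` and `run:` lines so the cleanup runs regardless of the scan result. The enclosing job starts before this hunk.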
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+echo "=========================== Excluding Files from Veracode SAST ==========================="
+set -ex
+pushd "$(dirname "${BASH_SOURCE[0]}")/../../"
+
+# Copy war file to temporary directory
+cp -f "$1" "$2"
+
+# Remove files to be excluded from Veracode SAST
+exclusions="./scripts/ci/SAST-exclusion-list.txt"
+if [ -e $exclusions ]
+then
+ while read -r line
+ do
+ echo "Removing WEB-INF/lib/$line"
+ zip -d "$2" "WEB-INF/lib/$line" || true
+ done < "$exclusions"
+else
+ echo "No files to be excluded from SAST"
+fi
+
+popd
+set +ex
+echo "=========================== Finishing Excluding Files from Veracode SAST =========================="
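Review bot: `pushd "$(dirname "${BASH_SOURCE[0]}")/../../"` runs before `cp -f "$1" "$2"`, so relative war paths are resolved against the repository root rather than the caller's working directory; that happens to match the ci.yml call (the workflow's cwd is the checkout) but contradicts "allow any war file" for any other caller, and with no argument check a missing second argument only fails inside `cp` under `set -e`. Smaller points in the same body: `[ -e $exclusions ]` is unquoted while `done < "$exclusions"` is quoted, `read -r` without `IFS=` drops a final line that lacks a trailing newline while a blank line in SAST-exclusion-list.txt becomes the pattern `WEB-INF/lib/`, and `|| true` hides every zip failure — including zip not being installed — after which the scan silently runs on the unreduced war. The rewrite below locates the exclusion list from the script's own directory instead of changing cwd, validates the arguments, skips blank lines, and tolerates only zip's "nothing to do" exit status (12) for a pattern that matches no entry.
```shell
#!/usr/bin/env bash
# … unchanged: opening banner echo …
set -ex
if [ "$#" -ne 2 ]; then
  echo "usage: $0 <input.war> <output.war>" >&2
  exit 2
fi
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
exclusions="${script_dir}/SAST-exclusion-list.txt"

# Copy war file to temporary directory (both paths are relative to the caller's cwd)
cp -f "$1" "$2"

# Remove files to be excluded from Veracode SAST
if [ -e "$exclusions" ]
then
  while IFS= read -r line || [ -n "$line" ]
  do
    if [ -z "$line" ]; then
      continue
    fi
    echo "Removing WEB-INF/lib/$line"
    # exit status 12 is zip's "nothing to do": the pattern matched no entry
    zip -d "$2" "WEB-INF/lib/$line" || [ "$?" -eq 12 ]
  done < "$exclusions"
else
  echo "No files to be excluded from SAST"
fi

set +ex
# … unchanged: closing banner echo …
```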