ACS-9044 Remove excluded files from war file for SAST (#3084)

* ACS-9044 Bump dependency.spring.version from 6.1.14 to 6.2.0 * ACS-9044 Bump spring-security to 6.4.1 * ACS-9044 Add file to hold excluded files list * ACS-9044 POC - script to remove excluded files from alfresco.war * ACS-9044 POC - change veracode SAST to scan reduced alfresco.war * ACS-9044 POC - create reduced alfresco.war before SAST * ACS-9044 POC - keep reduced alfresco.war in target dir * ACS-9044 Use temporary directory and allow any war file * ACS-9044 fix failing path * ACS-9044 update from review * ACS-9044 fix for temp dir * ACS-9044 fix for temp dir * ACS-9044 Revert spring and spring-security versions
2025-07-24 17:32:48 +00:00 · 2024-12-20 10:21:33 +00:00
parent f731c9734c
commit 4eafb13ba6
4 changed files with 37 additions and 6 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -106,12 +106,16 @@ jobs:
        run: |
          bash ./scripts/ci/init.sh
          bash ./scripts/ci/build.sh
+      - name: "Remove excluded files"
+        run: |
+          mkdir temp-dir-for-sast
+          bash ./scripts/ci/remove-sast-exclusions.sh ./packaging/war/target/alfresco.war temp-dir-for-sast/reduced.war
      - name: "Run SAST Scan"
        uses: veracode/Veracode-pipeline-scan-action@v1.0.16
        with:
          vid: ${{ secrets.VERACODE_API_ID }}
          vkey: ${{ secrets.VERACODE_API_KEY }}
-          file: "packaging/war/target/alfresco.war"
+          file: "temp-dir-for-sast/reduced.war"
          fail_build: true
          project_name: alfresco-community-repo
          issue_details: true
@@ -129,6 +133,8 @@ jobs:
        with:
          name: Veracode Pipeline-Scan Results (Human Readable)
          path: readable_output.zip
+      - name: "Remove temporary directory"
+        run: rm -rfv temp-dir-for-sast
      - name: "Clean Maven cache"
        run: bash ./scripts/ci/cleanup_cache.sh