ACS-9044 Remove excluded files from war file for SAST (#3084)

* ACS-9044 Bump dependency.spring.version from 6.1.14 to 6.2.0

* ACS-9044 Bump spring-security to 6.4.1

* ACS-9044 Add file to hold excluded files list

* ACS-9044 POC - script to remove excluded files from alfresco.war

* ACS-9044 POC - change veracode SAST to scan reduced alfresco.war

* ACS-9044 POC - create reduced alfresco.war before SAST

* ACS-9044 POC - keep reduced alfresco.war in target dir

* ACS-9044 Use temporary directory and allow any war file

* ACS-9044 fix failing path

* ACS-9044 update from review

* ACS-9044 fix for temp dir

* ACS-9044 fix for temp dir

* ACS-9044 Revert spring and spring-security versions

.github/workflows/ci.yml

@@ -106,12 +106,16 @@ jobs:
         run: |
           bash ./scripts/ci/init.sh
           bash ./scripts/ci/build.sh
+      - name: "Remove excluded files"
+        run: |
+          mkdir temp-dir-for-sast
+          bash ./scripts/ci/remove-sast-exclusions.sh ./packaging/war/target/alfresco.war temp-dir-for-sast/reduced.war
       - name: "Run SAST Scan"
         uses: veracode/Veracode-pipeline-scan-action@v1.0.16
         with:
           vid: ${{ secrets.VERACODE_API_ID }}
           vkey: ${{ secrets.VERACODE_API_KEY }}
-          file: "packaging/war/target/alfresco.war"
+          file: "temp-dir-for-sast/reduced.war"
           fail_build: true
           project_name: alfresco-community-repo
           issue_details: true
@@ -129,6 +133,8 @@ jobs:
         with:
           name: Veracode Pipeline-Scan Results (Human Readable)
           path: readable_output.zip
+      - name: "Remove temporary directory"
+        run: rm -rfv temp-dir-for-sast
       - name: "Clean Maven cache"
         run: bash ./scripts/ci/cleanup_cache.sh
 

.secrets.baseline

@@ -133,21 +133,21 @@
         "filename": ".github/workflows/ci.yml",
         "hashed_secret": "b86dc2f033a63f2b7b9e7d270ab806d2910d7572",
         "is_verified": false,
-        "line_number": 293
+        "line_number": 299
       },
       {
         "type": "Secret Keyword",
         "filename": ".github/workflows/ci.yml",
         "hashed_secret": "1bfb0e20f886150ba59b853bcd49dea893e00966",
         "is_verified": false,
-        "line_number": 368
+        "line_number": 374
       },
       {
         "type": "Secret Keyword",
         "filename": ".github/workflows/ci.yml",
         "hashed_secret": "128f14373ccfaff49e3664045d3a11b50cbb7b39",
         "is_verified": false,
-        "line_number": 902
+        "line_number": 908
       }
     ],
     ".github/workflows/master_release.yml": [
@@ -1888,5 +1888,5 @@
       }
     ]
   },
-  "generated_at": "2024-10-09T09:32:52Z"
+  "generated_at": "2024-12-19T08:58:42Z"
-}
+}

scripts/ci/SAST-exclusion-list.txt

@@ -0,0 +1 @@
+spring-security*

scripts/ci/remove-sast-exclusions.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+echo "=========================== Excluding Files from Veracode SAST ==========================="
+set -ex
+pushd "$(dirname "${BASH_SOURCE[0]}")/../../"
+
+# Copy war file to temporary directory
+cp -f "$1" "$2"
+
+# Remove files to be excluded from Veracode SAST
+exclusions="./scripts/ci/SAST-exclusion-list.txt"
+if [ -e $exclusions ]
+then
+    while read -r line
+    do
+      echo "Removing WEB-INF/lib/$line"
+      zip -d "$2" "WEB-INF/lib/$line" || true
+    done < "$exclusions"
+else
+    echo "No files to be excluded from SAST"
+fi
+
+popd
+set +ex
+echo "=========================== Finishing Excluding Files from Veracode SAST =========================="