From ed2b8d6c70eda9cd1ad5fd7a5a8e016450960e47 Mon Sep 17 00:00:00 2001 From: jakubkochman Date: Thu, 10 Jul 2025 10:30:34 +0200 Subject: [PATCH] Feature/prodsec 10326 update commons fileupload 7.4.N (#3446) Co-authored-by: Manish Kumar --- .github/workflows/ci.yml | 283 +++++++++++++++++------- .github/workflows/master_release.yml | 14 +- packaging/war/pom.xml | 5 + packaging/war/src/main/webapp/index.jsp | 3 +- pom.xml | 2 +- scripts/ci/remove-sast-exclusions.sh | 24 ++ 6 files changed, 238 insertions(+), 93 deletions(-) create mode 100644 scripts/ci/remove-sast-exclusions.sh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d246944f6b..4a978ebfa2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,6 +26,9 @@ env: CI_WORKSPACE: ${{ github.workspace }} TAS_ENVIRONMENT: ./packaging/tests/environment TAS_SCRIPTS: ../alfresco-community-repo/packaging/tests/scripts + AUTH0_CLIENT_ID: ${{ secrets.AUTH0_OIDC_ADMIN_CLIENT_ID }} + AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_OIDC_CLIENT_SECRET }} + AUTH0_ADMIN_PASSWORD: ${{ secrets.AUTH0_OIDC_ADMIN_PASSWORD }} jobs: prepare: @@ -36,8 +39,13 @@ jobs: !contains(github.event.head_commit.message, '[force') steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + with: + fetch-depth: 0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 +# 7.4.N does not have proper pre-commit support +# - uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v8.16.0 - name: "Init" run: bash ./scripts/ci/init.sh - name: "Prepare maven cache and check compilation" 
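Review bot: The three new `AUTH0_*` entries sit in the workflow-level `env:`, which exports the client id, client secret and admin password into every job and every step of ci.yml, including third-party actions such as the Veracode, PMD and upload-artifact steps that have no use for them. The only consumer visible in this patch is the Auth0 matrix entry of `repository_app_context_test_suites`, whose `mvn-options` shell-expand `${AUTH0_CLIENT_ID}`, `${AUTH0_CLIENT_SECRET}` and `${AUTH0_ADMIN_PASSWORD}`, so moving the three lines to that job's `env:` limits what a misbehaving action in any other job can read. GitHub masks the values in logs either way; the point is which processes receive them in their environment.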
@@ -45,45 +53,136 @@ jobs: - name: "Clean Maven cache" run: bash ./scripts/ci/cleanup_cache.sh - veracode: + veracode_sca: name: "Source Clear Scan (SCA)" runs-on: ubuntu-latest needs: [prepare] if: > - ((github.ref_name == 'master' || startsWith(github.ref_name, 'release/')) && github.event_name != 'pull_request') && + (github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'pull_request') && !contains(github.event.head_commit.message, '[skip tests]') && !contains(github.event.head_commit.message, '[force') steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Init" run: bash ./scripts/ci/init.sh - - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v8.16.0 continue-on-error: true with: srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }} - name: "Clean Maven cache" run: bash ./scripts/ci/cleanup_cache.sh - + + veracode_sast: + name: "Pipeline SAST Scan" + runs-on: ubuntu-latest + needs: [prepare] + if: > + (github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'pull_request') && + github.actor != 'dependabot[bot]' && + !contains(github.event.head_commit.message, '[skip tests]') && + !contains(github.event.head_commit.message, '[force') + steps: + - uses: actions/checkout@v4 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: 
Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v8.16.0 + with: + token: ${{ secrets.BOT_GITHUB_TOKEN }} + repository: "Alfresco/veracode-baseline-archive" + file-path: "alfresco-community-repo/alfresco-community-repo-baseline.json" + target: "baseline.json" + - name: "Build" + timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} + run: | + bash ./scripts/ci/init.sh + bash ./scripts/ci/build.sh + - name: "Remove excluded files" + run: | + mkdir temp-dir-for-sast + bash ./scripts/ci/remove-sast-exclusions.sh ./packaging/war/target/alfresco.war temp-dir-for-sast/reduced.war + - name: "Run SAST Scan" + uses: veracode/Veracode-pipeline-scan-action@v1.0.16 + with: + vid: ${{ secrets.VERACODE_API_ID }} + vkey: ${{ secrets.VERACODE_API_KEY }} + file: "temp-dir-for-sast/reduced.war" + fail_build: true + project_name: alfresco-community-repo + issue_details: true + veracode_policy_name: Alfresco Default + summary_output: true + summary_output_file: results.json + summary_display: true + baseline_file: baseline.json + - name: Upload scan result + if: success() || failure() + run: zip readable_output.zip results.json + - name: Upload Artifact + if: success() || failure() + uses: actions/upload-artifact@v4 + with: + name: Veracode Pipeline-Scan Results (Human Readable) + path: readable_output.zip + - name: "Remove temporary directory" + run: rm -rfv temp-dir-for-sast + - name: "Clean Maven cache" + run: bash ./scripts/ci/cleanup_cache.sh + + pmd_scan: + name: "PMD Scan" + runs-on: ubuntu-latest + needs: [prepare] + if: > + github.event_name == 'pull_request' && + !contains(github.event.head_commit.message, '[skip pmd]') && + !contains(github.event.head_commit.message, '[skip tests]') && + !contains(github.event.head_commit.message, '[force]') + steps: + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: 
Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 + - uses: Alfresco/ya-pmd-scan@v4.3.0 + with: + classpath-build-command: "mvn test-compile -ntp -Pags -pl \"-:alfresco-community-repo-docker\"" + all_unit_tests_suite: - name: "Core, Data-Model, Repository - AllUnitTestsSuite - Build and test" + name: ${{ matrix.testName }} - AllUnitTestsSuite - Build and test runs-on: ubuntu-latest needs: [prepare] if: > !contains(github.event.head_commit.message, '[skip repo]') && !contains(github.event.head_commit.message, '[skip tests]') && !contains(github.event.head_commit.message, '[force') + strategy: + fail-fast: false + matrix: + include: + - testName: Core + testModule: core + testAttributes: "-Dtest=AllCoreUnitTestSuite" + - testName: Data-Model + testModule: data-model + testAttributes: "-Dtest=AllDataModelUnitTestSuite" + - testName: Repository + testModule: repository + testAttributes: "-Dtest=AllUnitTestsSuite" + - testName: Mmt + testModule: mmt + testAttributes: "-Dtest=AllMmtUnitTestSuite" steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Init" run: bash ./scripts/ci/init.sh - name: "Run tests" run: | - mvn -B test -pl core,data-model -am -DfailIfNoTests=false - mvn -B test -pl "repository,mmt" -am "-Dtest=AllUnitTestsSuite,AllMmtUnitTestSuite" -DfailIfNoTests=false + mvn -B test -pl ${{ matrix.testModule }} -am ${{ matrix.testAttributes }} -DfailIfNoTests=false "${args[@]}" - name: "Clean Maven cache" run: bash ./scripts/ci/cleanup_cache.sh 
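Review bot: The `Remove excluded files` step in `veracode_sast` deletes every jar named in `scripts/ci/SAST-exclusion-list.txt` from the WAR before the scan, but that list is not in this patch, so the coverage that `fail_build: true` actually enforces cannot be reviewed here; a comment on the step stating the criterion for adding an entry, e.g. `# entries in SAST-exclusion-list.txt must state why the jar is out of SAST scope`, would keep the gap auditable. The new matrix `run:` in `all_unit_tests_suite` ends with `"${args[@]}"`, but no `args` array is assigned anywhere in the step, so it expands to nothing under the runner's default shell settings; drop it or assign the array. `pmd_scan` is also the only job here without an `actions/checkout@v4` step before `setup-java-build`, which is fine if `Alfresco/ya-pmd-scan` checks the repository out itself, otherwise `classpath-build-command` runs in an empty workspace. `pmd_scan` and the new `ags_start_api_explorer` job match `'[force]'` while every sibling job matches `'[force'`, so the two forms should be aligned.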
@@ -113,8 +212,9 @@ jobs: REQUIRES_INSTALLED_ARTIFACTS: true steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Build" timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} run: | @@ -123,9 +223,10 @@ jobs: - name: "Set transformers tag" run: echo "TRANSFORMERS_TAG=$(mvn help:evaluate -Dexpression=dependency.alfresco-transform-core.version -q -DforceStdout)" >> $GITHUB_ENV - name: "Set up the environment" + timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile ${{ matrix.compose-profile }} up -d - name: "Run tests" - run: mvn -B test -pl remote-api -Dtest=${{ matrix.testSuite }} -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco + run: mvn -B test -pl remote-api -Dtest=${{ matrix.testSuite }} -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco # pragma: allowlist secret - name: "Clean Maven cache" run: bash ./scripts/ci/cleanup_cache.sh 
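Review bot: The `# pragma: allowlist secret` appended to the `Run tests` line in the @@ -123 hunk, and to the matching lines in the hunks at @@ -155, @@ -207, @@ -232, @@ -257, @@ -341 and @@ -432, silences the secret scanner on seven separate copies of `-Ddb.password=alfresco`. That value appears to be the throwaway credential of the database container the job starts on localhost, so suppressing it is reasonable, but each suppressed line is a place where a real credential could later be pasted without the scanner objecting. Declaring it once at workflow level, e.g. `DB_TEST_PASSWORD: alfresco  # pragma: allowlist secret` (a constructed name), and writing `-Ddb.password=${DB_TEST_PASSWORD}` in the `run:` lines would leave a single suppressed line and no suppression on the commands themselves. Because ` #` starts a YAML comment in a plain `run:` scalar, the pragma never reaches the shell, which is the intended behaviour.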
@@ -143,11 +244,12 @@ jobs: strategy: fail-fast: false matrix: - version: ['10.2.18', '10.4', '10.5'] + version: ['10.2.18', '10.4', '10.5', '10.6'] steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Init" run: bash ./scripts/ci/init.sh - name: Run MariaDB ${{ matrix.version }} database 
@@ -155,33 +257,7 @@ jobs: env: MARIADB_VERSION: ${{ matrix.version }} - name: "Run tests" - run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.name=alfresco -Ddb.url=jdbc:mariadb://localhost:3307/alfresco?useUnicode=yes\&characterEncoding=UTF-8 -Ddb.username=alfresco -Ddb.password=alfresco -Ddb.driver=org.mariadb.jdbc.Driver - - name: "Clean Maven cache" - run: bash ./scripts/ci/cleanup_cache.sh - - repository_mariadb_10_6_tests: - name: "Repository - MariaDB 10.6 tests" - runs-on: ubuntu-latest - needs: [prepare] - if: > - (((github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'pull_request') && - !contains(github.event.head_commit.message, '[skip db]')) || - contains(github.event.head_commit.message, '[latest db]') || - contains(github.event.head_commit.message, '[db]')) && - !contains(github.event.head_commit.message, '[skip tests]') && - !contains(github.event.head_commit.message, '[force') - steps: - - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 - - name: "Init" - run: bash ./scripts/ci/init.sh - - name: "Run MariaDB 10.6 database" - run: docker compose -f ./scripts/ci/docker-compose/docker-compose-db.yaml --profile mariadb up -d - env: - MARIADB_VERSION: 10.6 - - name: "Run tests" - run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.name=alfresco -Ddb.url=jdbc:mariadb://localhost:3307/alfresco?useUnicode=yes\&characterEncoding=UTF-8 -Ddb.username=alfresco -Ddb.password=alfresco -Ddb.driver=org.mariadb.jdbc.Driver + run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.name=alfresco -Ddb.url=jdbc:mariadb://localhost:3307/alfresco?useUnicode=yes\&characterEncoding=UTF-8 -Ddb.username=alfresco -Ddb.password=alfresco -Ddb.driver=org.mariadb.jdbc.Driver # pragma: 
allowlist secret - name: "Clean Maven cache" run: bash ./scripts/ci/cleanup_cache.sh @@ -198,8 +274,9 @@ jobs: !contains(github.event.head_commit.message, '[force') steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Init" run: bash ./scripts/ci/init.sh - name: "Run MySQL 8 database" @@ -207,7 +284,7 @@ jobs: env: MYSQL_VERSION: 8 - name: "Run tests" - run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.driver=com.mysql.jdbc.Driver -Ddb.name=alfresco -Ddb.url=jdbc:mysql://localhost:3307/alfresco -Ddb.username=alfresco -Ddb.password=alfresco + run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.driver=com.mysql.jdbc.Driver -Ddb.name=alfresco -Ddb.url=jdbc:mysql://localhost:3307/alfresco -Ddb.username=alfresco -Ddb.password=alfresco # pragma: allowlist secret - name: "Clean Maven cache" run: bash ./scripts/ci/cleanup_cache.sh @@ -223,8 +300,9 @@ jobs: !contains(github.event.head_commit.message, '[force') steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Init" run: bash ./scripts/ci/init.sh - name: "Run PostgreSQL 13.7 database" 
@@ -232,24 +310,25 @@ jobs: env: POSTGRES_VERSION: 13.7 - name: "Run tests" - run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco + run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco # pragma: allowlist secret - name: "Clean Maven cache" run: bash ./scripts/ci/cleanup_cache.sh repository_postgresql_14_4_tests: name: "Repository - PostgreSQL 14.4 tests" runs-on: ubuntu-latest - needs: [prepare] + needs: [ prepare ] if: > - (!contains(github.event.head_commit.message, '[skip db]') || - contains(github.event.head_commit.message, '[latest db]') || + (((github.ref_name == 'master' || startsWith(github.ref_name, 'release/')) && github.event_name != 'pull_request' && + !contains(github.event.head_commit.message, '[skip db]')) || contains(github.event.head_commit.message, '[db]')) && !contains(github.event.head_commit.message, '[skip tests]') && !contains(github.event.head_commit.message, '[force') steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Init" run: bash ./scripts/ci/init.sh - name: "Run PostgreSQL 14.4 database" 
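Review bot: `needs: [ prepare ]` in `repository_postgresql_14_4_tests`, and in the new `ags_start_api_explorer` job in the @@ -551 hunk, pads the flow sequence while every other job in the file writes `needs: [prepare]`; one form should be used file-wide. The rewritten `if:` also drops the `[latest db]` commit-message trigger that the old condition honoured and no longer runs this suite on pull requests unless `[db]` is present; if that narrowing is intended, a comment above the condition such as `# 14.4 runs only on master/release pushes, or on [db]` would stop the next reader from re-adding PR runs, and if not, the `contains(github.event.head_commit.message, '[latest db]')` clause needs to come back.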
@@ -257,10 +336,11 @@ jobs: env: POSTGRES_VERSION: 14.4 - name: "Run tests" - run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco + run: mvn -B test -pl repository -am -Dtest=AllDBTestsTestSuite -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco # pragma: allowlist secret - name: "Clean Maven cache" run: bash ./scripts/ci/cleanup_cache.sh + repository_messaging_tests: name: Repository - Messaging tests runs-on: ubuntu-latest @@ -271,19 +351,20 @@ jobs: !contains(github.event.head_commit.message, '[force') steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Init" run: bash ./scripts/ci/init.sh - name: "Run ActiveMQ" run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile activemq up -d - name: "Run tests" - run: mvn -B test -pl repository -am -Dtest=CamelRoutesTest,CamelComponentsTest -DfailIfNoTests=false + run: mvn -B test -pl repository -am -Dtest=CamelRoutesTest,CamelComponentsTest -DfailIfNoTests=false # pragma: allowlist secret - name: "Clean Maven cache" run: bash ./scripts/ci/cleanup_cache.sh repository_app_context_test_suites: - name: Repository - ${{ matrix.testSuite }} + name: Repository - ${{ matrix.testSuite }} ${{ matrix.idp }} runs-on: ubuntu-latest needs: [prepare] if: 
> @@ -304,7 +385,12 @@ jobs: compose-profile: with-transform-core-aio - testSuite: AppContext05TestSuite compose-profile: with-sso - mvn-options: '"-Didentity-service.auth-server-url=http://${HOST_IP}:8999/auth"' + mvn-options: '-Didentity-service.auth-server-url=http://${HOST_IP}:8999/auth -Dauthentication.chain=identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm' + idp: Keycloak + - testSuite: AppContext05TestSuite + compose-profile: default + mvn-options: '-Didentity-service.auth-server-url=https://dev-ps-alfresco.auth0.com/ -Dauthentication.chain=identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm -Didentity-service.audience=http://localhost:3000 -Didentity-service.resource=${AUTH0_CLIENT_ID} -Didentity-service.credentials.secret=${AUTH0_CLIENT_SECRET} -Didentity-service.public-client=false -Didentity-service.realm= -Didentity-service.client-id.validation.disabled=false -Dadmin.user=admin@alfresco.com -Dadmin.password=${AUTH0_ADMIN_PASSWORD} -Dauth0.enabled=true -Dauth0.admin.password=${AUTH0_ADMIN_PASSWORD} -Didentity-service.principal-attribute=nickname' + idp: Auth0 - testSuite: AppContext06TestSuite compose-profile: with-transform-core-aio - testSuite: AppContextExtraTestSuite @@ -321,8 +407,9 @@ jobs: mvn-options: '-Dencryption.ssl.keystore.location=${CI_WORKSPACE}/keystores/alfresco/alfresco.keystore -Dencryption.ssl.truststore.location=${CI_WORKSPACE}/keystores/alfresco/alfresco.truststore' steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Init" run: bash ./scripts/ci/init.sh - name: "Set transformers tag" 
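Review bot: The `# pragma: allowlist secret` appended to the messaging `Run tests` line (`mvn -B test -pl repository -am -Dtest=CamelRoutesTest,CamelComponentsTest -DfailIfNoTests=false`) silences the secret scanner on a command that contains no credential at all. It looks like a carry-over from the database jobs; removing it keeps the scanner effective if a password is ever added to this command. The `repository_app_context_test_suites` job whose `name:` and `if:` this hunk starts to edit continues outside it.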
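Review bot: The Auth0 matrix entry puts `-Didentity-service.credentials.secret=${AUTH0_CLIENT_SECRET}`, `-Dadmin.password=${AUTH0_ADMIN_PASSWORD}` and `-Dauth0.admin.password=${AUTH0_ADMIN_PASSWORD}` on the `mvn` command line as JVM system properties, where the expanded values are readable by any process on the runner through the process table, which GitHub's log masking does not cover. Since the values are already exported in the environment as `AUTH0_*`, having the test configuration read them from there (or from a properties file the step writes) would keep them off the command line; whether the property loader used by these tests supports that is not visible here. The entry also ties this job to a live external tenant, `https://dev-ps-alfresco.auth0.com/`, so runs without access to the secrets (forks, dependabot) will execute with empty credentials and fail for reasons unrelated to the change; a step-level guard on the secret being non-empty, or an `if:` on the job, would make that explicit. The job's `if:` and `strategy:` lines are outside this hunk.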
@@ -341,9 +428,10 @@ jobs: echo "HOSTNAME_VERIFICATION_DISABLED=false" >> "$GITHUB_ENV" fi - name: "Set up the environment" + timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile ${{ matrix.compose-profile }} up -d - name: "Run tests" - run: mvn -B test -pl repository -am -Dtest=${{ matrix.testSuite }} -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco ${{ matrix.mvn-options }} + run: mvn -B test -pl repository -am -Dtest=${{ matrix.testSuite }} -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco ${{ matrix.mvn-options }} # pragma: allowlist secret - name: "Clean Maven cache" run: bash ./scripts/ci/cleanup_cache.sh 
@@ -383,26 +471,22 @@ jobs: pom-dir: tas-email - test-name: "WebDAV TAS tests" pom-dir: tas-webdav - - test-name: "Integration TAS tests (Java 17)" + - test-name: "Integration TAS tests" pom-dir: tas-integration - - test-name: "Integration TAS tests (Java 11)" - pom-dir: tas-integration - jre-version: 11 env: REQUIRES_LOCAL_IMAGES: true steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 - with: - java-version: ${{ matrix.jre-version || '17' }} + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Build" timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} run: | bash ./scripts/ci/init.sh - export BUILD_OPTIONS="-Ddocker.buildArg.JRE_VERSION=${{ matrix.jre-version }} ${BUILD_OPTIONS}" bash ./scripts/ci/build.sh - name: "Set up the environment" + timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} run: | ${{ env.TAS_SCRIPTS }}/start-compose.sh ${{ env.TAS_ENVIRONMENT }}/docker-compose-minimal+transforms.yml ${{ env.TAS_SCRIPTS }}/wait-for-alfresco-start.sh "http://localhost:8082/alfresco" 
@@ -432,14 +516,15 @@ jobs: !contains(github.event.head_commit.message, '[force') steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Init" run: bash ./scripts/ci/init.sh - - name: "Run Postgres 14.4 database" + - name: "Run Postgres 16.6 database" run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile postgres up -d - name: "Run tests" - run: mvn -B test -pl :alfresco-share-services -am -Dtest=ShareServicesTestSuite -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco + run: mvn -B test -pl :alfresco-share-services -am -Dtest=ShareServicesTestSuite -DfailIfNoTests=false -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql://localhost:5433/alfresco -Ddb.username=alfresco -Ddb.password=alfresco # pragma: allowlist secret - name: "Clean Maven cache" run: bash ./scripts/ci/cleanup_cache.sh @@ -461,8 +546,9 @@ jobs: REQUIRES_INSTALLED_ARTIFACTS: true steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Build" timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} run: | 
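Review bot: The step is renamed to `Run Postgres 16.6 database`, but nothing in this hunk changes what the `postgres` compose profile starts, and the sibling database jobs pass their version explicitly through `env:` with `POSTGRES_VERSION`. If `docker-compose.yaml` already defaults to 16.6 the new name is accurate; if it does not, the name is misleading and the version should be passed the way the other jobs do, with `env:` and `POSTGRES_VERSION: "16.6"` under the step (quoted, so it stays a string rather than a YAML float). Either way `- name: "Run Postgres 16.6 database"` should match the image the compose file actually pulls.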
@@ -492,8 +578,9 @@ jobs: REQUIRES_INSTALLED_ARTIFACTS: true steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Build" timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} run: | @@ -519,8 +606,9 @@ jobs: REQUIRES_LOCAL_IMAGES: true steps: - uses: actions/checkout@v4 - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Build" timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} run: | 
@@ -551,3 +639,28 @@ jobs: aws s3 cp --acl private ./amps/ags/rm-automation/rm-automation-community-rest-api/target/reports/rm-automation-community-rest-api.log s3://ags-travis-artifacts/community/${{ github.run_number }}/AGS-Community-Rest-API-Tests/rm-automation-community-rest-api.log - name: "Clean Maven cache" run: bash ./scripts/ci/cleanup_cache.sh + + ags_start_api_explorer: + name: "Test Tomcat deployment of api explorer" + runs-on: ubuntu-latest + needs: [ prepare ] + if: > + (((github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'pull_request' ) && + !contains(github.event.head_commit.message, '[skip ags]')) || + contains(github.event.head_commit.message, '[ags]')) && + !contains(github.event.head_commit.message, '[skip tests]') && + !contains(github.event.head_commit.message, '[force]') + steps: + - uses: actions/checkout@v4 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 + - name: "Build" + timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }} + run: | + bash ./scripts/ci/init.sh + bash ./scripts/ci/build.sh + - name: "Test Tomcat deployment" + run: | + mvn verify -Pags,start-api-explorer -DskipTests & + ${{ env.TAS_SCRIPTS }}/wait-for-alfresco-start.sh "http://localhost:8085/api-explorer" diff --git a/.github/workflows/master_release.yml b/.github/workflows/master_release.yml index 2913f24adc..6fdd4eaed5 100644 --- a/.github/workflows/master_release.yml +++ b/.github/workflows/master_release.yml 
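Review bot: `ags_start_api_explorer` is the only job in ci.yml without the closing `Clean Maven cache` step, and its `Test Tomcat deployment` step starts `mvn verify -Pags,start-api-explorer -DskipTests &` in the background and then relies entirely on `wait-for-alfresco-start.sh` to notice a failed build, so a Maven error surfaces only as a wait timeout with the real cause buried in the build output. Recording the PID with `MVN_PID=$!` on the line after the `&` and checking `kill -0 "$MVN_PID"` after the wait script returns would turn a dead Maven process into a direct step failure. A final `Clean Maven cache` step running `bash ./scripts/ci/cleanup_cache.sh`, as every sibling job has, would keep the job consistent.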
@@ -34,11 +34,12 @@ jobs: - uses: actions/checkout@v4 with: persist-credentials: false - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Init" run: bash ./scripts/ci/init.sh - - uses: Alfresco/alfresco-build-tools/.github/actions/configure-git-author@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/configure-git-author@v8.16.0 with: username: ${{ env.GIT_USERNAME }} email: ${{ env.GIT_EMAIL }} @@ -62,11 +63,12 @@ jobs: - uses: actions/checkout@v4 with: persist-credentials: false - - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 - - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0 - name: "Init" run: bash ./scripts/ci/init.sh - - uses: Alfresco/alfresco-build-tools/.github/actions/configure-git-author@v7.0.0 + - uses: Alfresco/alfresco-build-tools/.github/actions/configure-git-author@v8.16.0 with: username: ${{ env.GIT_USERNAME }} email: ${{ env.GIT_EMAIL }} diff --git a/packaging/war/pom.xml b/packaging/war/pom.xml index bdf4d7d437..0913d19d1c 100644 --- a/packaging/war/pom.xml +++ b/packaging/war/pom.xml @@ -115,6 +115,11 @@ mysql-connector-java test + + org.owasp.encoder + encoder + 1.2.3 + diff --git a/packaging/war/src/main/webapp/index.jsp b/packaging/war/src/main/webapp/index.jsp index 97357660e6..3628992c3b 100644 --- a/packaging/war/src/main/webapp/index.jsp 
+++ b/packaging/war/src/main/webapp/index.jsp @@ -34,6 +34,7 @@ <%@ page import="org.alfresco.service.cmr.module.ModuleDetails" %> <%@ page import="org.alfresco.service.cmr.module.ModuleInstallState" %> <%@ page import="java.util.Calendar" %> +<%@ page import="org.owasp.encoder.Encode" %> <% @@ -88,7 +89,7 @@ ModuleDetails shareServicesModule = moduleService.getModule("alfresco-share-serv

Alfresco WebScripts Home (admin only - INTERNAL)

-

Alfresco API Explorer

+

Alfresco API Explorer

<% if (descriptorService.getLicenseDescriptor() == null && transactionService.isReadOnly()) {
diff --git a/pom.xml b/pom.xml
index bd4bb4a9b8..6092468ee6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -403,7 +403,7 @@ commons-fileupload commons-fileupload - 1.5 + 1.6.0
diff --git a/scripts/ci/remove-sast-exclusions.sh b/scripts/ci/remove-sast-exclusions.sh
new file mode 100644
index 0000000000..8826cb2aa1
--- /dev/null
+++ b/scripts/ci/remove-sast-exclusions.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+echo "=========================== Excluding Files from Veracode SAST ==========================="
+set -ex
+pushd "$(dirname "${BASH_SOURCE[0]}")/../../"
+
+# Copy war file to temporary directory
+cp -f "$1" "$2"
+
+# Remove files to be excluded from Veracode SAST
+exclusions="./scripts/ci/SAST-exclusion-list.txt"
+if [ -e $exclusions ]
+then
+ while read -r line
+ do
+ echo "Removing WEB-INF/lib/$line"
+ zip -d "$2" "WEB-INF/lib/$line" || true
+ done < "$exclusions"
+else
+ echo "No files to be excluded from SAST"
+fi
+
+popd
+set +ex
+echo "=========================== Finishing Excluding Files from Veracode SAST =========================="
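Review bot: The `while read -r line ... done < "$exclusions"` loop drops the final entry of `SAST-exclusion-list.txt` when the file lacks a trailing newline, and feeds blank or CRLF-terminated lines to `zip -d` unchanged, where `|| true` then hides the mismatch, so an exclusion can silently fail to apply and the scan fails on the very jar the list meant to skip. Using `while IFS= read -r line || [ -n "$line" ]`, then `line="${line%$'\r'}"` and `[ -z "$line" ] && continue` at the top of the loop body covers all three cases; `[ -e $exclusions ]` should also quote its argument. Rather than `|| true`, echoing a warning when `zip -d` reports that nothing matched would keep the list honest without failing the build. Note that `$1`, `$2` and `$exclusions` are all resolved after the `pushd` to the repository root, so the WAR paths must be repo-root-relative or absolute, which the ci.yml caller satisfies but a comment at the top of the script should state.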