From 421ad3f0f5495dda2332f92708ace35579888c73 Mon Sep 17 00:00:00 2001
From: Payal Khanna <107400406+PayalKhanna@users.noreply.github.com>
Date: Tue, 18 Jun 2024 13:22:57 +0100
Subject: [PATCH] pending changes for finos migration (#133)
---
 .github/actions/maven-build/action.yml | 31 +++++++++
 .github/pull_request_template.md | 10 +++
 .github/workflows/cve-scanning.yml | 47 +++++++++++++
 .github/workflows/license-scanning.yml | 92 ++++++++++++++++++++++++++
 README.md | 2 +-
 codefresh.yml | 4 +-
 6 files changed, 183 insertions(+), 3 deletions(-)
 create mode 100644 .github/actions/maven-build/action.yml
 create mode 100644 .github/pull_request_template.md
 create mode 100644 .github/workflows/cve-scanning.yml
 create mode 100644 .github/workflows/license-scanning.yml
diff --git a/.github/actions/maven-build/action.yml b/.github/actions/maven-build/action.yml
new file mode 100644
index 0000000..8817595
--- /dev/null
+++ b/.github/actions/maven-build/action.yml
@@ -0,0 +1,31 @@
+name: Maven Build
+description: Run a Maven Build
+
+inputs:
+ build-command:
+ description: The Maven command to build the project. The default is `package`.
+ required: false
+ # type: string - `type` field is not supported (yet). See comment below.
+ default: package
+ run-tests:
+ description: Whether or not to run tests. The default is true.
+ required: false
+ # type: boolean - This is not supported (yet). All inputs are of type `string`. See https://github.com/actions/runner/issues/2238.
+ default: 'true'
+
+runs:
+ using: "composite"
+ steps:
+ - name: Set up JDK 17 for x64
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+ architecture: x64
+ cache: maven
+ server-id: ossrh
+ server-username: CI_DEPLOY_USERNAME
+ server-password: CI_DEPLOY_PASSWORD
+ - name: Build with Maven
+ shell: bash
+ run: mvn -B -U clean ${{ inputs.build-command }}${{ inputs.run-tests == 'false' && ' -DskipTests' || '' }}
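Review bot: The `Build with Maven` step splices `${{ inputs.build-command }}` straight into the `run:` script, so whatever string a caller passes becomes shell text; the two workflows in this commit pass literals (`install` and the default `package`), but the robust pattern is to hand the input to the shell through the environment, e.g. `env:` / `BUILD_COMMAND: ${{ inputs.build-command }}` / `run: mvn -B -U clean $BUILD_COMMAND${{ inputs.run-tests == 'false' && ' -DskipTests' || '' }}`, which keeps word splitting for multi-word values while shell metacharacters in the value are no longer interpreted. The `run-tests` expression only ever yields one of two fixed literals, so it can stay inline. The `server-username`/`server-password` values handed to setup-java are environment variable names rather than secrets, which is the intended usage of that action; a comment such as `# deploy credentials are read from the caller's CI_DEPLOY_USERNAME / CI_DEPLOY_PASSWORD env vars` above `server-id` would make that explicit for the scanning workflows, which never set them. Indentation is collapsed on this page, so the nesting above is inferred from the keys.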
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..83da25d
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,10 @@
+Please include a summary of the change and the issue/story number.
+
+## Type of change
+
+Please delete options that are not relevant.
+
+- Bug fix (non-breaking change which fixes an issue)
+- New feature (non-breaking change which adds functionality)
+- Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- This change requires a documentation update
diff --git a/.github/workflows/cve-scanning.yml b/.github/workflows/cve-scanning.yml
new file mode 100644
index 0000000..a4529c4
--- /dev/null
+++ b/.github/workflows/cve-scanning.yml
@@ -0,0 +1,47 @@
+name: CVE Scanning
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ paths:
+ - 'pom.xml'
+ - 'CVE-suppressions.xml'
+ - '.github/workflows/cve-scanning.yml'
+ pull_request:
+ paths:
+ - 'pom.xml'
+ - 'CVE-suppressions.xml'
+ - '.github/workflows/cve-scanning.yml'
+
+# Cancel previous jobs
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ depcheck:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./.github/actions/maven-build
+ with:
+ run-tests: false
+ - name: CVE scanning
+ uses: dependency-check/Dependency-Check_Action@1.1.0
+ env:
+ JAVA_HOME: /opt/jdk
+ with:
+ project: ${{github.repository}}
+ path: '.'
+ format: 'HTML'
+ out: 'reports'
+ args: >
+ --suppression CVE-suppressions.xml
+ --failOnCVSS 7
+ - name: Upload results
+ uses: actions/upload-artifact@v4
+ with:
+ name: CVE Scan Report
+ path: ${{github.workspace}}/reports
diff --git a/.github/workflows/license-scanning.yml b/.github/workflows/license-scanning.yml
new file mode 100644
index 0000000..1634f02
--- /dev/null
+++ b/.github/workflows/license-scanning.yml
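Review bot: The `Upload results` step only runs when the preceding `CVE scanning` step succeeds, yet `--failOnCVSS 7` makes that step fail precisely when the report is needed; add `if: always()` (or `if: ${{ !cancelled() }}`) to the upload step so the HTML report is still published on a failing scan. The same gap exists for both `Upload license reports` steps in `.github/workflows/license-scanning.yml`, whose `Validate XML report` step exits non-zero on findings. Neither workflow declares `permissions`, so the job token receives the repository's default scopes on `pull_request` and `push` runs; both jobs only read the checkout and upload artifacts, so a top-level `permissions:` / `contents: read` is sufficient and worth adding to both files. `dependency-check/Dependency-Check_Action@1.1.0` and the other `@vN` references are mutable tags; pinning each to the commit SHA of the intended release (placeholder: `@<RELEASE_COMMIT_SHA> # 1.1.0`) would fix the scanner's own supply chain.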
@@ -0,0 +1,92 @@
+name: License Scanning for Maven
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ paths:
+ - 'pom.xml'
+ - '.github/workflows/license-scanning.yml'
+ pull_request:
+ paths:
+ - 'pom.xml'
+ - '.github/workflows/license-scanning.yml'
+
+# Cancel previous jobs
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+env:
+ ALLOW_LICENSES: "
+ licenses/license/name!='Apache License, Version 2.0' and
+ not(contains(licenses/license/url, '://www.apache.org/licenses/LICENSE-2.0.txt')) and
+
+ licenses/license/name!='BSD License' and
+ not(contains(licenses/license/url, 'antlr.org/license.html')) and
+
+ licenses/license/name!='New BSD License' and
+ not(contains(licenses/license/url, '://www.opensource.org/licenses/bsd-license.php')) and
+
+ licenses/license/name!='BSD-3-Clause' and
+ not(contains(licenses/license/url, '://asm.ow2.io/license.html')) and
+ licenses/license/name!='BSD License 3' and
+ not(contains(licenses/license/url, '://opensource.org/license/BSD-3-Clause')) and
+
+ licenses/license/name!='Eclipse Public License - v 1.0' and
+ not(contains(licenses/license/url, '://www.eclipse.org/legal/epl-v10.html')) and
+
+ licenses/license/name!='Eclipse Public License - v 2.0' and
+ not(contains(licenses/license/url, '://www.eclipse.org/legal/epl-v20.html')) and
+ not(contains(licenses/license/url, '://www.eclipse.org/legal/epl-2.0')) and
+
+ licenses/license/name!='GNU Lesser General Public License' and
+ not(contains(licenses/license/url, '://www.gnu.org/licenses/old-licenses/lgpl-2.1.html')) and
+
+ licenses/license/name!='GNU General Public License (GPL), version 2, with the Classpath exception' and
+ not(contains(licenses/license/url, '://openjdk.java.net/legal/gplv2+ce.html')) and
+
+ licenses/license/name!='The MIT License' and
+ not(contains(licenses/license/url, '://opensource.org/licenses/MIT')) and
+ not(contains(licenses/license/url, '://www.opensource.org/licenses/mit-license.php')) and
+
+ licenses/license/name!='CDDL + GPLv2 with classpath exception' and
+ not(contains(licenses/license/url, '://github.com/javaee/javax.annotation/blob/master/LICENSE')) and
+ licenses/license/name!='CDDL/GPLv2+CE' and
+ not(contains(licenses/license/url, '://github.com/javaee/activation/blob/master/LICENSE')) and
+ licenses/license/name!='CDDL 1.1' and
+ not(contains(licenses/license/url, '://oss.oracle.com/licenses/CDDL+GPL-1.1')) and
+
+ licenses/license/name!='Public Domain'
+ "
+ REPORT_PATH: "target/generated-resources"
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install XQ
+ run: pip install xq
+ - uses: ./.github/actions/maven-build
+ with:
+ build-command: install
+ run-tests: false
+ - name: License XML report
+ run: mvn org.codehaus.mojo:license-maven-plugin:2.4.0:aggregate-download-licenses
+ - name: Validate XML report
+ run: |
+ LICENSE_REPORT=`xq "//dependency[${{ env.ALLOW_LICENSES }}]" ./${{ env.REPORT_PATH }}/licenses.xml`
+ LINES_FOUND=`echo "$LICENSE_REPORT" | wc -l`
+ if [ $LINES_FOUND -gt 1 ]; then echo "License issues found ..." ; echo "$LICENSE_REPORT" ; exit -1; fi
+ - name: Upload license reports
+ uses: actions/upload-artifact@v4
+ with:
+ name: license-reports
+ path: '**/${{ env.REPORT_PATH }}/'
+ - name: Upload license XML reports
+ uses: actions/upload-artifact@v4
+ with:
+ name: license-xml-reports
+ path: '**/${{ env.REPORT_PATH }}/licenses.xml'
diff --git a/README.md b/README.md
index 4b94537..0c65341 100644
--- a/README.md
+++ b/README.md
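Review bot: `pip install xq` in the `Install XQ` step fetches an unpinned package from PyPI on every run, so the tool that decides whether the license gate passes can change underneath the workflow; pin it, e.g. `run: pip install "xq==<PINNED_VERSION>"` (version is a placeholder; `--require-hashes` with a requirements file would also lock the artifact). In `Validate XML report`, the gate depends on `echo "" | wc -l` counting one line for an empty result, which is easy to break when the script is edited; if `xq` prints nothing on no match, `if [ -n "$LICENSE_REPORT" ]; then` states the intent directly, and `exit -1` should become `exit 1` since the shell truncates it to 255 anyway. The name `ALLOW_LICENSES` hides that the value is an XPath predicate selecting dependencies whose license is NOT on the allow-list; a comment above it such as `# XPath predicate: selects <dependency> elements whose license name/url matches none of the allowed ones (the gate fails when it matches anything)` would prevent misreading. Indentation is collapsed on this page, so the nesting above is inferred from the keys.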
@@ -2,7 +2,7 @@
 # Rune Testing
-Rune Testing is a java library that is utilised by [Rosetta Code Generators](https://github.com/REGnosys/rosetta-code-generators) and models expressed in the [Rosetta DSL](https://github.com/REGnosys/rosetta-dsl).
+Rune Testing is a java library that is part of `Finos Rune` utilised by [Rune Code Generators](https://github.com/REGnosys/rosetta-code-generators) and models expressed in [Rune DSL](https://github.com/finos/rune-dsl) the main `Rune` project.
 ## Installation
diff --git a/codefresh.yml b/codefresh.yml
index 803461c..7fae5a0 100644
--- a/codefresh.yml
+++ b/codefresh.yml
@@ -108,13 +108,13 @@ steps:
 - git push https://${{REGNOSYS_OPS}}:${{REGNOSYS_OPS_TOKEN}}@github.com/REGnosys/${{CF_REPO_NAME}}.git ${{RELEASE_NAME}}
 StartNextBuild:
- title: Build rosetta-components if on master
+ title: Build rosetta-components if on main
 stage: 'finalise'
 image: codefresh/cli
 when:
 branch:
 only:
- - master
+ - main
 condition:
 all:
 buildPassed: steps.BuildTesting.result == 'success'