Add support for easy exclusion of invalid vulnerabilities (#166)

* Add support for easy exclusion of invalid vulnerabilities - New Gradle file and .txt for defining and ignoring invalid OSS Index vulnerabilities - Updates Renovate config to separate major, minor and patch version changes - Excludes existing invalid findings - Fixes Lift and renovate configs {patch} Signed-off-by: Esta Nagy <[email protected]>
nagyesta · Oct 12, 2022 · 2cbf2a8 · 2cbf2a8
1 parent 3bb4420
commit 2cbf2a8
Show file tree

Hide file tree

Showing 12 changed files with 69 additions and 22 deletions.
diff --git a/.github/workflows/add-index-exclusion.yml b/.github/workflows/add-index-exclusion.yml
@@ -0,0 +1,42 @@
+name: AddOssIndexExclusion
+on:
+  workflow_dispatch:
+    inputs:
+      exclusion:
+        description: 'Vulnerability to exclude'
+        required: true
+        type: text
+
+permissions: read-all
+
+jobs:
+  build:
+    name: Add OSS Index Exclusion action
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.PUBLISH_KEY }}
+      - name: "Add exclusion"
+        run: |
+          echo "${{ github.event.inputs.exclusion }}" >> config/ossindex/exclusions.txt
+      - name: "git branch"
+        run: |
+          git config --global user.name 'Esta Nagy'
+          git config --global user.email '[email protected]'
+          git checkout -b feature/exclude-vulnerability-run-${{ github.run_number }}
+          git add config/ossindex/exclusions.txt
+          git commit -asm "Excluding vulnerability ${{ github.event.inputs.exclusion }} {patch}"
+          git push -f --set-upstream origin feature/exclude-vulnerability-run-${{ github.run_number }}
+      - uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e  # tag=v6.0.0
+        with:
+          github-token: ${{ secrets.PUBLISH_KEY }}
+          script: |
+            github.rest.pulls.create({
+              owner: "${{ github.repository_owner }}",
+              repo: "abort-mission",
+              head: "feature/exclude-vulnerability-run-${{ github.run_number }}",
+              base: "main",
+              title: "Excluding vulnerability ${{ github.event.inputs.exclusion }} {patch}"
+            });
diff --git a/.github/workflows/gradle-ci.yml b/.github/workflows/gradle-ci.yml
@@ -22,6 +22,7 @@ on:
       - 'renovate.json'
       - '.whitesource'
       - 'gradle/libs.versions.toml'
+      - 'config/ossindex/exclusions.txt'
 
 permissions: read-all
 

diff --git a/.github/workflows/gradle-test-main.yml b/.github/workflows/gradle-test-main.yml
@@ -11,6 +11,7 @@ on:
       - 'gradle/libs.versions.toml'
       - 'gradle/verification-metadata.xml'
       - 'gradle/wrapper/gradle-wrapper.properties'
+      - 'config/ossindex/exclusions.txt'
 
 permissions: read-all
 

diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -25,6 +25,7 @@ on:
       - 'gradle/libs.versions.toml'
       - 'gradle/verification-metadata.xml'
       - 'gradle/wrapper/gradle-wrapper.properties'
+      - 'config/ossindex/exclusions.txt'
 
 permissions: read-all
 

diff --git a/.lift.toml b/.lift.toml
@@ -10,7 +10,7 @@ build = "./gradlew build -x test"
 # ignoreFiles = <gitignore format string of files to ignore>
 
 ## tools = <infer | errorprone | eslint | hlint | findsecbugs >
-tools = ["infer", "findsecbugs", "open source vulnerabilities", "bill of materials"]
+tools = ["infer", "findsecbugs"]
 
 # disableTools = <list of tools to not run on the project>
 disableTools = ["errorprone"]

diff --git a/build.gradle b/build.gradle
@@ -6,14 +6,15 @@ plugins {
 
 group = 'com.github.nagyesta.abort-mission'
 
+apply from: "config/ossindex/ossIndexAudit.gradle"
+
 project.ext {
     gitToken = project.hasProperty('githubToken') ? (project.property('githubToken') as String) : ''
     gitUser = project.hasProperty('githubUser') ? (project.property('githubUser') as String) : ''
     ossrhUser = project.hasProperty('ossrhUsername') ? (project.property('ossrhUsername') as String) : ''
     ossrhPass = project.hasProperty('ossrhPassword') ? (project.property('ossrhPassword') as String) : ''
     ossIndexUser = project.hasProperty('ossIndexUsername') ? (project.property('ossIndexUsername') as String) : ''
     ossIndexPass = project.hasProperty('ossIndexPassword') ? (project.property('ossIndexPassword') as String) : ''
-    ossIndexExclusions = ["CVE-2016-1000027", "CVE-2018-14335", "sonatype-2020-1324", "sonatype-2018-0863", "CVE-2022-38752"]
     repoUrl = 'https://github.com/nagyesta/abort-mission'
     licenseName = 'MIT License'
     licenseUrl = 'https://raw.githubusercontent.com/nagyesta/abort-mission/main/LICENSE'

diff --git a/config/ossindex/exclusions.txt b/config/ossindex/exclusions.txt
@@ -0,0 +1,6 @@
+CVE-2016-1000027
+CVE-2018-14335
+sonatype-2020-1324
+sonatype-2018-0863
+CVE-2022-38752
+CVE-2022-42003
diff --git a/config/ossindex/ossIndexAudit.gradle b/config/ossindex/ossIndexAudit.gradle
@@ -0,0 +1,10 @@
+def readExclusions() {
+    return rootProject.file("config/ossindex/exclusions.txt").readLines()
+            .stream()
+            .filter(s -> !s.isBlank())
+            .toArray()
+}
+
+project.ext {
+    ossIndexExclusions = readExclusions()
+}
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -6,6 +6,7 @@ thymeleaf = "3.0.15.RELEASE"
 thymeleafExtrasTime = "3.0.4.RELEASE"
 logback = "1.2.11"
 jsonSchemaValidator = "1.0.73"
+jackson = "2.13.4"
 gson = "2.9.1"
 slf4j = "1.7.36"
 h2 = "2.1.214"
@@ -47,6 +48,7 @@ logback-core = { module = "ch.qos.logback:logback-core", version.ref = "logback"
 
 gson = { module = "com.google.code.gson:gson", version.ref = "gson" }
 json-schema-validator = { module = "com.networknt:json-schema-validator", version.ref = "jsonSchemaValidator" }
+jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version.ref = "jackson" }
 
 slf4j-api = { module = "org.slf4j:slf4j-api", version.ref = "slf4j" }
 

diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
@@ -95,11 +95,6 @@
             <sha256 value="9c9b67073f1e4cedce8196db825912e26cbeca4cb11d6a883779f69d07813c1b" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.fasterxml.jackson" name="jackson-base" version="2.13.3">
-         <artifact name="jackson-base-2.13.3.pom">
-            <sha256 value="72d67291876c63e1896bc7d8ff799033d3a4b9029020110488af9c97315ed939" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
       <component group="com.fasterxml.jackson" name="jackson-base" version="2.13.4">
          <artifact name="jackson-base-2.13.4.pom">
             <sha256 value="98b08346fa922deb37afb02713d50a6c56848250374c64198153a3f9dcb79879" origin="Generated by Gradle"/>
@@ -145,31 +140,16 @@
             <sha256 value="2bba89978172af1effcb4d143d09921a3f3082ca4dcf122b1ded98bf55b2ad57" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.fasterxml.jackson.core" name="jackson-annotations" version="2.13.3">
-         <artifact name="jackson-annotations-2.13.3.jar">
-            <sha256 value="5326a6fbcde7cf8817f36c254101cd45f6acea4258518cd3c80ee5b89f4e4b9b" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
       <component group="com.fasterxml.jackson.core" name="jackson-annotations" version="2.13.4">
          <artifact name="jackson-annotations-2.13.4.jar">
             <sha256 value="ac5b27a634942391ca113850ee7db01df1499a240174021263501c05fc653b44" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.fasterxml.jackson.core" name="jackson-core" version="2.13.3">
-         <artifact name="jackson-core-2.13.3.jar">
-            <sha256 value="ab119a8ea3cc69472ebc0e870b849bfbbe536ad57d613dc38453ccd592ca6a3d" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
       <component group="com.fasterxml.jackson.core" name="jackson-core" version="2.13.4">
          <artifact name="jackson-core-2.13.4.jar">
             <sha256 value="4c2e043200edd9ee7ba6fc378bd5c17784a5bf2388e152d208068b51fd0839cf" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.fasterxml.jackson.core" name="jackson-databind" version="2.13.3">
-         <artifact name="jackson-databind-2.13.3.jar">
-            <sha256 value="6444bf08d8cd4629740afc3db1276938f494728deb663ce585c4e91f6b45eb84" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
       <component group="com.fasterxml.jackson.core" name="jackson-databind" version="2.13.4">
          <artifact name="jackson-databind-2.13.4.jar">
             <sha256 value="c9faff420d9e2c7e1e4711dbeebec2506a32c9942027211c5c293d8d87807eb6" origin="Generated by Gradle"/>

diff --git a/mission-report/flight-evaluation-report/build.gradle b/mission-report/flight-evaluation-report/build.gradle
@@ -14,6 +14,7 @@ project.ext {
 
 dependencies {
     implementation libs.json.schema.validator
+    implementation libs.jackson.databind
     implementation libs.thymeleaf
     implementation libs.thymeleaf.extras.java8time
     implementation libs.bundles.logback

diff --git a/renovate.json b/renovate.json
@@ -8,6 +8,8 @@
   ],
   "assigneesSampleSize": 1,
   "commitMessageSuffix": "{patch}",
+  "separateMajorMinor" : true,
+  "separateMinorPatch" : true,
   "github-actions": {
     "pinDigests": true
   },