From 2cbf2a89c209e734ffc60846a945295e5d302c02 Mon Sep 17 00:00:00 2001
From: Esta Nagy
Date: Wed, 12 Oct 2022 10:44:34 +0200
Subject: [PATCH] Add support for easy exclusion of invalid vulnerabilities (#166)
* Add support for easy exclusion of invalid vulnerabilities
- New Gradle file and .txt for defining and ignoring invalid OSS Index vulnerabilities
- Updates Renovate config to separate major, minor and patch version changes
- Excludes existing invalid findings
- Fixes Lift and renovate configs {patch}
Signed-off-by: Esta Nagy
---
.github/workflows/add-index-exclusion.yml | 42 +++++++++++++++++++
.github/workflows/gradle-ci.yml | 1 +
.github/workflows/gradle-test-main.yml | 1 +
.github/workflows/gradle.yml | 1 +
.lift.toml | 2 +-
build.gradle | 3 +-
config/ossindex/exclusions.txt | 6 +++
config/ossindex/ossIndexAudit.gradle | 10 +++++
gradle/libs.versions.toml | 2 +
gradle/verification-metadata.xml | 20 ---------
.../flight-evaluation-report/build.gradle | 1 +
renovate.json | 2 +
12 files changed, 69 insertions(+), 22 deletions(-)
create mode 100644 .github/workflows/add-index-exclusion.yml
create mode 100644 config/ossindex/exclusions.txt
create mode 100644 config/ossindex/ossIndexAudit.gradle
diff --git a/.github/workflows/add-index-exclusion.yml b/.github/workflows/add-index-exclusion.yml
new file mode 100644
index 00000000..cece449b
--- /dev/null
+++ b/.github/workflows/add-index-exclusion.yml
@@ -0,0 +1,42 @@
+name: AddOssIndexExclusion
+on:
+ workflow_dispatch:
+ inputs:
+ exclusion:
+ description: 'Vulnerability to exclude'
+ required: true
+ type: text
+
+permissions: read-all
+
+jobs:
+ build:
+ name: Add OSS Index Exclusion action
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.PUBLISH_KEY }}
+ - name: "Add exclusion"
+ run: |
+ echo "${{ github.event.inputs.exclusion }}" >> config/ossindex/exclusions.txt
+ - name: "git branch"
+ run: |
+ git config --global user.name 'Esta Nagy'
+ git config --global user.email 'nagyesta@gmail.com'
+ git checkout -b feature/exclude-vulnerability-run-${{ github.run_number }}
+ git add config/ossindex/exclusions.txt
+ git commit -asm "Excluding vulnerability ${{ github.event.inputs.exclusion }} {patch}"
+ git push -f --set-upstream origin feature/exclude-vulnerability-run-${{ github.run_number }}
+ - uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e # tag=v6.0.0
+ with:
+ github-token: ${{ secrets.PUBLISH_KEY }}
+ script: |
+ github.rest.pulls.create({
+ owner: "${{ github.repository_owner }}",
+ repo: "abort-mission",
+ head: "feature/exclude-vulnerability-run-${{ github.run_number }}",
+ base: "main",
+ title: "Excluding vulnerability ${{ github.event.inputs.exclusion }} {patch}"
+ });
diff --git a/.github/workflows/gradle-ci.yml b/.github/workflows/gradle-ci.yml
index 6c7da8fd..f58a7696 100644
--- a/.github/workflows/gradle-ci.yml
+++ b/.github/workflows/gradle-ci.yml
@@ -22,6 +22,7 @@ on:
 - 'renovate.json'
 - '.whitesource'
 - 'gradle/libs.versions.toml'
+ - 'config/ossindex/exclusions.txt'
 permissions: read-all
diff --git a/.github/workflows/gradle-test-main.yml b/.github/workflows/gradle-test-main.yml
index 084fb9e2..54c4539d 100644
--- a/.github/workflows/gradle-test-main.yml
+++ b/.github/workflows/gradle-test-main.yml
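Review bot: The free-text `exclusion` input is expanded by `${{ }}` directly into shell in the "Add exclusion" `run:` step and the `git commit -asm` line, and into a JavaScript string literal in the `title:` of `github.rest.pulls.create`, so a quote, backtick or `$(...)` in the input is executed on the runner while the PAT from `secrets.PUBLISH_KEY` is in scope; the value should be passed through `env:` and read as `"$EXCLUSION"` / `process.env.EXCLUSION` instead. The same step appends the value to `config/ossindex/exclusions.txt` without any shape check, so a typo or an extra line silently widens the exclusion list — a match against the id formats already present in that file (`CVE-YYYY-NNNN…`, `sonatype-YYYY-NNNN`) before the append would catch that. `type: text` does not look like one of the documented `workflow_dispatch` input types (`string`, `choice`, `boolean`, `environment`); confirm it is accepted, otherwise use `string`. The `git push -f` onto the `run_number`-named branch is presumably intended for re-runs; a one-line comment saying so would stop it being "fixed" later.

```yaml
      - name: "Add exclusion"
        env:
          EXCLUSION: ${{ github.event.inputs.exclusion }}
        run: |
          # Only id shapes already used in exclusions.txt are accepted; the value is never shell-expanded.
          echo "$EXCLUSION" | grep -Eq '^(CVE-[0-9]{4}-[0-9]{4,}|sonatype-[0-9]{4}-[0-9]{4,})$'
          echo "$EXCLUSION" >> config/ossindex/exclusions.txt
      # … unchanged: "git branch" step (same env block; use "$EXCLUSION" in the commit message) …
      - uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e # tag=v6.0.0
        env:
          EXCLUSION: ${{ github.event.inputs.exclusion }}
        with:
          github-token: ${{ secrets.PUBLISH_KEY }}
          script: |
            github.rest.pulls.create({
              // … unchanged: owner, repo, head, base …
              title: `Excluding vulnerability ${process.env.EXCLUSION} {patch}`
            });
```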
@@ -11,6 +11,7 @@ on:
 - 'gradle/libs.versions.toml'
 - 'gradle/verification-metadata.xml'
 - 'gradle/wrapper/gradle-wrapper.properties'
+ - 'config/ossindex/exclusions.txt'
 permissions: read-all
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index d063cae9..11ff8245 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -25,6 +25,7 @@ on:
 - 'gradle/libs.versions.toml'
 - 'gradle/verification-metadata.xml'
 - 'gradle/wrapper/gradle-wrapper.properties'
+ - 'config/ossindex/exclusions.txt'
 permissions: read-all
diff --git a/.lift.toml b/.lift.toml
index 5fd94793..301d0f7e 100644
--- a/.lift.toml
+++ b/.lift.toml
@@ -10,7 +10,7 @@ build = "./gradlew build -x test"
 # ignoreFiles =
 ## tools =
-tools = ["infer", "findsecbugs", "open source vulnerabilities", "bill of materials"]
+tools = ["infer", "findsecbugs"]
 # disableTools =
 disableTools = ["errorprone"]
diff --git a/build.gradle b/build.gradle
index 3b2e554d..179640e5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -6,6 +6,8 @@ plugins {
 group = 'com.github.nagyesta.abort-mission'
+apply from: "config/ossindex/ossIndexAudit.gradle"
+
 project.ext {
 gitToken = project.hasProperty('githubToken') ? (project.property('githubToken') as String) : ''
 gitUser = project.hasProperty('githubUser') ? (project.property('githubUser') as String) : ''
@@ -13,7 +15,6 @@ project.ext {
 ossrhPass = project.hasProperty('ossrhPassword') ? (project.property('ossrhPassword') as String) : ''
 ossIndexUser = project.hasProperty('ossIndexUsername') ? (project.property('ossIndexUsername') as String) : ''
 ossIndexPass = project.hasProperty('ossIndexPassword') ? (project.property('ossIndexPassword') as String) : ''
- ossIndexExclusions = ["CVE-2016-1000027", "CVE-2018-14335", "sonatype-2020-1324", "sonatype-2018-0863", "CVE-2022-38752"]
 repoUrl = 'https://github.com/nagyesta/abort-mission'
 licenseName = 'MIT License'
 licenseUrl = 'https://raw.githubusercontent.com/nagyesta/abort-mission/main/LICENSE'
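Review bot: Removing `"open source vulnerabilities"` and `"bill of materials"` from Lift's `tools` list drops two of its security checks with no recorded reason; the commit message only says "Fixes Lift ... configs", which does not tell a later reader whether these tools were broken or are now redundant. If the intent is that the OSS Index audit wired in by `config/ossindex/ossIndexAudit.gradle` in this same change is the replacement for dependency scanning, say so next to the line, e.g. `# dependency vulnerabilities are covered by the OSS Index Gradle audit (config/ossindex/ossIndexAudit.gradle)`, so nobody assumes SCA was silently switched off or re-enables a second scanner with a conflicting exclusion list.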
diff --git a/config/ossindex/exclusions.txt b/config/ossindex/exclusions.txt
new file mode 100644
index 00000000..0d36bef2
--- /dev/null
+++ b/config/ossindex/exclusions.txt
@@ -0,0 +1,6 @@
+CVE-2016-1000027
+CVE-2018-14335
+sonatype-2020-1324
+sonatype-2018-0863
+CVE-2022-38752
+CVE-2022-42003
diff --git a/config/ossindex/ossIndexAudit.gradle b/config/ossindex/ossIndexAudit.gradle
new file mode 100644
index 00000000..bb25bd95
--- /dev/null
+++ b/config/ossindex/ossIndexAudit.gradle
@@ -0,0 +1,10 @@
+def readExclusions() {
+ return rootProject.file("config/ossindex/exclusions.txt").readLines()
+ .stream()
+ .filter(s -> !s.isBlank())
+ .toArray()
+}
+
+project.ext {
+ ossIndexExclusions = readExclusions()
+}
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index bdd9e75f..b07ce47d 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -6,6 +6,7 @@ thymeleaf = "3.0.15.RELEASE"
 thymeleafExtrasTime = "3.0.4.RELEASE"
 logback = "1.2.11"
 jsonSchemaValidator = "1.0.73"
+jackson = "2.13.4"
 gson = "2.9.1"
 slf4j = "1.7.36"
 h2 = "2.1.214"
@@ -47,6 +48,7 @@ logback-core = { module = "ch.qos.logback:logback-core", version.ref = "logback"
 gson = { module = "com.google.code.gson:gson", version.ref = "gson" }
 json-schema-validator = { module = "com.networknt:json-schema-validator", version.ref = "jsonSchemaValidator" }
+jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version.ref = "jackson" }
 slf4j-api = { module = "org.slf4j:slf4j-api", version.ref = "slf4j" }
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index b43bb2a4..7a7a819d 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -95,11 +95,6 @@ - - - - -
@@ -145,31 +140,16 @@ - - - - - - - - - - - - - - -
diff --git a/mission-report/flight-evaluation-report/build.gradle b/mission-report/flight-evaluation-report/build.gradle
index 75c2f994..cf4bf007 100644
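Review bot: `readExclusions()` passes every non-blank line of `exclusions.txt` through verbatim, so a trailing space turns an id into one that never matches, and there is no way to put a rationale next to an entry — the new file lists six ids, including `CVE-2022-42003` added in the same change that pins `jackson = "2.13.4"`, with nothing recording why each is considered a false positive or when it should be revisited. Trimming each line and stripping `#` comments lets every id carry a `# reason / revisit-by` note without breaking the audit; `readLines()` should also name the charset rather than use the platform default. `.toArray()` yields an `Object[]` whereas the `ossIndexExclusions` literal removed from `build.gradle` was a `List<String>`; presumably the audit configuration accepts both, but returning a list keeps the property's type unchanged. The workflow that appends ids to this file should tolerate the comment syntax (it only ever appends a bare id, so it does today).

```groovy
def readExclusions() {
    // One vulnerability id per line. Blank lines are ignored and anything after '#' is a
    // comment, so each exclusion can record why it is a false positive and when to revisit it.
    return rootProject.file("config/ossindex/exclusions.txt")
            .readLines("UTF-8")
            .collect { it.replaceFirst(/#.*$/, '').trim() }
            .findAll { !it.isEmpty() }
}
// … unchanged: project.ext { ossIndexExclusions = readExclusions() } …
```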
--- a/mission-report/flight-evaluation-report/build.gradle
+++ b/mission-report/flight-evaluation-report/build.gradle
@@ -14,6 +14,7 @@ project.ext {
 dependencies {
 implementation libs.json.schema.validator
+ implementation libs.jackson.databind
 implementation libs.thymeleaf
 implementation libs.thymeleaf.extras.java8time
 implementation libs.bundles.logback
diff --git a/renovate.json b/renovate.json
index af394f39..6f5305fb 100644
--- a/renovate.json
+++ b/renovate.json
@@ -8,6 +8,8 @@ ],
 "assigneesSampleSize": 1,
 "commitMessageSuffix": "{patch}",
+ "separateMajorMinor" : true,
+ "separateMinorPatch" : true,
 "github-actions": {
 "pinDigests": true
 },
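Review bot: `implementation libs.jackson.databind` declares a direct dependency on a library this module appears to use only transitively through `json-schema-validator`, and nothing on the line says why it is there; given that the same change introduces `jackson = "2.13.4"` in the version catalog and adds `CVE-2022-42003` to the exclusions, it reads like a transitive-version override rather than a new API use. If that is the intent, a constraint says so and keeps Jackson out of the module's declared API, e.g. `constraints { implementation(libs.jackson.databind) { because 'raise transitive jackson-databind from json-schema-validator' } }`. If the module does call Jackson directly, a short comment on the line would settle the question at the next dependency cleanup. The `dependencies` block continues outside the hunk.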