From e58a7f3b7edd6ed63a9ae24a6c6ccb9d93cd23e4 Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Thu, 29 Oct 2020 17:14:06 -0400 Subject: [PATCH 01/14] adding ShiftLeft action workflow config --- .github/workflows/shiftleft.yml | 58 +++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .github/workflows/shiftleft.yml diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 000000000..29b9af0a8 --- /dev/null +++ b/.github/workflows/shiftleft.yml 
@@ -0,0 +1,58 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v1.3.0 + with: + java-version: 11.0.x + - name: Package with maven + run: mvn compile package + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --wait --app shiftleft-java-demo --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/hello-shiftleft-0.0.1.jar + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + Build-Rules: + runs-on: ubuntu-latest + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v2 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Validate Build Rules + run: ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \ + --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ + --report \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + \ No newline at end of file 
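Review bot: Both `Download ShiftLeft CLI` steps fetch the `sl` binary with `curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl` with no `--fail` and no integrity check, and the file is then executed with `SHIFTLEFT_ACCESS_TOKEN` (and, in `Build-Rules`, `GITHUB_TOKEN`) in its environment, so an HTTP error body or a tampered download is neither detected nor blocked. At minimum change the download to `curl --fail --silent --show-error https://cdn.shiftleft.io/download/sl -o "${GITHUB_WORKSPACE}/sl"` and verify it with `sha256sum -c` against a checksum recorded in the repository (placeholder: `<EXPECTED_SHA256>`) before the `chmod`. Separately, `Build-Rules` reads `steps.extract_branch.outputs.branch`, but `extract_branch` is a step of `NextGen-Static-Analysis`; a value from another job has to be exported through a job-level `outputs:` there and read as `needs.NextGen-Static-Analysis.outputs.branch`, otherwise `--branch` is empty on `workflow_dispatch` runs. The two `Setup Java JDK` steps also pin `actions/setup-java` at different versions (`v1.3.0` and `v1.4.3`) for no visible reason.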
From 708bad6c6b237c6a89c7caab3aa2bedfc6e0939c Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Thu, 29 Oct 2020 17:14:07 -0400 Subject: [PATCH 02/14] adding ShiftLeft action workflow config --- shiftleft.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 shiftleft.yml diff --git a/shiftleft.yml b/shiftleft.yml new file mode 100644 index 000000000..e66f8c693 --- /dev/null +++ b/shiftleft.yml @@ -0,0 +1,11 @@ +build_rules: + - id: allow-zero-findings + finding_types: + - vuln + - secret + - insight + severity: + - SEVERITY_MEDIUM_IMPACT + - SEVERITY_HIGH_IMPACT + - SEVERITY_LOW_IMPACT + threshold: 0 \ No newline at end of file From a2eda2eef5bbb7302255e02424fcbbe7151a4965 Mon Sep 17 00:00:00 2001 From: Curtis Yanko Date: Thu, 29 Oct 2020 23:44:51 -0400 Subject: [PATCH 03/14] Added Jenkinsfile --- Jenkinsfile | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 Jenkinsfile diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 000000000..0723d9393 --- /dev/null +++ b/Jenkinsfile @@ -0,0 +1,11 @@ +pipeline { + agent any + stages { + stage('MVN Build') { + steps { + sh 'mvn clean package' + } + } + + } +} \ No newline at end of file From d513fb7f729157256f0d49e9454be32c092652aa Mon Sep 17 00:00:00 2001 From: Curtis Yanko Date: Thu, 29 Oct 2020 23:50:38 -0400 Subject: [PATCH 04/14] Added Jenkinsfile --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 0723d9393..3959a1cf3 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -3,7 +3,7 @@ pipeline { stages { stage('MVN Build') { steps { - sh 'mvn clean package' + sh './mvn clean package' } } From ff503b07e0a4b9639bde895815269904a591de44 Mon Sep 17 00:00:00 2001 From: Curtis Yanko Date: Thu, 29 Oct 2020 23:58:35 -0400 Subject: [PATCH 05/14] Update Jenkinsfile --- Jenkinsfile | 65 +++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 56 insertions(+), 9 deletions(-) 
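Review bot: `sh './mvn clean package'` invokes an executable named `mvn` in the workspace root, but no such file is added anywhere in this series; the Maven wrapper script is conventionally `./mvnw` (which the rewrite in d513fb7's successor e-mail, ff503b0, does use), and the `./mvn` / `mvn` form comes back in the `@@ -24,11 +24,11 @@` hunk of 9ede70e. Unless the repository ships a `mvn` script at its root, this step fails with command-not-found. Once `mvnHome = tool 'M3'` is enabled in 46a293d, the configured tool can be called explicitly with `sh "${mvnHome}/bin/mvn -B clean package"`, which also removes the dependence on the agent's `PATH`.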
diff --git a/Jenkinsfile b/Jenkinsfile index 3959a1cf3..d03e679d7 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,11 +1,58 @@ -pipeline { - agent any - stages { - stage('MVN Build') { - steps { - sh './mvn clean package' +import groovy.json.* + +node () { + def mvnHome, commitId + + stage('Preparation') { // for display purposes + // Get some code from a GitHub repository + // git 'git@github.com:CMYanko/struts2-showcase-demo.git' + checkout scm + + + // Get the Maven tool. + // ** NOTE: This 'M3' Maven tool must be configured + // ** in the global configuration. + // mvnHome = tool 'M3' + + // sh 'git rev-parse HEAD > commit' + // commitId = readFile('commit').trim() + // sh "echo my commitid ${commitId}" + + } + stage('Build') { + // Run the maven build + try{ + if (isUnix()) { + configFileProvider([configFile(fileId: 'f8c43603-b756-4195-9207-e327bb4e0ccc', variable: 'MY_SETTINGS_XML')]) { + sh "./mvnw -B clean package" + } + + } else { + bat(/mvnw.cmd -B clean package/) + } + + currentBuild.result = 'SUCCESS' + + }catch(Exception err){ + currentBuild.result = 'FAILURE' + } - } - } -} \ No newline at end of file + sh "echo current build status ${currentBuild.result}" + /* + if (currentBuild.result == 'FAILURE') { + postGitHub(commitId, 'failure', 'build', 'Build failed') + return + } else { + postGitHub(commitId, 'success', 'build', 'Build succeeded') + } */ + + } + + stage('SLAnalyze') { + dir("") { + sh '/usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-*.jar' + } + } + +} From 46a293db6f605e99c7e3505d06aadbc11ae747ea Mon Sep 17 00:00:00 2001 From: Curtis Yanko Date: Fri, 30 Oct 2020 00:00:13 -0400 Subject: [PATCH 06/14] Update Jenkinsfile --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index d03e679d7..0bf75d76f 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
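Review bot: The `catch(Exception err)` in the `Build` stage sets `currentBuild.result = 'FAILURE'` but discards `err` and lets the pipeline continue into `SLAnalyze`, which then runs `sl analyze` against a `target/hello-shiftleft-*.jar` that was never produced, so a broken build surfaces only as a confusing analysis error. Log the cause and stop the run there: `echo "build failed: ${err}"` followed by `throw err` (or `error "build failed: ${err}"`). The `configFileProvider` wrapper also exposes `MY_SETTINGS_XML` but the Maven invocation never passes it, so the managed settings file is unused; the intended form is `sh './mvnw -B -s "$MY_SETTINGS_XML" clean package'`, with single quotes so the shell rather than Groovy expands the variable. `dir("")` with an empty path in `SLAnalyze` is a no-op wrapper and reads like a leftover.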
@@ -12,7 +12,7 @@ node () { // Get the Maven tool. // ** NOTE: This 'M3' Maven tool must be configured // ** in the global configuration. - // mvnHome = tool 'M3' + mvnHome = tool 'M3' // sh 'git rev-parse HEAD > commit' // commitId = readFile('commit').trim() From 9ede70e2a91fdc362e9b4181c0a6addb05794818 Mon Sep 17 00:00:00 2001 From: Curtis Yanko Date: Fri, 30 Oct 2020 00:04:53 -0400 Subject: [PATCH 07/14] Update Jenkinsfile --- Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 0bf75d76f..a682c8f73 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -24,11 +24,11 @@ node () { try{ if (isUnix()) { configFileProvider([configFile(fileId: 'f8c43603-b756-4195-9207-e327bb4e0ccc', variable: 'MY_SETTINGS_XML')]) { - sh "./mvnw -B clean package" + sh "./mvn -B clean package" } } else { - bat(/mvnw.cmd -B clean package/) + bat(/mvn -B clean package/) } currentBuild.result = 'SUCCESS' From 28929a2533abce09ed830bcebfdef233886db6e4 Mon Sep 17 00:00:00 2001 From: Curtis Yanko Date: Fri, 30 Oct 2020 00:08:14 -0400 Subject: [PATCH 08/14] Update Jenkinsfile --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index a682c8f73..213ea3613 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -50,7 +50,7 @@ node () { } stage('SLAnalyze') { - dir("") { + { sh '/usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-*.jar' } } From f92a45afd0447adce528102e2f08ff5acd0f8d50 Mon Sep 17 00:00:00 2001 From: Curtis Yanko Date: Fri, 30 Oct 2020 00:22:43 -0400 Subject: [PATCH 09/14] Update Jenkinsfile --- Jenkinsfile | 144 ++++++++++++++++++++++++++++++++-------------------- 1 file changed, 88 insertions(+), 56 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 213ea3613..def4de0cd 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
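Review bot: Replacing `dir("")` with a bare `{` leaves `stage('SLAnalyze') { { sh '...' } }`, and Groovy parses a free-standing `{ ... }` as a closure literal that is never invoked, so the `sl analyze` command would most likely never run even though the stage reports success. If the directory wrapper is not needed, drop both the `{` and its matching `}` and leave `sh '/usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-*.jar'` directly inside the stage. The enclosing `node` block starts outside the hunk.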
@@ -1,58 +1,90 @@ -import groovy.json.* - -node () { - def mvnHome, commitId - - stage('Preparation') { // for display purposes - // Get some code from a GitHub repository - // git 'git@github.com:CMYanko/struts2-showcase-demo.git' - checkout scm - - - // Get the Maven tool. - // ** NOTE: This 'M3' Maven tool must be configured - // ** in the global configuration. - mvnHome = tool 'M3' - - // sh 'git rev-parse HEAD > commit' - // commitId = readFile('commit').trim() - // sh "echo my commitid ${commitId}" - - } - stage('Build') { - // Run the maven build - try{ - if (isUnix()) { - configFileProvider([configFile(fileId: 'f8c43603-b756-4195-9207-e327bb4e0ccc', variable: 'MY_SETTINGS_XML')]) { - sh "./mvn -B clean package" +pipeline { + agent any + stages { + stage('Build') { + steps { + sh ''' + echo "PATH = ${PATH}" + echo "M2_HOME = ${M2_HOME}" + mvn clean package -B + ''' + } + post { + always { + junit '**/target/surefire-reports/**/*.xml' + + } + + } + } + stage('Scan App - Build Container') { + parallel { + stage('IQ-BOM') { + steps { + nexusPolicyEvaluation(iqApplication: 'sljavademo', iqStage: 'build', iqScanPatterns: [[scanPattern: '']]) + } + } + stage('Static Analysis') { + steps { + sh '/usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-*.jar' } - - } else { - bat(/mvn -B clean package/) - } - - currentBuild.result = 'SUCCESS' - - }catch(Exception err){ - currentBuild.result = 'FAILURE' - - } - - sh "echo current build status ${currentBuild.result}" - /* - if (currentBuild.result == 'FAILURE') { - postGitHub(commitId, 'failure', 'build', 'Build failed') - return - } else { - postGitHub(commitId, 'success', 'build', 'Build succeeded') - } */ - - } - - stage('SLAnalyze') { - { - sh '/usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-*.jar' - } - } - + } + stage('Build Container') { + steps { + echo '...need to learn the build process first' + } + } + } + } + stage('Test Container') { + steps { + echo 
'...run container and test it' + } + post { + success { + echo '...the Test Scan Passed!' + + } + + failure { + echo '...the Test FAILED' + error '...the Container Test FAILED' + + } + + } + } + stage('Scan Container') { + steps { + echo '...TODO scan container' + } + post { + success { + echo '...the IQ Scan PASSED' + postGitHub(commitId, 'success', 'analysis', 'Nexus Lifecycle Container Analysis succeeded', "${policyEvaluationResult.applicationCompositionReportUrl}") + + } + + failure { + echo '...the IQ Scan FAILED' + postGitHub(commitId, 'failure', 'analysis', 'Nexus Lifecycle Containe Analysis failed', "${policyEvaluationResult.applicationCompositionReportUrl}") + error '...the IQ Scan FAILED' + + } + + } + } + stage('Publish Container') { + when { + branch 'master' + } + steps { + echo '...figure out container' + } + } + } + tools { + jdk 'jdk8' + maven 'M3' + } } From ecbbff8df720774e1c3eecb6208ca43ffee972b6 Mon Sep 17 00:00:00 2001 From: Curtis Yanko Date: Fri, 30 Oct 2020 13:04:11 -0400 Subject: [PATCH 10/14] Update Jenkinsfile --- Jenkinsfile | 7 ------- 1 file changed, 7 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index def4de0cd..b7aeb3548 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -9,13 +9,6 @@ pipeline { mvn clean package -B ''' } - post { - always { - junit '**/target/surefire-reports/**/*.xml' - - } - - } } stage('Scan App - Build Container') { parallel { From 10051d8768feaf772c7389c0bc60eadb7148e018 Mon Sep 17 00:00:00 2001 From: Curtis Yanko Date: Fri, 30 Oct 2020 13:06:34 -0400 Subject: [PATCH 11/14] renamed step --- Jenkinsfile | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index b7aeb3548..223848af9 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -10,6 +10,7 @@ pipeline { ''' } } + stage('Scan App - Build Container') { parallel { stage('IQ-BOM') { 
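Review bot: The `post` handlers of `Scan Container` call `postGitHub(commitId, ..., "${policyEvaluationResult.applicationCompositionReportUrl}")`, yet this same hunk removes the `def mvnHome, commitId` declaration, `policyEvaluationResult` is never assigned (the return value of `nexusPolicyEvaluation(...)` in `IQ-BOM` is discarded), and no `postGitHub` definition is visible in the series, so those handlers will most likely fail with a missing-property error instead of reporting the scan outcome. Capturing the result in declarative syntax needs a `script { }` block in `IQ-BOM`, e.g. `script { policyEvaluationResult = nexusPolicyEvaluation(iqApplication: 'sljavademo', iqStage: 'build', iqScanPatterns: [[scanPattern: '']]) }`, and `commitId` can be taken from `env.GIT_COMMIT` once the checkout has run. The same handlers are carried unchanged into the `@@ -17,56 +18,58 @@` hunk of 10051d8. Also note `iqScanPatterns: [[scanPattern: '']]` passes an empty scan pattern, and the failure message reads 'Nexus Lifecycle Containe Analysis failed'.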
@@ -17,56 +18,58 @@ pipeline { nexusPolicyEvaluation(iqApplication: 'sljavademo', iqStage: 'build', iqScanPatterns: [[scanPattern: '']]) } } - stage('Static Analysis') { + + stage('Shiftleft Analyze') { steps { sh '/usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-*.jar' } } + stage('Build Container') { steps { echo '...need to learn the build process first' } } + } } + stage('Test Container') { - steps { - echo '...run container and test it' - } post { success { echo '...the Test Scan Passed!' - } failure { echo '...the Test FAILED' error '...the Container Test FAILED' - } } - } - stage('Scan Container') { steps { - echo '...TODO scan container' + echo '...run container and test it' } + } + + stage('Scan Container') { post { success { echo '...the IQ Scan PASSED' postGitHub(commitId, 'success', 'analysis', 'Nexus Lifecycle Container Analysis succeeded', "${policyEvaluationResult.applicationCompositionReportUrl}") - } failure { echo '...the IQ Scan FAILED' postGitHub(commitId, 'failure', 'analysis', 'Nexus Lifecycle Containe Analysis failed', "${policyEvaluationResult.applicationCompositionReportUrl}") error '...the IQ Scan FAILED' - } } + steps { + echo '...TODO scan container' + } } + stage('Publish Container') { when { branch 'master' @@ -75,9 +78,10 @@ pipeline { echo '...figure out container' } } + } tools { jdk 'jdk8' maven 'M3' } -} +} \ No newline at end of file From 8fe99901f32f9a1d2f4fd18498ac0b1268c0da25 Mon Sep 17 00:00:00 2001 From: CMYanko Date: Mon, 2 Nov 2020 08:25:00 -0500 Subject: [PATCH 12/14] updated SL setting for GH action --- .github/workflows/shiftleft.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index 29b9af0a8..824e353b2 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml 
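Review bot: In the `Test Container` and `Scan Container` stages the `post { }` block is now moved ahead of `steps { }`, which inverts the usual declarative layout where `post` closes the stage; readers scanning for what a stage does have to skip past its handlers first. Keeping `steps` first and `post` last, as the original ordering had it, would make the rename-only intent of this commit clearer. The stage names this hunk introduces (`Shiftleft Analyze`) are fine, but the trailing `@@ -75,9 +78,10 @@` hunk also drops the file's final newline.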
@@ -35,6 +35,7 @@ jobs: run: ${GITHUB_WORKSPACE}/sl analyze --wait --app shiftleft-java-demo --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/hello-shiftleft-0.0.1.jar env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} Build-Rules: runs-on: ubuntu-latest From e8ff3fc8659038801c23ccdd5e08bc893bffb34e Mon Sep 17 00:00:00 2001 From: CMYanko Date: Mon, 2 Nov 2020 08:33:02 -0500 Subject: [PATCH 13/14] relaxed coupling to target artifact --- .github/workflows/shiftleft.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index 824e353b2..545a99881 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml @@ -32,7 +32,7 @@ jobs: run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" id: extract_branch - name: NextGen Static Analysis - run: ${GITHUB_WORKSPACE}/sl analyze --wait --app shiftleft-java-demo --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/hello-shiftleft-0.0.1.jar + run: ${GITHUB_WORKSPACE}/sl analyze --wait --app shiftleft-java-demo --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/hello-shiftleft-*.jar env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} From 60aba1ea1c0df65ad2ef43c7e904f353e9c4d403 Mon Sep 17 00:00:00 2001 From: CMYanko Date: Mon, 2 Nov 2020 08:39:29 -0500 Subject: [PATCH 14/14] trying to trigger a check --- .github/workflows/shiftleft.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index 545a99881..8adeaddba 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml 
@@ -36,6 +36,13 @@ jobs: env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} + - name: Create status check + run: | + URL="https://www.shiftleft.io/violationlist/ShiftLeftJava?apps=ShiftLeftJava&isApp=1" + GH_CHECK_URL="https://api.github.com/repos/${GITHUB_REPOSITORY}/check-runs" + curl -XPOST $GH_CHECK_URL -H "Authorization: Token ${GITHUB_TOKEN}" -H "accept: application/vnd.github.antiope-preview+json" -H "Content-Type: application/json" -d "{\"name\": \"ShiftLeft NG SAST\", \"head_sha\": \"${GITHUB_REF}\", \"external_id\": \"ShiftLeftJava\", \"details_url\": \"${URL}\", \"status\": \"completed\", \"conclusion\": \"action_required\", \"output\": {\"title\": \"ShiftLeft NG SAST Findings\", \"summary\": \"Visit ${URL} for the findings\"}}" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} Build-Rules: runs-on: ubuntu-latest
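Review bot: The check-run payload in `Create status check` sets `\"head_sha\": \"${GITHUB_REF}\"`, but `GITHUB_REF` is a ref path (`refs/pull/N/merge` on `pull_request`), not a commit SHA, so the check-runs API will reject the request; it should be `\"head_sha\": \"${GITHUB_SHA}\"`. The step also runs unconditionally and always posts `\"conclusion\": \"action_required\"`, regardless of what the preceding `sl analyze` step found, so the check carries no signal until it is conditioned on the analysis result. The `curl -XPOST` has no `--fail`, so a 4xx/5xx response leaves the step green; and the `apps=ShiftLeftJava` in `URL` differs from the `--app shiftleft-java-demo` used for the analysis, which is presumably unintended. `Build-Rules` continues outside the hunk.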