Merge remote-tracking branch 'origin/rel-3.42.0' #4336
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Snyk Security Vulnerability Scan | |
on: | |
workflow_dispatch: | |
pull_request: | |
push: | |
tags: | |
- 'jenkins-[0-9]+.[0-9]+.[0-9]+.[0-9]+' | |
branches: | |
- 'master' | |
- 'rel-*' | |
permissions: | |
contents: read | |
jobs: | |
snyk_scan_test: | |
if: ${{ github.event_name == 'pull_request' }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@master | |
with: | |
fetch-depth: 0 # To fetch all commits history on branch (Refer: https://github.com/tj-actions/changed-files#usage) | |
- name: Check changed Deps files | |
uses: tj-actions/changed-files@v35 | |
id: changed-files | |
with: | |
files: | # This will match all the files with below patterns | |
**/build.gradle | |
**/requirements.txt | |
**/package.json | |
- uses: snyk/actions/setup@master | |
- uses: actions/setup-java@v3 | |
with: | |
java-version: "8" | |
distribution: 'adopt' | |
- name: Snyk scan for Java dependencies | |
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'build.gradle') | |
id: scan1 | |
continue-on-error: true | |
run: | | |
unset CI # By default GH actions will set it to true. Therefore it will affect isCi flag in build.gradle (line #7) | |
snyk test \ | |
--all-sub-projects \ | |
-d \ | |
--fail-on=all \ | |
--package-manager=gradle \ | |
--print-deps \ | |
--configuration-matching='^\(compile\|runtime\)' | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: "3.7" | |
- name: Snyk scan for Python 3.7 dependencies | |
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'requirements.txt') | |
id: scan2 | |
continue-on-error: true | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
run: | | |
sudo apt-get install -y libkrb5-dev | |
pip install -r h2o-py/requirements.txt | |
snyk test -d --fail-on=all --file=h2o-py/requirements.txt --package-manager=pip --command=python3 --skip-unresolved | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: '16.x' | |
- name: Snyk scan for Node dependencies | |
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'package.json') | |
id: scan3 | |
continue-on-error: true | |
run: | | |
snyk test --file=h2o-web/package.json -d --fail-on=all | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
- name: Check Snyk scan results | |
if: steps.scan1.outcome == 'failure' || steps.scan2.outcome == 'failure' || steps.scan3.outcome == 'failure' | |
shell: bash | |
run: | | |
echo "[warning] Please solve the fixable security vulnerabilities found in failed steps! | |
Snyk scan for Java dependencies - ${{ steps.scan1.outcome }} | |
Snyk scan for Python 3.7 dependencies - ${{ steps.scan2.outcome }} | |
Snyk scan for Node dependencies - ${{ steps.scan3.outcome }}" | |
exit 1 | |
snyk_scan_monitor: | |
if: ${{ github.event_name == 'push' }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@master | |
- name: Extract github branch/tag name | |
shell: bash | |
run: echo "ref=$(echo ${GITHUB_REF##*/})" >> $GITHUB_OUTPUT | |
id: extract_ref | |
- uses: snyk/actions/setup@master | |
- uses: actions/setup-java@v3 | |
with: | |
java-version: "8" | |
distribution: 'adopt' | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: "3.7" | |
- name: Snyk scan for Python 3.7 dependencies | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
run: | | |
sudo apt-get install -y libkrb5-dev | |
pip install -r h2o-py/requirements.txt | |
snyk monitor -d --fail-on=all --org=h2o-3 --file=h2o-py/requirements.txt --package-manager=pip --command=python3 --skip-unresolved --remote-repo-url=h2o-3/${{ steps.extract_ref.outputs.ref }} --project-name=H2O-3/h2o-3/${{ steps.extract_ref.outputs.ref }}/h2o-py/requirements.txt | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: '16.x' | |
- name: Snyk scan for Node dependencies | |
run: | | |
snyk monitor --org=h2o-3 --remote-repo-url=h2o-3/${{ steps.extract_ref.outputs.ref }} --file=h2o-web/package.json --project-name=H2O-3/h2o-3/${{ steps.extract_ref.outputs.ref }}/h2o-web/package.json -d | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
- name: Snyk scan for Java dependencies | |
continue-on-error: true | |
run: | | |
unset CI # By default GH actions will set it to true. Therefore it will set isCi flag in build.gradle to true (line #7) | |
export BUILD_HADOOP=true # To include all the build.gradle files to scan | |
for file in $(find . -name "build.gradle"); do | |
file=${file:2} | |
echo "" | |
echo "##### SCAN $file START #####" | |
echo "" | |
snyk monitor \ | |
--org=h2o-3 \ | |
--remote-repo-url=h2o-3/${{ steps.extract_ref.outputs.ref }} \ | |
--file=$file --project-name=H2O-3/h2o-3/${{ steps.extract_ref.outputs.ref }}/$file \ | |
-d \ | |
--skip-unresolved \ | |
--print-deps \ | |
--configuration-matching='^\(compile\|runtime\)' | |
echo "##### SCAN $file END #####" | |
done | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} |