Skip to content

Merge remote-tracking branch 'origin/rel-3.42.0' #4336

Merge remote-tracking branch 'origin/rel-3.42.0'

Merge remote-tracking branch 'origin/rel-3.42.0' #4336

Workflow file for this run

name: Snyk Security Vulnerability Scan
on:
workflow_dispatch:
pull_request:
push:
tags:
- 'jenkins-[0-9]+.[0-9]+.[0-9]+.[0-9]+'
branches:
- 'master'
- 'rel-*'
permissions:
contents: read
jobs:
snyk_scan_test:
if: ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
with:
fetch-depth: 0 # To fetch all commits history on branch (Refer: https://github.com/tj-actions/changed-files#usage)
- name: Check changed Deps files
uses: tj-actions/changed-files@v35
id: changed-files
with:
files: | # This will match all the files with below patterns
**/build.gradle
**/requirements.txt
**/package.json
- uses: snyk/actions/setup@master
- uses: actions/setup-java@v3
with:
java-version: "8"
distribution: 'adopt'
- name: Snyk scan for Java dependencies
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'build.gradle')
id: scan1
continue-on-error: true
run: |
unset CI # By default GH actions will set it to true. Therefore it will affect isCi flag in build.gradle (line #7)
snyk test \
--all-sub-projects \
-d \
--fail-on=all \
--package-manager=gradle \
--print-deps \
--configuration-matching='^\(compile\|runtime\)'
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- uses: actions/setup-python@v4
with:
python-version: "3.7"
- name: Snyk scan for Python 3.7 dependencies
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'requirements.txt')
id: scan2
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: |
sudo apt-get install -y libkrb5-dev
pip install -r h2o-py/requirements.txt
snyk test -d --fail-on=all --file=h2o-py/requirements.txt --package-manager=pip --command=python3 --skip-unresolved
- uses: actions/setup-node@v3
with:
node-version: '16.x'
- name: Snyk scan for Node dependencies
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'package.json')
id: scan3
continue-on-error: true
run: |
snyk test --file=h2o-web/package.json -d --fail-on=all
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Check Snyk scan results
if: steps.scan1.outcome == 'failure' || steps.scan2.outcome == 'failure' || steps.scan3.outcome == 'failure'
shell: bash
run: |
echo "[warning] Please solve the fixable security vulnerabilities found in failed steps!
Snyk scan for Java dependencies - ${{ steps.scan1.outcome }}
Snyk scan for Python 3.7 dependencies - ${{ steps.scan2.outcome }}
Snyk scan for Node dependencies - ${{ steps.scan3.outcome }}"
exit 1
snyk_scan_monitor:
if: ${{ github.event_name == 'push' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Extract github branch/tag name
shell: bash
run: echo "ref=$(echo ${GITHUB_REF##*/})" >> $GITHUB_OUTPUT
id: extract_ref
- uses: snyk/actions/setup@master
- uses: actions/setup-java@v3
with:
java-version: "8"
distribution: 'adopt'
- uses: actions/setup-python@v4
with:
python-version: "3.7"
- name: Snyk scan for Python 3.7 dependencies
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: |
sudo apt-get install -y libkrb5-dev
pip install -r h2o-py/requirements.txt
snyk monitor -d --fail-on=all --org=h2o-3 --file=h2o-py/requirements.txt --package-manager=pip --command=python3 --skip-unresolved --remote-repo-url=h2o-3/${{ steps.extract_ref.outputs.ref }} --project-name=H2O-3/h2o-3/${{ steps.extract_ref.outputs.ref }}/h2o-py/requirements.txt
- uses: actions/setup-node@v3
with:
node-version: '16.x'
- name: Snyk scan for Node dependencies
run: |
snyk monitor --org=h2o-3 --remote-repo-url=h2o-3/${{ steps.extract_ref.outputs.ref }} --file=h2o-web/package.json --project-name=H2O-3/h2o-3/${{ steps.extract_ref.outputs.ref }}/h2o-web/package.json -d
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Snyk scan for Java dependencies
continue-on-error: true
run: |
unset CI # By default GH actions will set it to true. Therefore it will set isCi flag in build.gradle to true (line #7)
export BUILD_HADOOP=true # To include all the build.gradle files to scan
for file in $(find . -name "build.gradle"); do
file=${file:2}
echo ""
echo "##### SCAN $file START #####"
echo ""
snyk monitor \
--org=h2o-3 \
--remote-repo-url=h2o-3/${{ steps.extract_ref.outputs.ref }} \
--file=$file --project-name=H2O-3/h2o-3/${{ steps.extract_ref.outputs.ref }}/$file \
-d \
--skip-unresolved \
--print-deps \
--configuration-matching='^\(compile\|runtime\)'
echo "##### SCAN $file END #####"
done
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}