From a35b10e4970e0969d0cad5af0b80770129d322ba Mon Sep 17 00:00:00 2001
From: Gerald Morrison
Date: Fri, 21 Feb 2025 13:07:10 +0100
Subject: [PATCH 01/14] adopt exclusion annotions for gosec
---
 api/v1alpha1/constants.go | 2 +-
 test/utils/utils.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/api/v1alpha1/constants.go b/api/v1alpha1/constants.go
index 45891aa8..2f038541 100644
--- a/api/v1alpha1/constants.go
+++ b/api/v1alpha1/constants.go
@@ -19,7 +19,7 @@ package v1alpha1
 // Ocm credential config key for secrets.
 const (
 // OCMCredentialConfigKey defines the secret key to look for in case a user provides an ocm credential config.
- OCMCredentialConfigKey = ".ocmcredentialconfig" //nolint:gosec // it isn't a cred
+ OCMCredentialConfigKey = ".ocmcredentialconfig" // #nosec G101 -- it isn't a credential
 // OCMConfigKey defines the secret or configmap key to look for in case a user provides an ocm config.
 OCMConfigKey = ".ocmconfig"
 // OCMLabelDowngradable defines the secret.
diff --git a/test/utils/utils.go b/test/utils/utils.go
index 18462b2d..bcdb0d09 100644
--- a/test/utils/utils.go
+++ b/test/utils/utils.go
@@ -236,7 +236,7 @@ func CheckOCMComponent(componentReference, ocmConfigPath string, options ...stri
 }
 c = append(c, componentReference)
- cmd := exec.Command(c[0], c[1:]...) //nolint:gosec // The argument list is constructed right above.
+ cmd := exec.Command(c[0], c[1:]...) // #nosec G204 -- The argument list is constructed right above.
 if _, err := utils.Run(cmd); err != nil {
 return err
 }
@@ -255,7 +255,7 @@ func GetOCMResourceImageRef(componentReference, resourceName, ocmConfigPath stri } c = append(c, "get", "resources", componentReference, resourceName, "-oJSON") // -oJSON is used to get the output in JSON format. - cmd := exec.Command(c[0], c[1:]...) //nolint:gosec // The argument list is constructed right above. + cmd := exec.Command(c[0], c[1:]...) // #nosec G204 -- The argument list is constructed right above. output, err := utils.Run(cmd) if err != nil { return "", err From 99e514cfcc97331159c2e43e909b977c42be2b73 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Fri, 21 Feb 2025 13:10:50 +0100 Subject: [PATCH 02/14] add permission to workflow --- .github/workflows/diff-check-and-lint.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/diff-check-and-lint.yaml b/.github/workflows/diff-check-and-lint.yaml index 85820965..83ebd831 100644 --- a/.github/workflows/diff-check-and-lint.yaml +++ b/.github/workflows/diff-check-and-lint.yaml @@ -3,6 +3,10 @@ name: Check for diff after manifest and generated targets on: pull_request: {} +permissions: + contents: read + pull-requests: write + jobs: diff-check-manifests: name: Check for diff From 1351ef17459d7ef46108813d164f5627ec8af461 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Mon, 24 Feb 2025 11:05:31 +0100 Subject: [PATCH 03/14] change annoations and remove gosec from codeql --- .github/workflows/codeql.yml | 18 +++++++++--------- api/v1alpha1/constants.go | 2 +- test/utils/utils.go | 4 ++-- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8b23984b..2c4af070 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
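Review bot: `pull-requests: write` is added at workflow level, so every job in this file receives a token that can modify pull requests rather than only the job that posts to them; which job needs it is outside the hunk. Keep the top-level block at `contents: read` and move `pull-requests: write` into that one job's own `permissions:` block. On `pull_request` events from forks the token is read-only regardless of this grant, so any step that depends on the write scope will fail for fork PRs; a comment on the grant such as `# needed to comment on the PR; not effective for fork PRs` would save the next reader the surprise.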
@@ -93,12 +93,12 @@ jobs: with: category: "/language:${{matrix.language}}" - gosec: - permissions: - # Required to upload SARIF files - security-events: write - # only required for workflows in private repositories - contents: read - # call reusable workflow from central '.github' repo - uses: open-component-model/.github/.github/workflows/code-scan.yml@main - secrets: inherit + # gosec: + # permissions: + # # Required to upload SARIF files + # security-events: write + # # only required for workflows in private repositories + # contents: read + # # call reusable workflow from central '.github' repo + # uses: open-component-model/.github/.github/workflows/code-scan.yml@main + # secrets: inherit diff --git a/api/v1alpha1/constants.go b/api/v1alpha1/constants.go index 2f038541..23cba631 100644 --- a/api/v1alpha1/constants.go +++ b/api/v1alpha1/constants.go @@ -19,7 +19,7 @@ package v1alpha1 // Ocm credential config key for secrets. const ( // OCMCredentialConfigKey defines the secret key to look for in case a user provides an ocm credential config. - OCMCredentialConfigKey = ".ocmcredentialconfig" // #nosec G101 -- it isn't a credential + OCMCredentialConfigKey = ".ocmcredentialconfig" // nolint:gosec // G101 -- it isn't a credential // OCMConfigKey defines the secret or configmap key to look for in case a user provides an ocm config. OCMConfigKey = ".ocmconfig" // OCMLabelDowngradable defines the secret. diff --git a/test/utils/utils.go b/test/utils/utils.go index bcdb0d09..e6dc7341 100644 --- a/test/utils/utils.go +++ b/test/utils/utils.go @@ -236,7 +236,7 @@ func CheckOCMComponent(componentReference, ocmConfigPath string, options ...stri } c = append(c, componentReference) - cmd := exec.Command(c[0], c[1:]...) // #nosec G204 -- The argument list is constructed right above. + cmd := exec.Command(c[0], c[1:]...) // nolint:gosec // G204 -- The argument list is constructed right above. if _, err := utils.Run(cmd); err != nil { return err } 
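Review bot: The `gosec` job in `codeql.yml` is commented out instead of deleted, leaving nine lines of dead YAML that git history already preserves and that will silently drift from the reusable `code-scan.yml` it points at. Delete the block, or replace it with one line recording where gosec now runs, e.g. `# gosec no longer runs from this workflow; its findings are not uploaded to code scanning any more` — the same commit switches source annotations to `//nolint:gosec`, which suggests golangci-lint now carries gosec, but that is not visible here. Since the removed job was the one holding `security-events: write` for the SARIF upload, gosec results stop appearing as code-scanning alerts; the commit message should state that consequence.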
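Review bot: `// nolint:gosec // G204 -- ...` puts a space between `//` and `nolint`; golangci-lint's nolintlint rejects that form and, depending on version, the directive is not honored at all, so the G204 finding resurfaces on this line and on the identical line in the `GetOCMResourceImageRef` hunk that follows on the next line. The later `correct nolint` commit in this series fixes only `constants.go`, so both `utils.go` sites keep the spaced form. Change each to `//nolint:gosec // G204 -- argv is assembled above and exec.Command passes it without a shell`, which also states the actual reason the finding is a false positive: the hunk header shows `componentReference` is a parameter, so "constructed right above" is only half the story, and what makes it safe is that the pieces reach the command as discrete arguments. `CheckOCMComponent` begins outside the hunk.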
@@ -255,7 +255,7 @@ func GetOCMResourceImageRef(componentReference, resourceName, ocmConfigPath stri } c = append(c, "get", "resources", componentReference, resourceName, "-oJSON") // -oJSON is used to get the output in JSON format. - cmd := exec.Command(c[0], c[1:]...) // #nosec G204 -- The argument list is constructed right above. + cmd := exec.Command(c[0], c[1:]...) // nolint:gosec // G204 -- The argument list is constructed right above. output, err := utils.Run(cmd) if err != nil { return "", err From 27db9aa15d000cd8e2f03b3e3421711df7a684b1 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Mon, 24 Feb 2025 11:40:55 +0100 Subject: [PATCH 04/14] move templates to .github repo --- .github/ISSUE_TEMPLATE/bug_report.md | 33 ----------------------- .github/ISSUE_TEMPLATE/custom.md | 8 ------ .github/ISSUE_TEMPLATE/feature_request.md | 20 -------------- .github/PULL_REQUEST_TEMPLATE.md | 7 ----- 4 files changed, 68 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/custom.md delete mode 100644 .github/ISSUE_TEMPLATE/feature_request.md delete mode 100644 .github/PULL_REQUEST_TEMPLATE.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index d84afb42..00000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -name: Bug report -about: Create a report to help us improve -title: "[BUG] ---" -labels: kind/bugfix -assignees: '' - ---- - -**Describe the bug** -A clear and concise description of what the bug is. - -**To Reproduce** -Steps to reproduce the behavior: - -1. Go to '...' -2. Click on '....' -3. Scroll down to '....' -4. See error - -**Expected behavior** -A clear and concise description of what you expected to happen. - -**Screenshots** -If applicable, add screenshots to help explain your problem. - -**Desktop (please complete the following information):** - -- OS: [e.g. iOS] -- Version [e.g. 22] - -**Additional context** -Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/custom.md b/.github/ISSUE_TEMPLATE/custom.md deleted file mode 100644 index b9f8e5a7..00000000 --- a/.github/ISSUE_TEMPLATE/custom.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: Custom issue template -about: Describe this issue template's purpose here. -title: '' -labels: kind/chore -assignees: '' - ---- diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md deleted file mode 100644 index d681cbf0..00000000 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project -title: '' -labels: kind/feature -assignees: '' - ---- - -**Is your feature request related to a problem? Please describe.** -A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] - -**Describe the solution you'd like** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Additional context** -Add any other context or screenshots about the feature request here. 
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index d9fe330b..00000000 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ /dev/null @@ -1,7 +0,0 @@ - -#### What this PR does / why we need it - -#### Which issue(s) this PR fixes - From da07b719e3f6f6624f732f1e7b848d7081b46c3f Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Mon, 24 Feb 2025 14:34:21 +0100 Subject: [PATCH 05/14] remove mend --- .github/workflows/blackduck_scan.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index d812367a..441c5b75 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -1,9 +1,9 @@ name: Blackduck SCA Scan on: - #push: - # branches: [ "main" ] - #pull_request: - # branches: [ "main" ] + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] schedule: - cron: '5 0 * * 0' workflow_dispatch: From c6e1e3b1a23511b4b5cacfb30ac56dfc6475df9b Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Tue, 25 Feb 2025 13:07:56 +0100 Subject: [PATCH 06/14] correct typo --- .github/workflows/publish-image-main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-image-main.yaml b/.github/workflows/publish-image-main.yaml index 3bf57488..51461874 100644 --- a/.github/workflows/publish-image-main.yaml +++ b/.github/workflows/publish-image-main.yaml @@ -9,7 +9,7 @@ on: - '**/*.mod' - '**/*.sum' - 'config/**' - - 'Dockefile' + - 'Dockerfile' jobs: docker_publish: runs-on: ubuntu-latest From 9683fac1dba00d38c40ccb4a61a352c6ede45db4 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Tue, 25 Feb 2025 13:57:51 +0100 Subject: [PATCH 07/14] remove cache --- .github/workflows/blackduck_scan.yaml | 22 ---------------------- 1 file changed, 22 deletions(-) 
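Review bot: Enabling `pull_request` here runs the scan on every PR, but for PRs from forks GitHub withholds repository secrets on `pull_request` events, so the steps that read `secrets.BLACKDUCK_API_TOKEN` (outside this hunk; visible in later patches of this series) will fail authentication rather than scan. Make the skip deliberate with a guard on the scan step, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, rather than widening the trigger to one that exposes secrets to fork-controlled code. The `push` trigger on `main` and the schedule are unaffected by this.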
diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index 441c5b75..274b84a4 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -24,28 +24,6 @@ jobs: with: go-version-file: '${{ github.workspace }}/go.mod' cache: false - - - name: Get go environment for use with cache - run: | - echo "go_cache=$(go env GOCACHE)" >> $GITHUB_ENV - echo "go_modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV - # This step will only reuse the go mod and build cache from main made during the Build, - # see push_ocm.yaml => "ocm-cli-latest" Job - # This means it never caches by itself and PRs cannot cause cache pollution / thrashing - # This is because we have huge storage requirements for our cache because of the mass of dependencies - - - name: Restore / Reuse Cache from central build - id: cache-golang-restore - uses: actions/cache/restore@v4 # Only Restore, not build another cache (too big) - with: - path: | - ${{ env.go_cache }} - ${{ env.go_modcache }} - key: ${{ env.cache_name }}-${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ hashFiles('**/go.mod') }} - restore-keys: | - ${{ env.cache_name }}-${{ runner.os }}-go- - env: - cache_name: ocm-cli-latest-go-cache # needs to be the same key in the end as in the build step - name: Run Black Duck Full SCA Scan (Manual Trigger and Scheduled) if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' From c885d663572fd94d9a37a6658945858fe2b8e17f Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Tue, 25 Feb 2025 13:59:00 +0100 Subject: [PATCH 08/14] schedule only --- .github/workflows/blackduck_scan.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index 274b84a4..13783e58 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml 
@@ -1,11 +1,7 @@ name: Blackduck SCA Scan on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] schedule: - - cron: '5 0 * * 0' + - cron: '5 0 * * *' workflow_dispatch: permissions: From 228bd12eaf39db64140ea92b57d56ca33cdc7c13 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Tue, 25 Feb 2025 14:30:31 +0100 Subject: [PATCH 09/14] bring back pr and push --- .github/workflows/blackduck_scan.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index 13783e58..274b84a4 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -1,7 +1,11 @@ name: Blackduck SCA Scan on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] schedule: - - cron: '5 0 * * *' + - cron: '5 0 * * 0' workflow_dispatch: permissions: From c8ff6943cba60cd26b42c798858c91b7642cf689 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Tue, 25 Feb 2025 14:39:57 +0100 Subject: [PATCH 10/14] correct nolint --- api/v1alpha1/constants.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/v1alpha1/constants.go b/api/v1alpha1/constants.go index 23cba631..655ae300 100644 --- a/api/v1alpha1/constants.go +++ b/api/v1alpha1/constants.go @@ -19,7 +19,7 @@ package v1alpha1 // Ocm credential config key for secrets. const ( // OCMCredentialConfigKey defines the secret key to look for in case a user provides an ocm credential config. - OCMCredentialConfigKey = ".ocmcredentialconfig" // nolint:gosec // G101 -- it isn't a credential + OCMCredentialConfigKey = ".ocmcredentialconfig" //nolint:gosec // G101 -- it isn't a credential // OCMConfigKey defines the secret or configmap key to look for in case a user provides an ocm config. OCMConfigKey = ".ocmconfig" // OCMLabelDowngradable defines the secret. From be4558efb27a85e49c1257494b125cb27dc532be Mon Sep 17 00:00:00 2001 
From: Gerald Morrison Date: Tue, 25 Feb 2025 14:55:43 +0100 Subject: [PATCH 11/14] remove setup go --- .github/workflows/blackduck_scan.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index 274b84a4..b08f779c 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -18,12 +18,6 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version-file: '${{ github.workspace }}/go.mod' - cache: false - name: Run Black Duck Full SCA Scan (Manual Trigger and Scheduled) if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' From 6b99b6528efd5e1ae9cc2ecec2b4dabccf094805 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Wed, 26 Feb 2025 16:13:13 +0100 Subject: [PATCH 12/14] remove params --- .github/workflows/blackduck_scan.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index b08f779c..859923b2 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -18,9 +18,9 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - - - name: Run Black Duck Full SCA Scan (Manual Trigger and Scheduled) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' + + - name: Run Black Duck Full SCA Scan (Push, Manual Trigger or Schedule) + if: ${{ github.event_name != 'pull_request' }} uses: blackduck-inc/black-duck-security-scan@v2.0.0 env: DETECT_PROJECT_USER_GROUPS: opencomponentmodel 
@@ -35,18 +35,20 @@ jobs: blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }} blackducksca_scan_full: true - - name: Run Black Duck SCA Scan (Pull Request or Push) - if: github.event_name != 'workflow_dispatch' - # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false + - name: Run Black Duck SCA Scan (Pull Requests) + if: ${{ github.event_name == 'pull_request' }} + # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false uses: blackduck-inc/black-duck-security-scan@v2.0.0 env: DETECT_PROJECT_USER_GROUPS: opencomponentmodel DETECT_PROJECT_VERSION_DISTRIBUTION: opensource DETECT_SOURCE_PATH: ./ + DETECT_SCAN_MODE: RAPID DETECT_EXCLUDED_DIRECTORIES: .bridge NODE_TLS_REJECT_UNAUTHORIZED: true with: github_token: ${{ secrets.GITHUB_TOKEN }} blackducksca_url: ${{ secrets.BLACKDUCK_URL }} blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }} + blackducksca_scan_full: false blackducksca_prComment_enabled: true From 03bb82c16212394e33c46262fe928eb24f961182 Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Thu, 27 Feb 2025 10:34:29 +0100 Subject: [PATCH 13/14] remove upload --- .github/workflows/blackduck_scan.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index 859923b2..8809f173 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -2,10 +2,10 @@ name: Blackduck SCA Scan on: push: branches: [ "main" ] - pull_request: + pull_request_target: branches: [ "main" ] schedule: - - cron: '5 0 * * 0' + - cron: '15 1 * * 0' workflow_dispatch: permissions: 
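Review bot: The context comment `# The action sets blackducksca_scan_full internally: for pushes to true and PRs to false` is now contradicted by the explicit `blackducksca_scan_full: false` added at the end of the same step, and with the new `if:` the step no longer runs on pushes at all. Reword it to `# pinned explicitly so PR runs stay incremental regardless of the action's event-based default`, or drop it, so the comment and the input do not disagree.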
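Review bot: Switching the trigger from `pull_request` to `pull_request_target` makes the PR-scoped job run in the base repository's context with repository secrets available, while `actions/checkout@v4` with no `ref:` visible on the checkout step (context in the `@@ -20,7` hunk on the next line) checks out the base branch, so the "Pull Requests" scan step examines `main` rather than the PR head. If a `ref:` pointing at the PR head is later added to fix that, the scan would process fork-controlled sources in a job that holds `BLACKDUCK_API_TOKEN`, `BLACKDUCK_URL` and a `GITHUB_TOKEN` that must be write-capable for `blackducksca_prComment_enabled`, which is the combination GitHub's documentation warns against for this trigger. Safer shapes are keeping `pull_request` for the scan and skipping forks with `if: github.event.pull_request.head.repo.full_name == github.repository`, or running the scan under `pull_request` and only the comment-posting step in a separate `workflow_run` job. The two `if:` hunks on the next line that rename the event follow whichever option is chosen; the `permissions:` block this hunk ends on is outside it.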
@@ -20,7 +20,7 @@ jobs: uses: actions/checkout@v4 - name: Run Black Duck Full SCA Scan (Push, Manual Trigger or Schedule) - if: ${{ github.event_name != 'pull_request' }} + if: ${{ github.event_name != 'pull_request_target' }} uses: blackduck-inc/black-duck-security-scan@v2.0.0 env: DETECT_PROJECT_USER_GROUPS: opencomponentmodel @@ -36,7 +36,7 @@ jobs: blackducksca_scan_full: true - name: Run Black Duck SCA Scan (Pull Requests) - if: ${{ github.event_name == 'pull_request' }} + if: ${{ github.event_name == 'pull_request_target' }} # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false uses: blackduck-inc/black-duck-security-scan@v2.0.0 env: @@ -52,3 +52,4 @@ jobs: blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }} blackducksca_scan_full: false blackducksca_prComment_enabled: true + \ No newline at end of file From b02d7633dd8cccce70903ac73909a92c1f449efb Mon Sep 17 00:00:00 2001 From: Gerald Morrison Date: Thu, 27 Feb 2025 11:05:42 +0100 Subject: [PATCH 14/14] remove rapid param --- .github/workflows/blackduck_scan.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index 8809f173..666ac76f 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml @@ -43,7 +43,6 @@ jobs: DETECT_PROJECT_USER_GROUPS: opencomponentmodel DETECT_PROJECT_VERSION_DISTRIBUTION: opensource DETECT_SOURCE_PATH: ./ - DETECT_SCAN_MODE: RAPID DETECT_EXCLUDED_DIRECTORIES: .bridge NODE_TLS_REJECT_UNAUTHORIZED: true with: