diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index b9d61c3e..00000000 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ /dev/null @@ -1,65 +0,0 @@ -## Description - - - -Please include a summary of the changes and the related issue. Please also include relevant motivation and context. List any dependencies that are required for this change. - - -## What type of PR is this? (check all applicable) - -- [ ] 🍕 Feature -- [ ] 🐛 Bug Fix -- [ ] 📝 Documentation Update -- [ ] 🎨 Style -- [ ] 🧑‍💻 Code Refactor -- [ ] 🔥 Performance Improvements -- [ ] ✅ Test -- [ ] 🤖 Build -- [ ] 🔁 CI -- [ ] 📦 Chore (Release) -- [ ] ⏩ Revert - -## Related Tickets & Documents - - -- Related Issue # (issue) -- Closes # (issue) -- Fixes # (issue) -> Remove if not applicable - -## Screenshots - - - - -## Added tests? - -- [ ] 👍 yes -- [ ] 🙅 no, because they aren't needed -- [ ] 🙋 no, because I need help -- [ ] Separate ticket for tests # (issue/pr) - -Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration - - -## Added to documentation? - -- [ ] 📜 README.md -- [ ] 🙅 no documentation needed - -## Checklist: - -- [ ] My code follows the style guidelines of this project -- [ ] I have performed a self-review of my code -- [ ] I have commented my code, particularly in hard-to-understand areas -- [ ] I have made corresponding changes to the documentation -- [ ] My changes generate no new warnings -- [ ] I have added tests that prove my fix is effective or that my feature works -- [ ] New and existing unit tests pass locally with my changes -- [ ] Any dependent changes have been merged and published in downstream modules diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml index 38c4102c..199f7fab 100644 --- a/.github/workflows/blackduck_scan.yaml +++ b/.github/workflows/blackduck_scan.yaml 
@@ -17,7 +17,6 @@ jobs: runs-on: [ ubuntu-latest ] steps: - name: Checkout code - if: github.event_name != 'pull_request_target' uses: actions/checkout@v4 - name: Run Black Duck Full SCA Scan (Push, Manual Trigger or Schedule) @@ -52,3 +51,4 @@ jobs: blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }} blackducksca_scan_full: false blackducksca_prComment_enabled: true + diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml deleted file mode 100644 index 5149e72a..00000000 --- a/.github/workflows/code-scan.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: "Code scanning" - -on: - push: - branches: ["main"] - pull_request: - branches: ["main"] - schedule: - - cron: "26 14 * * 2" - -jobs: - gosec: - permissions: - # Required to upload SARIF files - security-events: write - # for actions/checkout to fetch code - contents: read - # call reusable workflow from central '.github' repo - uses: open-component-model/.github/.github/workflows/code-scan.yml@main - secrets: inherit diff --git a/.github/workflows/mend.config b/.github/workflows/mend.config deleted file mode 100644 index db733b81..00000000 --- a/.github/workflows/mend.config +++ /dev/null 
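Review bot: Removing `if: github.event_name != 'pull_request_target'` means the checkout step now also runs in `pull_request_target` runs, which execute with the base repository's secrets (`secrets.BLACKDUCK_API_TOKEN` is passed in the second hunk), so the ref that gets checked out matters. The step has no `with: ref:` in the hunk, so `actions/checkout@v4` checks out the base ref, which is the safe default; that only stays true as long as nobody later points the step at the PR head so the PR scan sees the contributed code, so a comment on the step recording the constraint would help, e.g. `# pull_request_target: keep the default (base) ref here; do not check out the PR head while repository secrets are in scope`. Separately, `actions/checkout@v4` is a mutable tag, while the mend_scan.yaml this commit removes pinned every action by commit SHA; pinning here keeps the same supply-chain posture. The workflow's trigger block is outside the hunk, so that `pull_request_target` is among the triggers is inferred from the removed condition and the `blackducksca_prComment_enabled: true` setting.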
@@ -1,115 +0,0 @@ -#################################################################### -# WhiteSource Unified-Agent configuration file for GO -# GENERAL SCAN MODE: Package Managers only -#################################################################### -#Configuration Reference: https://docs.mend.io/bundle/unified_agent/page/unified_agent_configuration_parameters.html#General - -# !!! Important for WhiteSource "DIST - *" Products: -# Please set -# checkPolicies=false -# forceCheckAllDependencies=false -# since Policy checks are not applicable for Security scans and also -# not suitable for DIST category. CheckPolicies just cover IP scan -# related license checks for SAP hosted cloud products only ("SHC - *"). -checkPolicies=true -forceCheckAllDependencies=true - -# forceUpdate is important and need to be true -forceUpdate=true -# In some cases it could happen that Unified Agent is reporting SUCCESS but scan is incomplete or -# did not work at all. So parameter failErrorLevel=ALL needs to be set to break the scan if there are issues. -failErrorLevel=ALL -# failBuildOnPolicyViolation: -# If the flag is true, the Unified Agent exit code will be the result of the policy check. -# If the flag is false, the Unified Agent exit code will be the result of the scan. -forceUpdate.failBuildOnPolicyViolation=true -# offline parameter is important and need to be false -offline=false - -# ignoreSourceFiles parameter is important and need to be true -# IMPORTANT: This parameter is going to be deprecated in future -# and will be replaced by a new parameter, fileSystemScan. -# ignoreSourceFiles=true -# fileSystemScan parameter is important and need to be false as a -# replacement for ignoreSourceFiles=true and overrides the -# soon-to-be-deprecated ignoreSourceFiles. To scan source files, we need to enable it. 
-fileSystemScan=true -# resolveAllDependencies is important and need to be false -resolveAllDependencies=false - -#wss.connectionTimeoutMinutes=60 -# URL to your WhiteSource server. -# wss.url=https://sap.whitesourcesoftware.com/agent - -#################################################################### -# GO Configuration -#################################################################### - -# resolveDependencies parameter is important and need to be true -#if you are using 'modules' as a dependency manager, then the go.resolveDependencies is set to false. -#For any other dependency manager, this value is set to true. #To scan source files, we need to disable it. -go.resolveDependencies=false - -#defaut value for ignoreSourceFiles is set to false -# ignoreSourceFiles parameter is important and need to be true -go.ignoreSourceFiles=false -go.collectDependenciesAtRuntime=false -# dependencyManager: Determines the Go dependency manager to use when scanning a Go project. -# Valid values are 'dep', 'godep', 'vndr', 'gogradle', 'glide', 'govendor', 'gopm' and 'vgo' -# If empty, then the Unified Agent will try to resolve the dependencies using each one -# of the package managers above. -#go.dependencyManager= -#go.glide.ignoreTestPackages=false -#go.gogradle.enableTaskAlias=true - -#The below configuration is for the 'modules' dependency manager. -#Please comment these below 4 lines that has 'go.modules' prefix if you are not using the 'modules' dependency manager. -# Default value is true. If set to true, it resolves Go Modules dependencies. -go.modules.resolveDependencies=true -#default value is true. If set to true, this will ignore Go source files during the scan. -#To scan source files, we need to disable it. -go.modules.ignoreSourceFiles=false -#default value is true. If set to true, removes duplicate dependencies during Go Modules dependency resolution. -#go.modules.removeDuplicateDependencies=false -#default value is false. 
if set to true, scans Go Modules project test dependencies. -go.modules.includeTestDependencies=true -################################## - - -################################## -# Organization tokens: -################################## -# ! In case of PIPER, apiKey may not be used in this configuration, -# but set in configuration of piper. -# Please look at PIPER documentation for more information. -# ! For CoDePipes you may look at CoDePipes for more information. -# apiKey= - -# userKey is required if WhiteSource administrator has enabled "Enforce user level access" option. -# ! In case of PIPER, apiKey may not be used in this configuration, -# but set in configuration of piper. -# Please look at PIPER documentation for more information. -# ! For CoDePipes you may look at CoDePipes for more information. -# userKey= - -projectName=ocm-controller -# projectVersion= -# projectToken= - -productName=shc-open-component-model -# productVersion= -# productToken -#updateType=APPEND -#requesterEmail=user@provider.com - -######################################################################################### -# Includes/Excludes Glob patterns - PLEASE USE ONLY ONE EXCLUDE LINE AND ONE INCLUDE LINE -######################################################################################### - -includes=**/*.lock - -## Exclude file extensions or specific directories by adding **/*. or **/** -excludes=**/*sources.jar **/*javadoc.jar - -case.sensitive.glob=false -followSymbolicLinks=true diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml deleted file mode 100644 index cbad8049..00000000 --- a/.github/workflows/mend_scan.yaml +++ /dev/null 
@@ -1,196 +0,0 @@ -name: Mend Security Scan - -on: - schedule: - - cron: '5 0 * * 0' - push: - branches: - - main - pull_request_target: - branches: - - main - workflow_dispatch: - inputs: - logLevel: - description: 'Log level' - required: true - default: 'debug' - type: choice - options: - - info - - warning - - debug -jobs: - mend-scan: - permissions: - pull-requests: write - runs-on: ubuntu-latest - - steps: - - name: Checkout Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - - - name: Set up Java 17 - uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 - with: - java-version: '17' - distribution: 'temurin' - - - name: Setup Go - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 - with: - go-version-file: '${{ github.workspace }}/go.mod' - - - name: 'Setup jq' - uses: dcarbone/install-jq-action@e397bd87438d72198f81efd21f876461183d383a - with: - version: '1.7' - - - name: Download Mend Universal Agent - run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar - - - name: Run Mend Scan - run: java -jar ./wss-unified-agent.jar -c $CONFIG_FILE -wss.url $WSS_URL -apiKey $API_KEY -userKey $USER_KEY -productToken $PRODUCT_TOKEN - env: - USER_KEY: ${{ secrets.MEND_USER_KEY }} - PRODUCT_TOKEN: ${{ secrets.MEND_SHC_PRODUCT_TOKEN }} - WSS_URL: ${{ secrets.MEND_URL }} - API_KEY: ${{ secrets.MEND_API_TOKEN }} - CONFIG_FILE: './.github/workflows/mend.config' - - - name: Generate Report - id: report - env: - USER_KEY: ${{ secrets.MEND_API_USER_KEY }} - PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN_OCM_CONTR }} - API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }} - EMAIL: ${{ secrets.MEND_API_EMAIL }} - run: | - data=$(cat < 52 | select(.==true)'| wc -l ) - - function print { - printf "############################################\n$1\n############################################\nMend Scan Tool: https://sap.whitesourcesoftware.com/Wss/WSS.html#!login \n" - } - - function restricted_license { - 
declare -a sap_restricted_licenses=("LGPL" "GPL" "Affero%20GPL" "MPL" "CDDL" "EPL") - ret_val="" - issue_count=0 - for key in "${!sap_restricted_licenses[@]}"; do - api_resp=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3A${sap_restricted_licenses[$key]}" \ - --header 'Content-Type: application/json' --silent \ - --header "Authorization: Bearer ${login_token}") - - api_resp_no=$(echo "${api_resp}" | jq .additionalData.totalItems ) - issue_count=$((issue_count+api_resp_no)) - - if [[ $api_resp_no -gt 0 ]] - then - val=$(echo "${api_resp}" | jq -r .retVal[] ) - ret_val="$ret_val$val" - fi - done - export VIOLATIONS_VERBOSE="${ret_val}" - export VIOLATIONS="${issue_count}" - } - - print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}" - if [[ $security_vulnerability_no -gt 0 ]] - then - echo "${security_vulnerability}" | jq -r .retVal[] - fi - - print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}" - if [[ $major_updates_pending_no -gt 0 ]] - then - echo "${major_updates_pending}" | jq -r .retVal[] - fi - - print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license" - if [[ $requires_review_no -gt 0 ]] - then - echo "${requires_review}" | jq -r .retVal[] - fi - - print "LICENSE RISK HIGH: ${high_license_risk_no}" - if [[ high_license_risk_no -gt 0 ]] - then - echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html" - fi - - restricted_license - - print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${VIOLATIONS}" - if [[ $VIOLATIONS -gt 0 ]] - then - echo "${VIOLATIONS_VERBOSE}" | jq . 
- fi - - echo "security_vulnerability_no=$security_vulnerability_no" >> $GITHUB_OUTPUT - echo "major_updates_pending_no=$major_updates_pending_no" >> $GITHUB_OUTPUT - echo "requires_review_no=$requires_review_no" >> $GITHUB_OUTPUT - echo "high_license_risk_no=$high_license_risk_no" >> $GITHUB_OUTPUT - echo "violations=$VIOLATIONS" >> $GITHUB_OUTPUT - - if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]] - then - echo "status=x" >> $GITHUB_OUTPUT - else - echo "status=white_check_mark" >> $GITHUB_OUTPUT - fi - - name: Check if PR exists - uses: 8BitJonny/gh-get-current-pr@08e737c57a3a4eb24cec6487664b243b77eb5e36 - id: pr_exists - with: - filterOutClosed: true - sha: ${{ github.event.pull_request.head.sha }} - - name: Comment Mend Status on PR - if: ${{ github.event_name != 'schedule' && steps.pr_exists.outputs.pr_found == 'true' }} - uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b - with: - message: | - ## Mend Scan Summary: :${{ steps.report.outputs.status }}: - ### Repository: ${{ github.repository }} - | VIOLATION DESCRIPTION | NUMBER OF VIOLATIONS | - | -------------------------------------------- | --------------------------- | - | HIGH/CRITICAL SECURITY VULNERABILITIES | ${{ steps.report.outputs.security_vulnerability_no }} | - | MAJOR UPDATES AVAILABLE | ${{ steps.report.outputs.major_updates_pending_no }} | - | LICENSE REQUIRES REVIEW | ${{ steps.report.outputs.requires_review_no }} | - | LICENSE RISK HIGH | ${{ steps.report.outputs.high_license_risk_no }} | - | RESTRICTED LICENSE FOR ON-PREMISE DELIVERY | ${{ steps.report.outputs.VIOLATIONS }} | - - [Detailed Logs: mend-scan-> Generate Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) - [Mend UI](https://sap.whitesourcesoftware.com/Wss/WSS.html#!login) - comment_tag: tag_mend_scan 
diff --git a/api/v1alpha1/constants.go b/api/v1alpha1/constants.go index e0e39442..ceded1fa 100644 --- a/api/v1alpha1/constants.go +++ b/api/v1alpha1/constants.go @@ -2,7 +2,7 @@ package v1alpha1 const ( // DefaultRegistryCertificateSecretName is the name of the of certificate secret for client and registry. - DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" // #nosec G101 -- not a credential + DefaultRegistryCertificateSecretName = "ocm-registry-tls-certs" //nolint:gosec // not a credential ) // Internal ExtraIdentity keys. @@ -35,5 +35,5 @@ const ( // Ocm credential config key for secrets. const ( // OCMCredentialConfigKey defines the secret key to look for in case a user provides an ocm credential config. - OCMCredentialConfigKey = ".ocmcredentialconfig" // #nosec G101 -- not a credential + OCMCredentialConfigKey = ".ocmcredentialconfig" //nolint:gosec // not a credential ) diff --git a/pkg/oci/repository.go b/pkg/oci/repository.go index 0ace4c99..2ec7ae1e 100644 --- a/pkg/oci/repository.go +++ b/pkg/oci/repository.go @@ -143,7 +143,7 @@ func (c *Client) setupCertificates(ctx context.Context) error { } func (c *Client) constructTLSRoundTripper() http.RoundTripper { - tlsConfig := &tls.Config{} // #nosec G402 -- must provide lower version for quay.io + tlsConfig := &tls.Config{} //nolint:gosec // must provide lower version for quay.io caCertPool := x509.NewCertPool() caCertPool.AppendCertsFromPEM(c.ca)
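Review bot: The new `//nolint:gosec // not a credential` on `DefaultRegistryCertificateSecretName` and `OCMCredentialConfigKey` silences every gosec rule on those lines, whereas the removed `// #nosec G101` was scoped to the hardcoded-credentials rule alone, so any finding of a different class that later lands on the same line would be hidden. If golangci-lint not honouring `#nosec` is the reason for the switch, keep the rule id in the justification so the scope of the exception survives, e.g. `//nolint:gosec // G101 false positive: this is the secret's name, not a credential`. The same widening applies to `tlsConfig := &tls.Config{}` in pkg/oci/repository.go further down, where the old comment named G402 and the new one does not; that hunk runs past the end of this excerpt. There the justification "must provide lower version for quay.io" is not reflected on the visible line, which sets no `MinVersion` at all, so naming the version actually required (or setting it explicitly) would make that exception reviewable.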