From e416c6b905ce4afbf6fa3da4f4d19672f3ec6f94 Mon Sep 17 00:00:00 2001
From: "Dr. Christoph \"Schorsch\" Jung"
Date: Thu, 16 Nov 2023 08:11:16 +0100
Subject: [PATCH] fix(workflows): pin all github actions to prevent supply-chain attacks
---
 .github/workflows/build.yml | 38 ++++++++--------
 .github/workflows/helm-chart-lint.yml | 21 ++++-----
 .github/workflows/helm-chart-release.yml | 14 +++---
 .github/workflows/kics.yml | 39 ++++++++--------
 .github/workflows/trivy.yml | 40 +++++++++--------
 .github/workflows/veracode.yml | 57 +++--------------------
 6 files changed, 85 insertions(+), 124 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 88b76c8..607fcd0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,3 +1,4 @@
+---
 #
 # Copyright (c) 2023 SAP SE
 # Copyright (c) 2023 T-Systems International GmbH
@@ -27,6 +28,7 @@ on:
 branches:
 - main
 - 'release/*'
+ # Can be scheduled on all branches and version tags
 tags:
 - 'v*.*.*'
 - 'v*.*.*-*'
@@ -75,35 +77,35 @@ jobs:
 - name: Check github repository and set docker repo
 id: set-docker-repo
 run: |
- echo "REGISTRY=docker.io" >> $GITHUB_OUTPUT;
- echo "REPO=tractusx" >> $GITHUB_OUTPUT;
- if [ "${{ github.repository }}" != "eclipse-tractusx/knowledge-agents-aas-bridge" ];
- then
+ echo "REGISTRY=docker.io" >> $GITHUB_OUTPUT;
+ echo "REPO=tractusx" >> $GITHUB_OUTPUT;
+ if [ "${{ github.repository }}" != "eclipse-tractusx/knowledge-agents-aas-bridge" ];
+ then
 echo "REGISTRY=ghcr.io" >> $GITHUB_OUTPUT
 echo "REPO=ghcr.io/${{ github.repository }}" >> $GITHUB_OUTPUT
- fi
+ fi
 exit 0
 # Get the Code
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 submodules: recursive
 # Setup build environment
 - uses: ./.github/actions/setup-java
- # Enable deployment access (on main branch and version tags only)
+ # Enable deployment access (on demand or main branch and version tags only)
 - name: Login to GitHub Container Registry
- if: ${{ ( github.event.inputs.deploy_docker == 'true' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) }}
- uses: docker/login-action@v2
+ if: ${{ ( github.event.inputs.deploy_docker == 'true' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') ) }}
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
 with:
 registry: ${{ steps.set-docker-repo.outputs.REGISTRY }}
 # Use existing DockerHub credentials present as secrets
 username: ${{ secrets.DOCKER_HUB_USER || github.actor }}
 password: ${{ secrets.DOCKER_HUB_TOKEN || secrets.GITHUB_TOKEN }}
-
- # Run Maven Deploy (if either running on main or a version tag)
+
+ # Run Maven Deploy (on demand or if either running on main or a version tag)
 - name: Deploy Java via Maven
 if: ${{ ( github.event.inputs.deploy_maven == 'true' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') ) }}
 run: |
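Review bot: The `uses:` lines for actions/checkout (v3 → v4.1.1) and docker/login-action (v2 → v3.0.0) in this hunk are major-version upgrades bundled into a commit described as pinning, so a runtime change (for example the Node version the actions execute on) rides along with the hardening; a one-line mention in the commit message would make that visible to reviewers, and the same holds for the metadata/build-push/setup-python/kind-action bumps in the other files. Pinning to a commit SHA also freezes each action at that revision, so fixes no longer arrive through the floating tag; a `.github/dependabot.yml` entry with `package-ecosystem: github-actions` keeps the SHAs and their `# vX.Y.Z` comments current. The re-indented `Check github repository and set docker repo` step is now duplicated verbatim in trivy.yml (the hunk at `@@ -67,60 +67,62 @@`); a local composite action alongside `./.github/actions/setup-java` would keep the two copies from drifting.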
@@ -122,9 +124,9 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 # Create SemVer or ref tags dependent of trigger event
- - name: Docker Meta Conforming
- id: meta-conf
- uses: docker/metadata-action@v4
+ - name: Docker Meta AAS Bridge
+ id: meta-aas
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
 with:
 images: |
 ${{ steps.set-docker-repo.outputs.REPO }}/aas-bridge
@@ -141,19 +143,19 @@ jobs:
 # build in any case, but push only main and version tag settings
 - name: AAS Bridge Container Build and Push
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
 with:
 context: sparql-aas/.
 file: sparql-aas/src/main/docker/Dockerfile
 # Build image for verification purposes on every trigger event. Only push if event is not a PR
 push: ${{ ( github.event.inputs.deploy_docker == 'true' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') ) }}
- tags: ${{ steps.meta-hash.outputs.tags }}
- labels: ${{ steps.meta-hash.outputs.labels }}
+ tags: ${{ steps.meta-aas.outputs.tags }}
+ labels: ${{ steps.meta-aas.outputs.labels }}
 # Important step to push image description to DockerHub - since this is version independent, we always take it from main
 - name: Update Docker Hub description for AAS Bridge
 if: ${{ steps.set-docker-repo.outputs.REPO == 'docker.io' && github.ref == 'refs/heads/main' }}
- uses: peter-evans/dockerhub-description@v3
+ uses: peter-evans/dockerhub-description@dc67fad7001ef9e8e3c124cb7a64e16d0a63d864 # v3.4.2
 with:
 readme-filepath: sparql-aas/README.md
 username: ${{ secrets.DOCKER_HUB_USER }}
diff --git a/.github/workflows/helm-chart-lint.yml b/.github/workflows/helm-chart-lint.yml
index e1bf49d..d1f9f83 100644
--- a/.github/workflows/helm-chart-lint.yml
+++ b/.github/workflows/helm-chart-lint.yml
@@ -1,3 +1,4 @@
+---
 #
 # Copyright (c) 2023 SAP SE
 # Copyright (c) 2023 T-Systems International GmbH
@@ -27,14 +28,14 @@ on:
 push:
 branches:
 - main
- - 'releases/**'
+ - 'release/*'
 paths:
 - .github/workflows/**
 - charts/**
 pull_request:
 branches:
 - main
- - 'releases/**'
+ - 'release/*'
 paths:
 - .github/workflows/**
 - charts/**
@@ -59,38 +60,38 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: 0
 - name: Set up Helm
- uses: azure/setup-helm@v3
+ uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
 with:
 version: v3.10.3
 - uses: ./.github/actions/setup-java
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: 3.9
 - name: Set up chart-testing
- uses: helm/chart-testing-action@v2.3.1
+ uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 - name: Run chart-testing (lint)
- run: ct lint --target-branch ${{ github.event.repository.default_branch }} --config charts/config/chart-testing-config.yaml
+ run: ct lint --target-branch ${{ github.base_ref || github.ref_name }} --config charts/config/chart-testing-config.yaml
 - name: Run chart-testing (list-changed)
 id: list-changed
 run: |
- changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+ changed=$(ct list-changed --target-branch ${{ github.base_ref || github.ref_name }})
 if [[ -n "$changed" ]]; then
 echo "CHART_CHANGED=true" >> $GITHUB_ENV
 fi
 # Preparing a kind cluster to install and test charts on
 - name: Create kind cluster
- uses: container-tools/kind-action@v1
+ uses: container-tools/kind-action@61f1afd4807b0dac84f3232ec99e45c63701d220 # v2.0.1
 with:
 # upgrade version, default (v0.17.0) uses node image v1.21.1 and doesn't work with more recent node image versions
 version: v0.19.0
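Review bot: On push events `github.base_ref` is empty, so the new `--target-branch ${{ github.base_ref || github.ref_name }}` in the lint and list-changed steps resolves to the branch that was just pushed, and `ct` then appears to diff the branch against itself; whether that still reports changed charts (and sets `CHART_CHANGED`) on a push to `main` or `release/*` is worth confirming, because the previous expression always compared against the default branch. Separately, both expressions are expanded straight into a shell command line; branch names are repository-controlled, but the usual hardening is to hand them to the script through an `env:` variable and quote them, which also keeps the fallback in one place. The rewritten steps below do that for both commands.
```yaml
      - name: Run chart-testing (lint)
        env:
          TARGET_BRANCH: ${{ github.base_ref || github.ref_name }}
        run: ct lint --target-branch "$TARGET_BRANCH" --config charts/config/chart-testing-config.yaml
      - name: Run chart-testing (list-changed)
        id: list-changed
        env:
          TARGET_BRANCH: ${{ github.base_ref || github.ref_name }}
        run: |
          changed=$(ct list-changed --target-branch "$TARGET_BRANCH")
          # … unchanged: CHART_CHANGED export …
```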
@@ -100,7 +101,7 @@ jobs:
 - name: Build Java/Docker via Maven
 run: |
- ./mvnw -s settings.xml deploy -Drepo=kind-registry:5000/tractusx/ -Dmaven.deploy.skip -DskipTests -Pwith-docker-image
+ ./mvnw -s settings.xml deploy -Drepo=kind-registry:5000/tractusx/ -Dmaven.deploy.skip -DskipTests -Pwith-docker-image
 if: github.event_name != 'pull_request' || env.CHART_CHANGED == 'true'
 env:
 GITHUB_ACTOR: ${{ github.actor }}
diff --git a/.github/workflows/helm-chart-release.yml b/.github/workflows/helm-chart-release.yml
index 807af4d..f01e9f7 100644
--- a/.github/workflows/helm-chart-release.yml
+++ b/.github/workflows/helm-chart-release.yml
@@ -1,3 +1,4 @@
+---
 #
 # Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
 #
@@ -22,9 +23,6 @@ name: Release Charts
 on:
 # May be invoked manually
 workflow_dispatch:
- branches:
- - main
- - 'releases/**'
 # Or by pushing to the chart dir of some dev/ release branch
 push:
 # prevent unnecessary GH action runs for files outside of charts folder
@@ -32,7 +30,7 @@ on:
 - 'charts/**'
 branches:
 - main
- - 'releases/**'
+ - 'release/*'
 jobs:
 release:
@@ -43,7 +41,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: 0
@@ -53,11 +51,11 @@ jobs:
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 - name: Install Helm
- uses: azure/setup-helm@v3
+ uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 - name: Run chart-releaser
- uses: helm/chart-releaser-action@v1.4.1
+ uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
 env:
- CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml
index 421796a..7b42889 100644
--- a/.github/workflows/kics.yml
+++ b/.github/workflows/kics.yml
@@ -1,3 +1,4 @@
+---
 #
 # Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
 #
@@ -17,18 +18,17 @@
 # SPDX-License-Identifier: Apache-2.0
 #
----
 name: "KICS"
 on:
 push:
- branches:
- - main
- - 'releases/**'
+ branches:
+ - main
+ - 'release/*'
 pull_request:
- branches:
+ branches:
 - main
- - 'releases/**'
+ - 'release/*'
 workflow_dispatch:
@@ -46,29 +46,30 @@ jobs:
 security-events: write
 steps:
- - uses: actions/checkout@v3.5.2
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-#
-# Take out
-# - the "Always" Image Pull Policy Rule (caa3479d-885d-4882-9aac-95e5e78ef5c2) because depending on the deployment/rollout scenarios, other policies are more reasonable.
-# - the "LimitRange" Namespace Rule (4a20ebac-1060-4c81-95d1-1f7f620e983b) because the target namespace may define that external to the Chart.
-# - the "ResourceQuota" Namespace Rule (48a5beba-e4c0-4584-a2aa-e6894e4cf424) because the target namespace may define that external to the Chart.
-# - the "Digest" Image Requirement (7c81d34c-8e5a-402b-9798-9f442630e678) can be realised for releases, but not the mainline
-# - the "AppArmorProfile" Requirement (8b36775e-183d-4d46-b0f7-96a6f34a723f) is still a beta functionality
-# - the "Administrative Boundaries" Info (e84eaf4d-2f45-47b2-abe8-e581b06deb66) would not be visible
-#
+
+ #
+ # Take out
+ # - the "Always" Image Pull Policy Rule (caa3479d-885d-4882-9aac-95e5e78ef5c2) because depending on the deployment/rollout scenarios, other policies are more reasonable.
+ # - the "LimitRange" Namespace Rule (4a20ebac-1060-4c81-95d1-1f7f620e983b) because the target namespace may define that external to the Chart.
+ # - the "ResourceQuota" Namespace Rule (48a5beba-e4c0-4584-a2aa-e6894e4cf424) because the target namespace may define that external to the Chart.
+ # - the "Digest" Image Requirement (7c81d34c-8e5a-402b-9798-9f442630e678) can be realised for releases, but not the mainline
+ # - the "AppArmorProfile" Requirement (8b36775e-183d-4d46-b0f7-96a6f34a723f) is still a beta functionality
+ # - the "Administrative Boundaries" Info (e84eaf4d-2f45-47b2-abe8-e581b06deb66) would not be visible
+ #
 - name: KICS scan
- uses: checkmarx/kics-github-action@v1.7.0
+ uses: checkmarx/kics-github-action@8a44970e3d2eca668be41abe9d4e06709c3b3609 # v1.7.0
 with:
 path: "."
 fail_on: high
 disable_secrets: true
- output_path: kicsResults/
+ output_path: kicsResults/
 exclude_queries: caa3479d-885d-4882-9aac-95e5e78ef5c2,4a20ebac-1060-4c81-95d1-1f7f620e983b,48a5beba-e4c0-4584-a2aa-e6894e4cf424,7c81d34c-8e5a-402b-9798-9f442630e678,8b36775e-183d-4d46-b0f7-96a6f34a723f,e84eaf4d-2f45-47b2-abe8-e581b06deb66
 output_formats: "json,sarif"
 - name: Upload SARIF file for GitHub Advanced Security Dashboard
 if: always()
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@689fdc5193eeb735ecb2e52e819e3382876f93f4 # v2.22.6
 with:
 sarif_file: kicsResults/results.sarif
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index fa95c9e..7a2a5a6 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,3 +1,4 @@
+---
 #
 # Copyright (c) 2023 SAP SE
 # Copyright (c) 2023 T-Systems International GmbH
@@ -19,7 +20,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #
----
 name: "Trivy"
 on:
@@ -27,7 +27,7 @@ on:
 - cron: "0 0 * * *"
 workflow_dispatch:
 workflow_run:
- workflows: [ "Build" ]
+ workflows: ["Build"]
 branches:
 - main
 tags:
@@ -55,9 +55,9 @@ jobs:
 contents: read
 security-events: write
 steps:
- - uses: actions/checkout@v3.5.2
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
 with:
 scan-type: "config"
 # ignore-unfixed: true
@@ -67,60 +67,62 @@ jobs:
 output: "trivy-results-config.sarif"
 severity: "CRITICAL,HIGH"
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@689fdc5193eeb735ecb2e52e819e3382876f93f4 # v2.22.6
 if: always()
 with:
 sarif_file: "trivy-results-config.sarif"
 trivy:
- needs: [ git-sha7 ]
+ needs: [git-sha7]
 permissions:
 actions: read
 contents: read
 security-events: write
 runs-on: ubuntu-latest
 strategy:
- fail-fast: false # continue scanning other images although if the other has been vulnerable
+ # continue scanning other images although if the other has been vulnerable
+ fail-fast: false
 matrix:
 image:
 - aas-bridge
 steps:
+ # Determine the right target docker repo
 - name: Check github repository and set docker repo
 id: set-docker-repo
 run: |
- echo "REGISTRY=docker.io" >> $GITHUB_OUTPUT;
- echo "REPO=tractusx" >> $GITHUB_OUTPUT;
- if [ "${{ github.repository }}" != "eclipse-tractusx/knowledge-agents-aas-bridge" ];
- then
+ echo "REGISTRY=docker.io" >> $GITHUB_OUTPUT;
+ echo "REPO=tractusx" >> $GITHUB_OUTPUT;
+ if [ "${{ github.repository }}" != "eclipse-tractusx/knowledge-agents-aas-bridge" ];
+ then
 echo "REGISTRY=ghcr.io" >> $GITHUB_OUTPUT
 echo "REPO=ghcr.io/${{ github.repository }}" >> $GITHUB_OUTPUT
- fi
+ fi
 exit 0
- - uses: actions/checkout@v3.5.2
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 # Enable repository access (on main branch and version tags only)
 - name: Login to GitHub Container Registry
- if: ${{ ( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) }}
- uses: docker/login-action@v2
+ if: ${{ ( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') ) }}
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
 with:
 registry: ${{ steps.set-docker-repo.outputs.REGISTRY }}
 # Use existing DockerHub credentials present as secrets
 username: ${{ secrets.DOCKER_HUB_USER || github.actor }}
 password: ${{ secrets.DOCKER_HUB_TOKEN || secrets.GITHUB_TOKEN }}
- ## This step will fail if the docker images is not found
+ # This step will fail if the docker images is not found
 - name: "Check if image exists"
 id: imageCheck
 run: |
 docker manifest inspect ${{ steps.set-docker-repo.outputs.REPO }}/${{ matrix.image }}:${{ needs.git-sha7.outputs.value }}
 continue-on-error: true
- ## the next two steps will only execute if the image exists check was successful
+ # the next two steps will only execute if the image exists check was successful
 - name: Run Trivy vulnerability scanner
 if: success() && steps.imageCheck.outcome != 'failure'
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
 with:
 image-ref: "${{ steps.set-docker-repo.outputs.REPO }}/${{ matrix.image }}:${{ needs.git-sha7.outputs.value }}"
 format: "sarif"
@@ -131,6 +133,6 @@ jobs:
 - name: Upload Trivy scan results to GitHub Security tab
 if: success() && steps.imageCheck.outcome != 'failure'
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@689fdc5193eeb735ecb2e52e819e3382876f93f4 # v2.22.6
 with:
 sarif_file: "trivy-results-${{ matrix.image }}.sarif"
diff --git a/.github/workflows/veracode.yml b/.github/workflows/veracode.yml
index db6eab6..0a045f0 100644
--- a/.github/workflows/veracode.yml
+++ b/.github/workflows/veracode.yml
@@ -1,3 +1,4 @@
+---
 #
 # Copyright (c) 2023 SAP SE
 # Copyright (c) 2023 T-Systems International GmbH
@@ -19,7 +20,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #
----
 name: "Veracode"
 on:
@@ -51,12 +51,12 @@ jobs:
 - name: Verify proper formatting
 run: ./mvnw spotless:check
-###
-# Standalone applications have all dependencies in their jar
-###
+ ###
+ # Standalone applications have all dependencies in their jar
+ ###
 build_standalone:
 runs-on: ubuntu-latest
- needs: [ secret-presence, verify-formatting ]
+ needs: [secret-presence, verify-formatting]
 permissions:
 contents: read
 strategy:
@@ -66,7 +66,7 @@ jobs:
 ]
 steps:
 # Set-Up
- - uses: actions/checkout@v3.5.2
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./.github/actions/setup-java
 # Build
 - name: Build ${{ matrix.variant.name }}
@@ -79,7 +79,7 @@ jobs:
 run: |-
 tar -czvf ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}-*.jar
 - name: Veracode Upload And Scan
- uses: veracode/veracode-uploadandscan-action@v1.0
+ uses: veracode/veracode-uploadandscan-action@c3c0b78bddb42d5f6b10d70562f692215a410d7b #v1.0
 if: |
 needs.secret-presence.outputs.ORG_VERACODE_API_ID && needs.secret-presence.outputs.ORG_VERACODE_API_KEY
 continue-on-error: true
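Review bot: The version comment on the veracode pin in the `@@ -79,7 +79,7 @@` hunk, `#v1.0`, lacks the space after `#` that every other pin in this commit uses (`# v4.1.1`, `# v3.0.0`); tooling such as Dependabot, which refreshes SHA pins from that trailing version comment, may not recognise it without the space, so I would write `uses: veracode/veracode-uploadandscan-action@c3c0b78bddb42d5f6b10d70562f692215a410d7b # v1.0`. The hunk that follows removes the whole `build_embedded` job together with the comment explaining the Spring 5.3.28 exclusion, which a commit message about pinning actions does not mention; a sentence in the description stating why that job goes away would keep the history searchable. The `build_standalone` job continues past the end of this hunk.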
@@ -91,46 +91,3 @@ jobs:
 vid: ${{ secrets.ORG_VERACODE_API_ID }}
 vkey: ${{ secrets.ORG_VERACODE_API_KEY }}
-###
-# Embedded applications need dependencies being provided.
-# Expecially wrt. Spring 5.3.28 Web there is an open HIGH vulnerability regarding
-# org/springframework/remoting/httpinvoker which will not be fixed
-# so we manipulate the jar in the docker environment directly and exclude
-# the dependency from the scan
-###
- build_embedded:
- runs-on: ubuntu-latest
- needs: [ secret-presence, verify-formatting ]
- permissions:
- contents: read
- strategy:
- fail-fast: false
- matrix:
- variant: [ { dir: provisioning, name: provisioning-agent },
- ]
- steps:
- # Set-Up
- - uses: actions/checkout@v3.5.2
- - uses: ./.github/actions/setup-java
- # Build
- - name: Build ${{ matrix.variant.name }}
- run: |-
- ./mvnw -s settings.xml -pl ${{ matrix.variant.dir }} install
- env:
- GITHUB_ACTOR: ${{ github.actor }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Tar gzip files for veracode upload
- run: |-
- tar --exclude='spring-web-5.3.28.jar' -czvf ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz ${{ matrix.variant.dir }}/target/lib/*.jar ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}-*.jar
- - name: Veracode Upload And Scan
- uses: veracode/veracode-uploadandscan-action@v1.0
- if: |
- needs.secret-presence.outputs.ORG_VERACODE_API_ID && needs.secret-presence.outputs.ORG_VERACODE_API_KEY
- continue-on-error: true
- with:
- appname: knowledge-agents/${{ matrix.variant.name }}
- createprofile: true
- version: ${{ matrix.variant.name }}-${{ github.sha }}
- filepath: ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz
- vid: ${{ secrets.ORG_VERACODE_API_ID }}
- vkey: ${{ secrets.ORG_VERACODE_API_KEY }}
\ No newline at end of file