Skip to content

Update sbt, scripted-plugin to 1.10.5 (#27) #56

Update sbt, scripted-plugin to 1.10.5 (#27)

Update sbt, scripted-plugin to 1.10.5 (#27) #56

Workflow file for this run

name: fortify
on:
push:
branches:
- main
pull_request:
jobs:
test:
strategy:
fail-fast: false
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 17
cache: sbt
- uses: actions/cache@v4
env:
cache-name: fortify
with:
path: ./Fortify
key: fortify-24.2.0
# https://github.com/gruntwork-io/fetch
- uses: Homebrew/actions/setup-homebrew@master
- name: Install Fetch
run: brew install fetch
- name: Install secrets
env:
LIGHTBEND_LICENSE: ${{secrets.LIGHTBEND_LICENSE}}
FORTIFY_LICENSE: ${{secrets.FORTIFY_LICENSE}}
run: |
mkdir -p ~/.lightbend
echo "$LIGHTBEND_LICENSE" > ~/.lightbend/license
echo "$FORTIFY_LICENSE" > fortify.license
# The easiest way I could think of to make the Fortify installer available to CI
# was to attach it as a release asset to a tag in a private repo.
- name: Install Fortify
run: |
if [[ ! -d Fortify ]] ; then
GITHUB_OAUTH_TOKEN=${{secrets.FORTIFY_INSTALLER_TOKEN}} fetch --repo="https://github.com/lightbend/scala-fortify" --tag="24.2.0_linux_x64" --release-asset="Fortify_SCA_24.2.0_linux_x64.run" .
chmod +x Fortify_SCA_24.2.0_linux_x64.run
mkdir Fortify
echo installdir=`pwd`/Fortify/Fortify_SCA_24.2.0 > Fortify_SCA_24.2.0_linux_x64.run.options
echo fortify_license_path=`pwd`/fortify.license >> Fortify_SCA_24.2.0_linux_x64.run.options
./Fortify_SCA_24.2.0_linux_x64.run --mode unattended
# download the Scala security rules; VersionTests makes sure they're the ones we expect
./Fortify/Fortify_SCA_24.2.0/bin/fortifyupdate
fi
- name: Test
run: |
sbt -DfortifyEnabled=true compile
rm -f target/vulnerabilities-actual.txt
./Fortify/Fortify_SCA_24.2.0/bin/sourceanalyzer \
-b sample \
-logfile target/scan.log \
-scan \
| tail -n +4 > target/vulnerabilities-actual.txt
cat target/scan.log
sum vulnerabilities.txt target/vulnerabilities-actual.txt
diff -u vulnerabilities.txt target/vulnerabilities-actual.txt