Merge branch 'develop' into origin/develop/weijie/EmailService

sayoungestguy · Aug 19, 2024 · 0ea9b11 · 0ea9b11
2 parents 2570acb + 1187505
commit 0ea9b11
Show file tree

Hide file tree

Showing 5 changed files with 189 additions and 63 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,8 +1,8 @@
-name: Application CI workflow
+name: ScaleUp Application CI workflow
 on: [push, pull_request]
 jobs:
- pipeline:
- name: scaleup pipeline
+ build:
+ name: Build Stage
  runs-on: ubuntu-latest
  if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.pull_request.title, '[skip ci]') && !contains(github.event.pull_request.title, '[ci skip]')"
  timeout-minutes: 40
@@ -22,11 +22,129 @@ jobs:
  java-version: 17
  - name: Install Node.js packages
  run: npm install
+ - name: Package application
+ run: npm run java:jar:prod
+
+ backend-test:
+ name: Backend Test Stage
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: 17
  - name: Run backend test
  run: |
  chmod +x mvnw
  npm run ci:backend:test
+
+ frontend-test:
+ name: Frontend Test Stage
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20.15.0
+ - name: Install Node.js packages
+ run: npm install
  - name: Run frontend test
  run: npm run ci:frontend:test
- - name: Package application
- run: npm run java:jar:prod
+ sonar:
+ name: Sonar SAST Scan
+ runs-on: ubuntu-latest
+ needs: [backend-test, frontend-test]
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+ - name: Set up JDK 17
+ uses: actions/setup-java@v3
+ with:
+ java-version: 17
+ distribution: 'zulu' # Alternative distribution options are available.
+ - name: Cache SonarCloud packages
+ uses: actions/cache@v3
+ with:
+ path: ~/.sonar/cache
+ key: ${{ runner.os }}-sonar
+ restore-keys: ${{ runner.os }}-sonar
+ - name: Cache Maven packages
+ uses: actions/cache@v3
+ with:
+ path: ~/.m2
+ key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+ restore-keys: ${{ runner.os }}-m2
+ - name: Build and analyze
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=sayoungestguy_scaleup
+ snyk:
+ name: Vulnerability Scanning with Synk
+ needs: [backend-test, frontend-test]
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/maven@master
+ continue-on-error: true # To make sure that SARIF upload gets called
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --sarif-file-output=snyk.sarif
+ # - name: Upload result to GitHub Code Scanning
+ # uses: github/codeql-action/upload-sarif@v3
+ # with:
+ # sarif_file: snyk.sarif
+ eslint:
+ name: ESLint Code Quality
+ runs-on: ubuntu-latest
+ needs: [backend-test, frontend-test]
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 20.15.0
+ - name: Install Node.js packages
+ run: npm install
+ - name: Install ESLint
+ run: npm install eslint --save-dev
+
+ - name: Run ESLint
+ run: |
+ npx eslint . -f json -o eslint-report.json
+ npx eslint . -f html -o eslint-report.html
+
+ - name: Upload ESLint Report
+ uses: actions/upload-artifact@v4
+ with:
+ name: eslint-report
+ path: |
+ ./eslint-report.json
+ ./eslint-report.html
+ dast-scan:
+ name: DAST OWASP ZAP Scans
+ runs-on: ubuntu-latest
+ needs: [backend-test, frontend-test]
+ strategy:
+ matrix:
+ node-version: [20.x]
+ steps:
+ - uses: actions/checkout@v2
+ - name: Change script permission
+ run: |
+ chmod +x script/zap-script.sh
+ - name: ZAP scan
+ run: script/zap-script.sh
+ - name: Archive production artifacts
+ uses: actions/upload-artifact@v2
+ with:
+ name: zap report
+ path: |
+ ./zap_baseline_report.html
diff --git a/pom.xml b/pom.xml
@@ -76,6 +76,8 @@
  <sonar-maven-plugin.version>4.0.0.4121</sonar-maven-plugin.version>
  <spotless-maven-plugin.version>2.43.0</spotless-maven-plugin.version>
  <springdoc-openapi-starter-webmvc-api.version>2.5.0</springdoc-openapi-starter-webmvc-api.version>
+ <sonar.organization>sayoungestguy</sonar.organization>
+ <sonar.host.url>https://sonarcloud.io</sonar.host.url>
  </properties>
 
  <dependencies>

diff --git a/script/zap-script.sh b/script/zap-script.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+docker pull zaproxy/zap-stable
+docker run -i zaproxy/zap-stable zap-baseline.py -t "https://github.com/sayoungestguy/scaleup" -l PASS > zap_baseline_report.html
+
+echo $? > /dev/null
diff --git a/sonar-project.properties b/sonar-project.properties
@@ -1,43 +1,43 @@
-sonar.projectKey = scaleup
-sonar.projectName = scaleup generated by jhipster
-
-# Typescript tests files must be inside sources and tests, otherwise `INFO: Test execution data ignored for 80 unknown files, including:` 
-# is shown.
-sonar.sources = src
-sonar.tests = src
-sonar.host.url = http://localhost:9001
-
-sonar.test.inclusions = src/test/**/*.*, src/main/webapp/app/**/*.spec.ts, src/main/webapp/app/**/*.spec.tsx
-sonar.coverage.jacoco.xmlReportPaths = target/site/**/jacoco*.xml
-sonar.java.codeCoveragePlugin = jacoco
-sonar.junit.reportPaths = target/surefire-reports,target/failsafe-reports
-sonar.testExecutionReportPaths = target/test-results/jest/TESTS-results-sonar.xml
-sonar.javascript.lcov.reportPaths = target/test-results/lcov.info
-
-sonar.sourceEncoding = UTF-8
-sonar.exclusions = src/main/webapp/content/**/*.*, src/main/webapp/i18n/*.js, target/classes/static/**/*.*
-
-sonar.issue.ignore.multicriteria = S1192,S125,S3437,S4502,S4684,S5145,UndocumentedApi
-
-# Rule https://rules.sonarsource.com/java/RSPEC-3437 is ignored, as a JPA-managed field cannot be transient
-sonar.issue.ignore.multicriteria.S3437.resourceKey = src/main/java/**/*
-sonar.issue.ignore.multicriteria.S3437.ruleKey = squid:S3437
-# Rule https://rules.sonarsource.com/java/RSPEC-4502 is ignored, as for JWT tokens we are not subject to CSRF attack
-sonar.issue.ignore.multicriteria.S4502.resourceKey = src/main/java/**/*
-sonar.issue.ignore.multicriteria.S4502.ruleKey = java:S4502
-# Rule https://rules.sonarsource.com/java/RSPEC-4684
-sonar.issue.ignore.multicriteria.S4684.resourceKey = src/main/java/**/*
-sonar.issue.ignore.multicriteria.S4684.ruleKey = java:S4684
-# Rule https://rules.sonarsource.com/java/RSPEC-5145 log filter is applied
-sonar.issue.ignore.multicriteria.S5145.resourceKey = src/main/java/**/*
-sonar.issue.ignore.multicriteria.S5145.ruleKey = javasecurity:S5145
-# Rule https://rules.sonarsource.com/java/RSPEC-1176 is ignored, as we want to follow "clean code" guidelines and classes, methods and 
-# arguments names should be self-explanatory
-sonar.issue.ignore.multicriteria.UndocumentedApi.resourceKey = src/main/java/**/*
-sonar.issue.ignore.multicriteria.UndocumentedApi.ruleKey = squid:UndocumentedApi
-# Rule https://rules.sonarsource.com/java/RSPEC-1192
-sonar.issue.ignore.multicriteria.S1192.resourceKey = src/main/java/**/CacheConfiguration.java
-sonar.issue.ignore.multicriteria.S1192.ruleKey = java:S1192
-# Rule https://rules.sonarsource.com/xml/RSPEC-125
-sonar.issue.ignore.multicriteria.S125.resourceKey = src/main/resources/logback-spring.xml
-sonar.issue.ignore.multicriteria.S125.ruleKey = xml:S125
+#sonar.projectKey = scaleup
+#sonar.projectName = scaleup generated by jhipster
+#
+## Typescript tests files must be inside sources and tests, otherwise `INFO: Test execution data ignored for 80 unknown files, including:`
+## is shown.
+#sonar.sources = src
+#sonar.tests = src
+#sonar.host.url = http://localhost:9001
+#
+#sonar.test.inclusions = src/test/**/*.*, src/main/webapp/app/**/*.spec.ts, src/main/webapp/app/**/*.spec.tsx
+#sonar.coverage.jacoco.xmlReportPaths = target/site/**/jacoco*.xml
+#sonar.java.codeCoveragePlugin = jacoco
+#sonar.junit.reportPaths = target/surefire-reports,target/failsafe-reports
+#sonar.testExecutionReportPaths = target/test-results/jest/TESTS-results-sonar.xml
+#sonar.javascript.lcov.reportPaths = target/test-results/lcov.info
+#
+#sonar.sourceEncoding = UTF-8
+#sonar.exclusions = src/main/webapp/content/**/*.*, src/main/webapp/i18n/*.js, target/classes/static/**/*.*
+#
+#sonar.issue.ignore.multicriteria = S1192,S125,S3437,S4502,S4684,S5145,UndocumentedApi
+#
+## Rule https://rules.sonarsource.com/java/RSPEC-3437 is ignored, as a JPA-managed field cannot be transient
+#sonar.issue.ignore.multicriteria.S3437.resourceKey = src/main/java/**/*
+#sonar.issue.ignore.multicriteria.S3437.ruleKey = squid:S3437
+## Rule https://rules.sonarsource.com/java/RSPEC-4502 is ignored, as for JWT tokens we are not subject to CSRF attack
+#sonar.issue.ignore.multicriteria.S4502.resourceKey = src/main/java/**/*
+#sonar.issue.ignore.multicriteria.S4502.ruleKey = java:S4502
+## Rule https://rules.sonarsource.com/java/RSPEC-4684
+#sonar.issue.ignore.multicriteria.S4684.resourceKey = src/main/java/**/*
+#sonar.issue.ignore.multicriteria.S4684.ruleKey = java:S4684
+## Rule https://rules.sonarsource.com/java/RSPEC-5145 log filter is applied
+#sonar.issue.ignore.multicriteria.S5145.resourceKey = src/main/java/**/*
+#sonar.issue.ignore.multicriteria.S5145.ruleKey = javasecurity:S5145
+## Rule https://rules.sonarsource.com/java/RSPEC-1176 is ignored, as we want to follow "clean code" guidelines and classes, methods and
+## arguments names should be self-explanatory
+#sonar.issue.ignore.multicriteria.UndocumentedApi.resourceKey = src/main/java/**/*
+#sonar.issue.ignore.multicriteria.UndocumentedApi.ruleKey = squid:UndocumentedApi
+## Rule https://rules.sonarsource.com/java/RSPEC-1192
+#sonar.issue.ignore.multicriteria.S1192.resourceKey = src/main/java/**/CacheConfiguration.java
+#sonar.issue.ignore.multicriteria.S1192.ruleKey = java:S1192
+## Rule https://rules.sonarsource.com/xml/RSPEC-125
+#sonar.issue.ignore.multicriteria.S125.resourceKey = src/main/resources/logback-spring.xml
+#sonar.issue.ignore.multicriteria.S125.ruleKey = xml:S125
diff --git a/src/main/docker/sonar.yml b/src/main/docker/sonar.yml
@@ -1,15 +1,15 @@
-# This configuration is intended for development purpose, it's **your** responsibility to harden it for production
-name: scaleup
-services:
- sonar:
- container_name: sonarqube
- image: sonarqube:10.5.1-community
- # Forced authentication redirect for UI is turned off for out of the box experience while trying out SonarQube
- # For real use cases delete SONAR_FORCEAUTHENTICATION variable or set SONAR_FORCEAUTHENTICATION=true
- environment:
- - SONAR_FORCEAUTHENTICATION=false
- # If you want to expose these ports outside your dev PC,
- # remove the "127.0.0.1:" prefix
- ports:
- - 127.0.0.1:9001:9000
- - 127.0.0.1:9000:9000
+## This configuration is intended for development purpose, it's **your** responsibility to harden it for production
+#name: scaleup
+#services:
+# sonar:
+# container_name: sonarqube
+# image: sonarqube:10.5.1-community
+# # Forced authentication redirect for UI is turned off for out of the box experience while trying out SonarQube
+# # For real use cases delete SONAR_FORCEAUTHENTICATION variable or set SONAR_FORCEAUTHENTICATION=true
+# environment:
+# - SONAR_FORCEAUTHENTICATION=false
+# # If you want to expose these ports outside your dev PC,
+# # remove the "127.0.0.1:" prefix
+# ports:
+# - 127.0.0.1:9001:9000
+# - 127.0.0.1:9000:9000