Merge pull request #3052 from mercedes-benz/feature-2773-fsb-java21
FindSecurityBugs works with java 21 #2773
sven-dmlr committed Apr 9, 2024
2 parents 52655cd + f73b2f9 commit a23864f
Showing 8 changed files with 163 additions and 50 deletions.
1 change: 1 addition & 0 deletions .github/workflows/_build+publish-pds-solution.yml
Expand Up @@ -61,6 +61,7 @@ jobs:
export CHECKMARX_WRAPPER_VERSION
export CLOC_VERSION
export FINDSECURITYBUGS_VERSION
export SPOTBUGS_VERSION
export GITLEAKS_VERSION
export GOSEC_VERSION
export OWASPZAP_VERSION
11 changes: 5 additions & 6 deletions .github/workflows/build+publish-all-pds-solutions.yml
Expand Up @@ -20,12 +20,11 @@ jobs:
pds-solution: checkmarx
pds-version: ${{ inputs.pds-version }}

# 2023-06-12: findsecuritybugs deactivated due to upstream fix is not yet released
# call_build_pds-findsecuritybugs:
# uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop
# with:
# pds-solution: findsecuritybugs
# pds-version: ${{ inputs.pds-version }}
call_build_pds-findsecuritybugs:
uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop
with:
pds-solution: findsecuritybugs
pds-version: ${{ inputs.pds-version }}

call_build_pds-gitleaks:
uses: mercedes-benz/sechub/.github/workflows/_build+publish-pds-solution.yml@develop
28 changes: 19 additions & 9 deletions sechub-pds-solutions/findsecuritybugs/10-create-image.sh
Expand Up @@ -7,6 +7,8 @@ REGISTRY="$1"
VERSION="$2"
BASE_IMAGE="$3"

DEFAULT_BUILD_TYPE=build

usage() {
cat - <<EOF
usage: $0 <docker registry> <version tag> <base image>
Expand All @@ -15,7 +17,9 @@ for <docker registry> with tag <version tag>.
Required: <base image> ; for example ghcr.io/mercedes-benz/sechub/pds-base
Additionally these environment variables can be defined:
- FINDSECURITYBUGS_VERSION - version of FindSecurityBugs to use. E.g. 1.12.0
- BUILD_TYPE - Can be "build" or "download" (download only until fsb 1.12.0)
- FINDSECURITYBUGS_VERSION - version of FindSecurityBugs to use. E.g. 1.13.0
- SPOTBUGS_VERSION - version of SpotBugs to use. E.g. 4.8.3
EOF
}

Expand Down Expand Up @@ -47,17 +51,23 @@ echo ">> Base image: $BASE_IMAGE"
if [[ ! -z "$FINDSECURITYBUGS_VERSION" ]] ; then
echo ">> FindSecurityBugs version: $FINDSECURITYBUGS_VERSION"
BUILD_ARGS+=" --build-arg FINDSECURITYBUGS_VERSION=$FINDSECURITYBUGS_VERSION"
fi

if [[ -z "$FINDSECURITYBUGS_SHA256SUM" ]] ; then
echo "FATAL: Please define sha256 checksum in FINDSECURITYBUGS_SHA256SUM environment variable"
exit 1
fi

echo ">> FindSecurityBugs sha256sum: $FINDSECURITYBUGS_SHA256SUM"
BUILD_ARGS+=" --build-arg FINDSECURITYBUGS_SHA256SUM=$FINDSECURITYBUGS_SHA256SUM"
if [[ ! -z "$SPOTBUGS_VERSION" ]] ; then
echo ">> SpotBugs version: $SPOTBUGS_VERSION"
BUILD_ARGS+=" --build-arg SPOTBUGS_VERSION=$SPOTBUGS_VERSION"
fi

[ -z "$BUILD_TYPE" ] && BUILD_TYPE="$DEFAULT_BUILD_TYPE"
echo ">> build type: $BUILD_TYPE"
BUILD_ARGS+=" --build-arg BUILD_TYPE=$BUILD_TYPE"

echo "Copying install-java scripts into the docker directory"
cp -rf ../../sechub-solutions-shared/install-java/ docker/

export BUILDKIT_PROGRESS=plain
export DOCKER_BUILDKIT=1
docker build --pull --no-cache $BUILD_ARGS \
--tag "$REGISTRY:$VERSION" \
--file docker/FindSecurityBugs-Debian.dockerfile docker/
docker tag "$REGISTRY:$VERSION" "$REGISTRY:latest"
docker tag "$REGISTRY:$VERSION" "$REGISTRY:latest"
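Review bot: BUILD_TYPE is defaulted at `[ -z "$BUILD_TYPE" ] && BUILD_TYPE="$DEFAULT_BUILD_TYPE"` but never validated, so a typo such as `BUILD_TYPE=dowload` only surfaces later as a docker error on the `FROM builder-${BUILD_TYPE}` line of the dockerfile; a guard before the echo, `case "$BUILD_TYPE" in build|download) ;; *) echo "FATAL: BUILD_TYPE must be 'build' or 'download'" 1>&2; exit 1;; esac`, fails fast in the script's existing FATAL style. The same hunk drops the FINDSECURITYBUGS_SHA256SUM requirement and its `--build-arg` without a replacement, and the dockerfile's builder-download stage only does `wget` then `mv`, so in download mode nothing verifies the fetched zip any more where the removed final-stage block used to run `sha256sum --check`; if the checksum is meant to move into the dockerfile, the usage text should say so, otherwise the checksum plumbing is worth keeping for that mode. The `cp -rf ../../sechub-solutions-shared/install-java/ docker/` copy runs on every invocation and is not cleaned up afterwards; the new `/install-java` .gitignore entry covers the checked-in side, but a comment such as `# build-time copy, ignored by docker/.gitignore` next to it would tell the next reader why the directory appears.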
1 change: 1 addition & 0 deletions sechub-pds-solutions/findsecuritybugs/docker/.gitignore
@@ -1,2 +1,3 @@
copy/**
!copy/README.adoc
/install-java
Expand Up @@ -2,6 +2,103 @@

# The image argument needs to be placed on top
ARG BASE_IMAGE

# Arguments
# The FindSecurityBugs version to use. See https://github.com/find-sec-bugs/find-sec-bugs/releases
ARG FINDSECURITYBUGS_VERSION="1.13.0"
# The Spotbugs version to use. See https://github.com/spotbugs/spotbugs/releases
ARG SPOTBUGS_VERSION="4.8.3"
# Build type can be "build" or "download"
ARG BUILD_TYPE="build"
# The base image of the builder
ARG BUILDER_BASE_IMAGE="debian:12-slim"
ARG ARTIFACT_FOLDER="/artifacts"


#-------------------
# Builder Download
#-------------------
# (downloads a released FindSecurityBugs bundle)

FROM ${BUILDER_BASE_IMAGE} AS builder-download

ARG ARTIFACT_FOLDER
ARG FINDSECURITYBUGS_VERSION

RUN mkdir -p "$ARTIFACT_FOLDER"

RUN export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get -y install dos2unix unzip wget && \
apt-get clean

# Download the Xray Wrapper (beware: this works only until version 1.12.0)
RUN cd "/tmp" && \
# download pds
wget --no-verbose "https://github.com/find-sec-bugs/find-sec-bugs/releases/download/version-$FINDSECURITYBUGS_VERSION/findsecbugs-cli-$FINDSECURITYBUGS_VERSION.zip" && \
mv findsecbugs-cli-$FINDSECURITYBUGS_VERSION.zip "$ARTIFACT_FOLDER"


#-------------------
# Builder Build
#-------------------
# (downloads a released FindSecurityBugs bundle)

FROM ${BUILDER_BASE_IMAGE} AS builder-build

ARG ARTIFACT_FOLDER
ARG FINDSECURITYBUGS_VERSION
ARG SPOTBUGS_VERSION
ARG JAVA_DISTRIBUTION="temurin"
ARG JAVA_VERSION="17"

ENV DOWNLOAD_FOLDER="/downloads"
ENV BUILD_FOLDER="/build"

RUN mkdir -p "$ARTIFACT_FOLDER" "$DOWNLOAD_FOLDER" "$BUILD_FOLDER"

RUN export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get -y install dos2unix git gradle unzip && \
apt-get clean

COPY --chmod=755 install-java/debian "$DOWNLOAD_FOLDER/install-java/"

# Install Java
RUN cd "$DOWNLOAD_FOLDER/install-java/" && \
./install-java.sh "$JAVA_DISTRIBUTION" "$JAVA_VERSION" jdk

# Copy clone script
COPY --chmod=755 clone.sh "$BUILD_FOLDER/clone.sh"

RUN cd "$BUILD_FOLDER" && \
./clone.sh https://github.com/find-sec-bugs/find-sec-bugs.git master version-$FINDSECURITYBUGS_VERSION && \
cd "find-sec-bugs/cli/" && \
echo "fsbVersion=$FINDSECURITYBUGS_VERSION" > gradle.properties && \
echo "spotbugsVersion=$SPOTBUGS_VERSION" >> gradle.properties && \
gradle packageCli && \
mv findsecbugs-cli-$FINDSECURITYBUGS_VERSION.zip "$ARTIFACT_FOLDER"


#-------------------
# Builder
#-------------------

FROM builder-${BUILD_TYPE} as builder

ARG ARTIFACT_FOLDER
ARG FINDSECURITYBUGS_VERSION
RUN echo "build stage - unpacking zip" && \
cd "$ARTIFACT_FOLDER" && \
unzip -q "findsecbugs-cli-$FINDSECURITYBUGS_VERSION.zip" && \
dos2unix "$ARTIFACT_FOLDER/findsecbugs.sh" && \
chmod +x "$ARTIFACT_FOLDER/findsecbugs.sh" && \
rm -f "findsecbugs-cli-$FINDSECURITYBUGS_VERSION.zip"


#------------------------------
# PDS + FindSecurityBugs Image
#------------------------------
FROM ${BASE_IMAGE}

# The remaining arguments need to be placed after the `FROM`
Expand All @@ -13,8 +110,8 @@ LABEL org.opencontainers.image.description="A container which combines FindSecur
LABEL maintainer="SecHub FOSS Team"

# Arguments
ARG FINDSECURITYBUGS_VERSION="1.12.0"
ARG FINDSECURITYBUGS_SHA256SUM="a50bd4741a68c6886bbc03d20da9ded44bce4dd7d0d2eee19ceb338dd644cd55"
ARG ARTIFACT_FOLDER
ARG FINDSECURITYBUGS_VERSION

# Environment variables in container
ENV FINDSECURITYBUGS_VERSION="${FINDSECURITYBUGS_VERSION}"
Expand All @@ -24,26 +121,9 @@ USER root
RUN export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get --assume-yes upgrade && \
apt-get --assume-yes install dos2unix unzip wget libxml2-utils && \
apt-get --assume-yes install libxml2-utils temurin-21-jre && \
apt-get --assume-yes clean

# Install FindSecurityBugs
RUN cd "$DOWNLOAD_FOLDER" && \
# download pds
wget --no-verbose "https://github.com/find-sec-bugs/find-sec-bugs/releases/download/version-$FINDSECURITYBUGS_VERSION/findsecbugs-cli-$FINDSECURITYBUGS_VERSION.zip" && \
# create sha256sum
echo "$FINDSECURITYBUGS_SHA256SUM findsecbugs-cli-$FINDSECURITYBUGS_VERSION.zip" > "findsecbugs-cli-$FINDSECURITYBUGS_VERSION.zip.sha256sum" && \
# verify that the checksum and the checksum of the file are same
sha256sum --check "findsecbugs-cli-$FINDSECURITYBUGS_VERSION.zip.sha256sum" && \
# extract FindSecurityBugs
unzip -q "findsecbugs-cli-$FINDSECURITYBUGS_VERSION.zip" -d "$TOOL_FOLDER" && \
# Convert Windows format to Unix
dos2unix "$TOOL_FOLDER/findsecbugs.sh" && \
# make FindSecurityBugs executable
chmod +x "$TOOL_FOLDER/findsecbugs.sh" && \
# Cleanup download folder
rm --recursive --force "$DOWNLOAD_FOLDER"/*

# Copy PDS configfile
COPY pds-config.json "$PDS_FOLDER/pds-config.json"

Expand All @@ -53,16 +133,14 @@ RUN chmod +x "$TOOL_FOLDER/findsecbugs_sechub.sh"

# Copy scripts
COPY scripts "$SCRIPT_FOLDER"
RUN chmod --recursive +x "$SCRIPT_FOLDER"
RUN chmod +x "$SCRIPT_FOLDER"/*.sh

# Mock folder
COPY mocks "$MOCK_FOLDER"

# TODO: Remove the lines below in the future
# This is a workaround as long as Spotbugs does not support taxonomies
# https://github.com/spotbugs/spotbugs/issues/2321
COPY copy/spotbugs.jar "$TOOL_FOLDER/lib/spotbugs.jar"
COPY copy/spotbugs-annotations.jar "$TOOL_FOLDER/lib/spotbugs-annotations.jar"
# Install FindSecurityBugs
# Copy artifacts from builder
COPY --from=builder "$ARTIFACT_FOLDER" "$TOOL_FOLDER"

# Set workspace
WORKDIR "$WORKSPACE"
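Review bot: The comment `# Download the Xray Wrapper (beware: this works only until version 1.12.0)` above the wget in builder-download looks like a copy-paste leftover, and the `# (downloads a released FindSecurityBugs bundle)` line under the "Builder Build" banner describes the download stage rather than this one, which clones the repository and runs `gradle packageCli`; `# Download the released FindSecurityBugs CLI bundle (releases exist only up to 1.12.0; use BUILD_TYPE=build beyond that)` and `# (builds the FindSecurityBugs CLI bundle from source)` would match what the two stages do. In builder-build, `./clone.sh https://github.com/find-sec-bugs/find-sec-bugs.git master version-$FINDSECURITYBUGS_VERSION` pins a git tag, which upstream can move; logging the resolved commit after the clone (`git rev-parse HEAD`) or pinning a commit instead would make a rebuild of the same FINDSECURITYBUGS_VERSION reproducible. `FROM builder-${BUILD_TYPE} as builder` uses lowercase `as` while the two preceding stages use `AS`; BuildKit's FromAsCasing check flags the mismatch, so `AS` keeps the file consistent. The two builder `apt-get` steps install without `--no-install-recommends` and run `apt-get clean` but leave `/var/lib/apt/lists` in place; harmless in stages that are discarded, but `rm -rf /var/lib/apt/lists/*` is the usual idiom and keeps the builder layers small.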
28 changes: 28 additions & 0 deletions sechub-pds-solutions/findsecuritybugs/docker/clone.sh
@@ -0,0 +1,28 @@
#!/usr/bin/env sh
# SPDX-License-Identifier: MIT

GIT_URL="$1"
BRANCH="$2"
TAG="$3"

if [ -z "$GIT_URL" ]
then
echo "No Git url provided" 1>&2
exit 1
fi

git_args=""

if [ ! -z "$TAG" ]
then
echo "Tag: $TAG"
git_args="--branch $TAG"
elif [ ! -z "$BRANCH" ]
then
echo "Branch: $BRANCH"
git_args="--branch $BRANCH"
else
echo "Cloning default branch"
fi

git clone --depth 1 $git_args "$GIT_URL"
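Review bot: The script has no usage comment, and its precedence rule — a non-empty third argument wins over the second — is only visible from the if/elif chain; a header such as `# Usage: clone.sh <git url> [branch] [tag]  -- shallow clone; tag takes precedence over branch` would state it. `[ ! -z "$TAG" ]` and `[ ! -z "$BRANCH" ]` read more directly as `[ -n "$TAG" ]` and `[ -n "$BRANCH" ]`. Nothing records what the clone resolved to: a tag can be moved upstream, so printing the checked-out commit after the clone, for example `git -C "$(basename "$GIT_URL" .git)" rev-parse HEAD`, would leave a trace of what was actually built; that line assumes git's default directory name, so confirm it against the caller in the dockerfile.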
@@ -1,4 +1,4 @@
#!/usr/bin/env bash
#!/usr/bin/bash
# SPDX-License-Identifier: MIT

# This is copied from the findsecbugs.sh folder
12 changes: 4 additions & 8 deletions sechub-pds-solutions/findsecuritybugs/env
@@ -1,8 +1,4 @@
# See: https://github.com/find-sec-bugs/find-sec-bugs/releases
FINDSECURITYBUGS_VERSION="1.12.0"

# The base image to use
# uncomment to use local image
# BASE_IMAGE="pds-base_pds"
BASE_IMAGE="ghcr.io/mercedes-benz/sechub/pds-base"

# The FindSecurityBugs version to use. See: https://github.com/find-sec-bugs/find-sec-bugs/releases
FINDSECURITYBUGS_VERSION="1.13.0"
# The Spotbugs version to use. See https://github.com/spotbugs/spotbugs/releases
SPOTBUGS_VERSION="4.8.3"
