Merge pull request #2864 from mercedes-benz/gha_feature-2441-provide-…

…multiple-scantypes Gha feature 2441 provide multiple scantypes
mercedes-benz · Apr 9, 2024 · ae265a7 · ae265a7
2 parents a23864f + 8322e64
commit ae265a7
Show file tree

Hide file tree

Showing 84 changed files with 6,412 additions and 15,971 deletions.
diff --git a/.github/workflows/github-action-scan.yml b/.github/workflows/github-action-scan.yml
@@ -1,7 +1,10 @@
 # SPDX-License-Identifier: MIT
-name: Build SecHub GitHub Action
+name: Build SecHub GHA (scan)
 
-on: workflow_dispatch
+on:
+ push:
+ branches:
+ - 'gha_*'
 
 jobs:
  build-scan:
@@ -19,14 +22,94 @@ jobs:
  # We do not define a dedicated node version here, we just use the default environment
  # which should be the default environment for the github actions runtime as well
  uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
- 
+
  - name: Clean install
  run: npm ci 
 
  - name: Build
  run: npm run build --if-present
 
- - name: Run tests
+ - name: Run unit tests
  run: npm test
-
+
+ # We store git status - why? Here we see, if index.js has been changed - if so, a developer
+ # forgot to commit the changes - means the action cannot be used productive! 
+ - name: Store git status
+ run: |
+ git status
+ mkdir "${{ github.workspace }}/build" -p
+ git status >> "${{ github.workspace }}/build/git-status.txt"
+ - name: Define integration test setup
+ id : version-selector
+ run: |
+ echo "sechub_server_version=1.8.0" >> "$GITHUB_ENV"
+ echo "sechub_server_port=8443" >> "$GITHUB_ENV"
+ echo "pds_version=1.5.0" >> "$GITHUB_ENV"
+ echo "pds_port=8444" >> "$GITHUB_ENV"
+
+ - name: Cache SecHub server download 
+ # Cache V4 release: 13aacd865c20de90d75de3b17ebe84f7a17d57d2
+ uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 
+ with:
+ path: ./build/sechub-runtime/server/${{ env.sechub_server_version }}/
+ key: ${{ runner.os }}-sechub-server-${{ env.sechub_server_version }}
+
+ - name: Cache PDS download 
+ # Cache V4 release: 13aacd865c20de90d75de3b17ebe84f7a17d57d2
+ uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 
+ with:
+ path: ./build/sechub-runtime/pds/${{ env.pds_version }}/
+ key: ${{ runner.os }}-pds-${{ env.pds_version }}
+
+ - name: Set up JDK 17 (to run servers)
+ uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
+ with:
+ java-version: 17
+ distribution: temurin
 
+
+ - name: Start integration test servers
+ working-directory: ./github-actions/scan/__test__/integrationtest/
+ run: ./01-start.sh $sechub_server_version $sechub_server_port $pds_version $pds_port
+
+ - name: Init integration test data
+ working-directory: ./github-actions/scan/__test__/integrationtest/
+ run: ./03-init_sechub_data.sh $sechub_server_port $pds_port
+
+ - name: Run integration tests
+ run: npm run integration-test
+
+ - name: Cleanup integration tests
+ working-directory: ./github-actions/scan/__test__/integrationtest/
+ run: ./05-stop.sh $sechub_server_port $pds_port
+
+ # ------------------------------------ Archive git status-------------------
+ - name: Archive git status
+ if: always()
+ uses: actions/upload-artifact@v3
+ with:
+ name: git-status
+ path: "${{ github.workspace }}/build/git-status.txt"
+ retention-days: 14
+
+ # ------------------------------------ Archive runtime logs-------------------
+ - name: Archive runtime logs
+ if: always()
+ uses: actions/upload-artifact@v3
+ with:
+ name: sechub-runtime-logiles
+ path: ./build/sechub-runtime/**/*.log
+ retention-days: 14
+ # ------------------------------------ Archive reports -----------------------
+ - name: Archive reports
+ if: always()
+ uses: actions/upload-artifact@v3
+ with:
+ name: sechub-reports
+ path: |
+ ./github-actions/scan/sechub_report*.*
+ ./sechub_report*.*
+ retention-days: 14
+
+
+
diff --git a/.gitignore b/.gitignore
@@ -22,6 +22,9 @@ src-gen/
 # vscode parts
 .vscode/
 
+# theia parts
+.theia/
+
 # gradle parts
 .gradle/
 
@@ -66,3 +69,7 @@ copy/
 
 # Node
 node_modules/
+
+# github-action integration test
+.sechub-gha/
+generated-sechub.json
diff --git a/github-actions/scan/.gitignore b/github-actions/scan/.gitignore
@@ -0,0 +1 @@
+runtime/
diff --git a/github-actions/scan/README.adoc b/github-actions/scan/README.adoc
@@ -1,16 +1,20 @@
 // SPDX-License-Identifier: MIT
+:toc:
+:toclevels: 5
 
 == GitHub Action for SecHub scan
 
 This GitHub action uses the SecHub cli to scan the repository for security issues.
 
 
+
+
 === Usage
 
 To be able to use this action you need a SecHub project. Check the https://mercedes-benz.github.io/sechub/[documentation] on how to set one up.
 
-```yaml
-
+[source,yaml]
+----
 - uses: mercedes-benz/sechub/github-actions/scan@72a27282da80952e6fadcef452c6a9085971c688
  with:
  # OPTIONAL: Path to sechub.json for manual configuration. If no value is set the input parameters will be used to create it for the scan.'
@@ -29,19 +33,34 @@ To be able to use this action you need a SecHub project. Check the https://merce
  project-name: ${{ secrets.SECHUB_PROJECT }}
 
  # OPTIONAL: Which version of the SecHub cli to use
- # DEFAULT: 1.2.0
- version: '1.2.0'
-
+ # DEFAULT: 1.4.0
+ version: '1.4.0'
+ 
+ # OPTIONAL: A list of scan types that shall be used when a sechub configuration file is generated.
+ # Allowed values: codeScan, secretScan and licenseScan - If you want other scan types you 
+ # have to create a sechub configuration file and provide it by the config-path attribute
+ # (ignored in the case of a custom configuration file)
+ # DEFAULT: codeScan
+ scan-types: codeScan, secretScan
+
+ # OPTIONAL: A definition of the content type which shall be used for sechub configuration file generation.
+ # Allowed values: source,binaries. Cannot be combined.
+ # (ignored in the case of a custom configuration file)
+ # DEFAULT: source
+ content-type: source
+ 
  # OPTIONAL: A list of folders to be included. Multiple folders can be separated by ,
+ # (ignored in the case of a custom configuration file)
  include-folders: 'src,lib'
 
  # OPTIONAL: A list of folders to be excluded. Multiple folders can be separated by ,
+ # (ignored in the case of a custom configuration file)
  # DEFAULT: empty (see SecHub documentation for default excludes)
  exclude-folders: 'bin,build,dist'
 
  # REQUIRED: The formats in which the report should be downloaded. Multiple values can be separatd by ,
  # DEFAULT: json,html
- report-formats: 'json,html'
+ report-formats: 'json,html,spdx-json'
 
  # OPTIONAL: SecHub debug output on/off.
  # DEFAULT: false
@@ -88,9 +107,60 @@ It's necessary to execute the build after every change of the sources and you ha
 
 === Test
 
-To run the tests you have to run this command:
+==== Unit tests
+To run the unit tests you have to execute this command:
 
 [source,npm]
 ----
 npm run test
 ----
+
+
+==== Integration-Test
+As a precondition to run the integration tests locally you have to 
+
+- execute `__test__/01-start.sh $secHubServerVersion $sechubServerPortNr $pdsVersion $pdsPortNr`
+
+TIP: You can also start a SecHub server and a PDS (both in integration test mode) instead of using the `01-start` script.
+
+After the script has been executed, you can execute integration tests multiple times via following command:
+
+[source,npm]
+----
+npm run integration-test
+----
+
+To enable full debug output in integration tests please execute following before running the integration tests:
+[source,npm]
+----
+export SECHUB_DEBUG=true
+----
+
+==== Debug tests
+The unit and also the integration tests are written with `jest` test framework.
+
+===== Setup
+====== VSCodium
+
+Used extensions
+
+- Test explorer
+- Jest Test explorer
+- Jest
+
+In this setup the tests can be executed from sidebar and from links created inside the editor.
+
+[TIP]
+==== 
+Unfortunately, the Jest UI integration works only for npm script "test". But to handle integration tests different (the tests shall only be executed when all is build and servers are started) they are not executed by "test" script.
+
+If you want to **debug an integration test**, there is a temporary workaround necessary while you debug the test:
+
+- open `package.json` and look into section `scripts`
+- remove 'test' entry + copy `test-with-integrationtests` entry and rename copied part to `test`
+ (but please do not push this - otherwise build will fail on integration test!)
+- restart your VSCode/VSCodium instance (only necessary if integration tests are not listed in test explorer)
+- debug the parts, fix it etc.
+- remove 'test' entry + copy `test-without-integrationtests` entry and rename copied part to `test`
+- if necessary push fixes/changes to remote...
+====