Initial Snyk integraiton #24

Open
wants to merge 3 commits into
base: main
66 changes: 66 additions & 0 deletions .github/workflows/comp-compile-pbj-code.yaml
Expand Up @@ -22,6 +22,16 @@ on:
type: boolean
required: false
default: false
enable-snyk-scan:
description: "Snyk Scan Enabled"
type: boolean
required: false
default: false
enable-snyk-monitor:
description: "Snyk Monitor Enabled"
type: boolean
required: false
default: false
java-distribution:
description: "Java JDK Distribution:"
type: string
Expand Down Expand Up @@ -50,6 +60,9 @@ on:
sonar-token:
description: "The SonarCloud access token used by the SonarQube agent to report an analysis."
required: false
snyk-token:
description: "The Snyk access token is used by Snyk to analyze the code for vulnerabilities."
required: false

defaults:
run:
Expand Down Expand Up @@ -94,6 +107,12 @@ jobs:
notifications
jdks

- name: Setup Node.js
uses: actions/setup-node@v3
if: ${{ inputs.enable-snyk-scan && !cancelled() && always()}}
with:
node-version: 18

- name: Gradle Assemble (PBJ Core)
id: gradle-build
uses: gradle/gradle-build-action@v2
Expand Down Expand Up @@ -168,6 +187,53 @@ jobs:
build-root-directory: ${{ env.PBJ_INTEGRATION_TESTS }}
arguments: jmh --scan

- name: Gradle Snyk Test (PBJ Core)
id: gradle-snyk-test
uses: gradle/gradle-build-action@v2
if: ${{ inputs.enable-snyk-scan && !cancelled() && always()}}
with:
gradle-version: ${{ inputs.gradle-version }}
build-root-directory: ${{ env.PBJ_CORE }}
arguments: snyk-test
env:
SNYK_TOKEN: ${{ secrets.snyk-token }}

- name: Gradle Snyk Code Test (PBJ Core)
id: gradle-snyk-code
uses: gradle/gradle-build-action@v2
if: ${{ inputs.enable-snyk-scan && !cancelled() && always()}}
with:
gradle-version: ${{ inputs.gradle-version }}
build-root-directory: ${{ env.PBJ_CORE }}
arguments: snyk-code
env:
SNYK_TOKEN: ${{ secrets.snyk-token }}

- name: Setup Snyk Reports
if: ${{ inputs.enable-snyk-scan && !cancelled() && always()}}
run: npm install -g snyk-to-html @wcj/html-to-markdown-cli

- name: Publish Snyk Results
if: ${{ inputs.enable-snyk-scan && !cancelled() && always()}}
run: |
snyk-to-html -i build/reports/snyk-test.json -o build/reports/snyk-test.html && \
html-to-markdown build/reports/snyk-test.html -o build/reports/snyk && \
cat build/reports/snyk/snyk-test.html.md >> $GITHUB_STEP_SUMMARY
snyk-to-html -i build/reports/snyk-code.sarif -o build/reports/snyk-code.html && \
html-to-markdown build/reports/snyk-code.html -o build/reports/snyk && \
cat build/reports/snyk/snyk-code.html.md >> $GITHUB_STEP_SUMMARY
working-directory: ${{ env.PBJ_CORE }}

- name: Gradle Snyk Monitor(PBJ Core)
id: gradle-snyk-monitor
uses: gradle/gradle-build-action@v2
if: ${{ inputs.enable-snyk-monitor && !cancelled() && always()}}
with:
gradle-version: ${{ inputs.gradle-version }}
build-root-directory: ${{ env.PBJ_CORE }}
arguments: snyk-monitor
env:
SNYK_TOKEN: ${{ secrets.snyk-token }}
# - name: SonarCloud Options
# id: sonar-cloud
# env:
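Review bot: The SARIF produced by the snyk-code step is handed to `snyk-to-html` on L116, but that tool documents its input as the JSON report of `snyk test`, so the code-scan summary may render empty or fail — worth checking the step output once. The natural consumer of a SARIF file is the code-scanning upload action, which also surfaces the findings in the repository's Security tab; it needs `security-events: write` from the calling workflow, and I cannot see this reusable workflow's own `permissions` block from the hunk. Separately, `!cancelled() && always()` on L73, L87, L98, L107, L111 and L124 is redundant: `always()` returns true even on cancellation, so the pair reduces to `always()`, and `!cancelled()` alone is what expresses "run unless cancelled". The step below would follow the Publish step and reuse the same guard; it expects the SARIF file to exist, so it should stay behind the `enable-snyk-scan` input.
```yaml
      - name: Upload Snyk Code SARIF
        uses: github/codeql-action/upload-sarif@v2
        if: ${{ inputs.enable-snyk-scan && !cancelled() }}
        with:
          sarif_file: ${{ env.PBJ_CORE }}/build/reports/snyk-code.sarif
          category: snyk-code
```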
13 changes: 13 additions & 0 deletions .github/workflows/flow-pull-request-checks.yaml
Expand Up @@ -43,3 +43,16 @@ jobs:
secrets:
access-token: ${{ secrets.GITHUB_TOKEN }}
sonar-token: ${{ secrets.SONAR_TOKEN }}

snyk-scan:
name: Snyk Scan
uses: ./.github/workflows/comp-compile-pbj-code.yaml
if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
with:
custom-job-label: Standard
enable-integration-tests: false
enable-sonar-analysis: false
enable-snyk-scan: true
secrets:
access-token: ${{ secrets.GITHUB_TOKEN }}
snyk-token: ${{ secrets.SNYK_TOKEN }}
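Review bot: The head-repo guard on L145 is the right call for a job that needs `SNYK_TOKEN`, but nothing says why, and the silent skip will read as a missing check on pull requests from forks; add `# Secrets are not exposed to fork PRs, so the Snyk scan is skipped there rather than failed` above the `if:`. This job also calls the same reusable workflow as the job above it, so the Gradle assemble in comp-compile-pbj-code.yaml appears to run twice per pull request; if that is not intended, `enable-snyk-scan: true` could be added to the existing job's `with:` instead (the rest of that job is outside this hunk, so this is inferred). Whether a high-severity Snyk finding should block merging is a policy decision worth stating in a comment on the job, since the `snyk-code` task introduced in this PR fails the build on findings.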
31 changes: 31 additions & 0 deletions .github/workflows/flow-snyk-monitor.yaml
@@ -0,0 +1,31 @@
name: "Snyk Monitor"

on:
push:
branches:
- main
workflow_dispatch:

permissions:
contents: read
security-events: write
checks: write
issues: read
pull-requests: write
statuses: write
id-token: write

defaults:
run:
shell: bash

jobs:
snyk-monitor:
name: Snyk Monitor
uses: ./.github/workflows/comp-compile-pbj-code.yaml
with:
custom-job-label: Standard
enable-snyk-monitor: true
secrets:
access-token: ${{ secrets.GITHUB_TOKEN }}
snyk-token: ${{ secrets.SNYK_TOKEN }}
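Review bot: The `permissions` block on L165–L172 grants far more than a monitor run needs — `security-events: write`, `checks: write`, `pull-requests: write`, `statuses: write` and `id-token: write` are all write scopes, and the only work this flow triggers (a Gradle build plus `snyk-monitor`, which authenticates with `SNYK_TOKEN` rather than the GitHub token) shows no use for them. The caller's permissions are the ceiling for the token the reusable workflow receives, so this file is where they should be kept minimal: start from `permissions:` / `contents: read` and add a scope back only where a step in comp-compile-pbj-code.yaml demonstrably needs it (I cannot see that workflow's own `permissions` from here). A short comment naming the step that needs each remaining scope would keep the list from growing by copy-paste.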
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -706,3 +706,6 @@ Temporary Items

### Generated Protobuf Files
/tests/src/main/proto/

### Snyk binary
snyk
1 change: 1 addition & 0 deletions pbj-core/buildSrc/build.gradle.kts
Expand Up @@ -13,4 +13,5 @@ dependencies {
implementation("gradle.plugin.lazy.zoo.gradle:git-data-plugin:1.2.2")
implementation("com.adarshr:gradle-test-logger-plugin:3.2.0")
implementation("io.github.gradle-nexus:publish-plugin:1.1.0")
implementation("gradle.plugin.io.snyk.gradle.plugin:snyk:0.4")
}
Expand Up @@ -21,6 +21,7 @@ plugins {
id("com.hedera.pbj.spotless-conventions")
id("com.hedera.pbj.spotless-java-conventions")
id("com.hedera.pbj.spotless-kotlin-conventions")
id("com.hedera.pbj.snykcode")
id("com.adarshr.test-logger")
}

@@ -0,0 +1,63 @@
/*-
* ‌
* Hedera Mirror Node
* ​
* Copyright (C) 2019 - 2023 Hedera Hashgraph, LLC
* ​
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* ‍
*/

plugins {
id("io.snyk.gradle.plugin.snykplugin")
}
abstract class SnykCodeTask : io.snyk.gradle.plugin.SnykTask() {
⚠️ Codacy found a medium Error Prone issue: SnykCodeTask is missing required documentation.

The issue reported by the linter detekt is that the SnykCodeTask abstract class is missing required documentation. In Kotlin, as in many other programming languages, it is considered good practice to document classes, interfaces, functions, etc., especially when they are part of a public API or intended to be used by other developers. This documentation usually takes the form of a comment block above the class declaration that explains the purpose and usage of the class.

To fix this issue, you should add a KDoc comment block above the SnykCodeTask class declaration. KDoc is Kotlin's documentation system, which uses a syntax similar to Java's Javadoc. This comment should provide a clear description of what the class is for and any important information that a developer using this class should know.

Here is an example of how you might document the SnykCodeTask class:

Suggested change
abstract class SnykCodeTask : io.snyk.gradle.plugin.SnykTask() {
/**
* `SnykCodeTask` is an abstract Gradle task for running Snyk Code tests within the build process.
* It extends the `SnykTask` provided by the Snyk Gradle plugin and defines the `doSnykTest` method
* to execute the Snyk Code analysis and handle the results.
*
* The task will perform authentication and then run the Snyk Code test command. If the test
* results in an exit code greater than 0, indicating an issue was found, a `GradleException`
* will be thrown, causing the build to fail.
*/
abstract class SnykCodeTask : io.snyk.gradle.plugin.SnykTask() {
// Class implementation
}

By adding this documentation, you will resolve the linter issue, and other developers will have a better understanding of the purpose and functionality of the SnykCodeTask class.


This comment was generated by an experimental AI tool.

@TaskAction
fun doSnykTest() {
⚠️ Codacy found a medium Error Prone issue: The function doSnykTest is missing documentation.

The issue highlighted by the linter detekt is that the doSnykTest function is missing documentation. In Kotlin, it's considered a good practice to document the public API of your code. This includes classes, interfaces, functions, and their non-private members. Documentation is typically added directly above the declaration using a documentation comment, which starts with /** and ends with */.

To fix this issue, you should add a documentation comment to the doSnykTest function that explains what the function does, its parameters (if any), and what it returns or any side effects it may have (such as throwing an exception). This will help other developers understand the purpose and usage of the function without having to read its implementation details.

Here's an example of how you can add documentation to the doSnykTest function:

Suggested change
fun doSnykTest() {
/**
* Executes the Snyk Code Test task.
* This function authenticates with Snyk, runs the Snyk command for code testing,
* and logs the output. If the command exits with a non-zero exit code,
* a GradleException is thrown indicating that the Snyk Code Test failed.
*
* @throws GradleException if the Snyk Code Test command fails.
*/
fun doSnykTest() {
// Function implementation remains the same
}

Adding documentation comments like the one above will resolve the issue reported by detekt and improve the maintainability of your code.


This comment was generated by an experimental AI tool.

log.debug("Snyk Code Test Task")
authentication()
val output: io.snyk.gradle.plugin.Runner.Result = runSnykCommand("code test")
log.lifecycle(output.output)
if (output.exitcode > 0) {
throw GradleException("Snyk Code Test failed")
}
}
}


tasks.register<SnykCodeTask>("snyk-code") {
dependsOn("snyk-check-binary")
doFirst {
snyk {
setSeverity("high")
setArguments("--all-sub-projects --sarif-file-output=build/reports/snyk-code.sarif")
}
}
}

tasks.`snyk-monitor` {
doFirst {
snyk {
setArguments("--all-sub-projects")
}
}
}

tasks.`snyk-test` {
doFirst {
snyk {
setSeverity("high")
setArguments("--all-sub-projects --json-file-output=build/reports/snyk-test.json")
}
}
}
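Review bot: The `GradleException` on L317 drops the CLI exit code, which is the one value that tells a broken Snyk run (auth, network, unsupported project) apart from "issues found"; include it, e.g. `throw GradleException("Snyk Code Test failed (exit code ${output.exitcode})")`. The license header on L219 names "Hedera Mirror Node", which looks copy-pasted from another repository and should name this project. The `snyk-code` task depends on `snyk-check-binary` (L324), which — judging by the `snyk` entry this PR adds to .gitignore — places a downloaded CLI executable in the project tree and then runs it with `SNYK_TOKEN`; worth confirming that the plugin pins the CLI version and verifies the download, and recording the answer in a comment on the task registration. `setSeverity("high")` on L327 and L344 presumably sets a severity threshold, so only high and critical findings are reported; a one-line comment stating that threshold and the reason for it would save the next reader a trip to the plugin docs.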