diff --git a/.github/workflows/nvd_scanner.yml b/.github/workflows/nvd_scanner.yml
index d46f39f..6026d6b 100644
--- a/.github/workflows/nvd_scanner.yml
+++ b/.github/workflows/nvd_scanner.yml
@@ -17,24 +17,64 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Setup - uses: ./.github/workflows/shared-setup + - name: Setup Java + uses: actions/setup-java@v4 with: - jdk: '11' + distribution: 'temurin' + java-version: 21 - - name: Get Date - id: get-date + - name: Install Clojure Tools + uses: DeLaGuardo/setup-clojure@12.5 + with: + cli: 'latest' + bb: 'latest' + + - name: Generate Cache Key run: | - echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT - shell: bash + bb --version + bb latest-release nvd-clojure | tee nvd_check_helper_project/nvd-clojure-version.txt - - name: Cache NVD Database - uses: actions/cache@v4 + - name: Restore NVD DB & Clojure Deps Cache + # nvd caches its db under ~/.m2/repository/org/owasp so that it can + # conveniently be cached with deps + uses: actions/cache/restore@v4 with: - path: /home/runner/.nvd-cache/ - key: nvd-cache-we-are-happy-to-share-across-branches-${{ steps.get-date.outputs.date }} + path: | + ~/.m2/repository + ~/.deps.clj + ~/.gitlibs + # because we are using a RELEASE version of nvd-clojure + # we also include its version + restore-keys: | + nvd-${{ hashFiles( + 'nvd_check_helper_project/nvd-clojure-version.txt', + 'nvd_check_helper_project/deps.edn', + 'nvd_check_helper_project/bb.edn', + 'bb.edn') }} + nvd- + + - name: Download Clojure deps + run: clojure -X:deps prep + working-directory: nvd_check_helper_project - name: Run NVD Scanner env: NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }} run: bb nvd-scan + + - name: Save NVD DB & Clojure Deps Cache + if: always() # always cache regardless of outcome of nvd scan + uses: actions/cache/save@v4 + with: + path: | + ~/.m2/repository + ~/.deps.clj + ~/.gitlibs + # we tack on github.run_id to uniquely identify the cache + # the next cache restore will find the best (and most current) match + key: | + nvd-${{ hashFiles( + 'nvd_check_helper_project/nvd-clojure-version.txt', + 'nvd_check_helper_project/deps.edn', + 'nvd_check_helper_project/bb.edn', + 'bb.edn') 
}}-${{ github.run_id }} diff --git a/bb.edn b/bb.edn index 71a5983..7fd60d8 100644 --- a/bb.edn +++ b/bb.edn @@ -5,10 +5,17 @@ version-clj/version-clj {:mvn/version "2.0.2"}} :tasks {;; setup :requires ([babashka.fs :as fs] + [babashka.http-client :as http] + [clojure.edn :as edn] [clojure.string :as string] [lread.status-line :as status]) - :enter (let [{:keys [name]} (current-task)] (status/line :head "TASK %s %s" name (string/join " " *command-line-args*))) - :leave (let [{:keys [name]} (current-task)] (status/line :detail "\nTASK %s done." name)) + + :enter (let [{:keys [name task-decoration] :as f} (current-task)] + (when-not (= :none task-decoration) + (status/line :head "TASK %s" name))) + :leave (let [{:keys [name task-decoration] :as f} (current-task)] + (when-not (= :none task-decoration) + (status/line :detail "\nTASK %s done." name))) ;; tasks clean @@ -47,16 +54,24 @@ lint {:doc "Run all lints" :depends [lint-kondo lint-eastwood]} + latest-release + {:doc "Return latest clojars release of given artifact" + :task-decoration :none + ;; we use RELEASE for nvd-clojure, so use its version as our cache key + :task (let [artifact (first *command-line-args*)] + (-> (http/get (str "https://clojars.org/api/artifacts/" artifact) + {:headers {"Accept" "application/edn"}}) + :body + edn/read-string + :latest_release + println))} nvd-scan {:doc "Check for security vulnerabilities in dependencies" - :task (let [config (if (System/getenv "CI") - "./github_actions_config.json" ;; to support CI caching - "./local_config.json")] - (status/line :detail "Using config: %s" config) + :task (let [cp (with-out-str (clojure "-Spath"))] (clojure {:dir "./nvd_check_helper_project"} "-J-Dclojure.main.report=stderr -M -m nvd.task.check" - config - (with-out-str (clojure "-Spath"))))} + "./config.json" + cp))} pubcheck {:doc "run only publish checks (without publishing)" :task publish/pubcheck} 
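Review bot: The "Restore NVD DB & Clojure Deps Cache" step passes only `restore-keys` and no `key`, and as far as I recall `actions/cache/restore@v4` declares `key` as a required input, so the step is likely to fail before restoring anything; add `key: nvd-${{ hashFiles('nvd_check_helper_project/nvd-clojure-version.txt', 'nvd_check_helper_project/deps.edn', 'nvd_check_helper_project/bb.edn', 'bb.edn') }}` above `restore-keys` so the exact-prefix lookup happens first and the `nvd-` fallback only catches the miss. The "Generate Cache Key" step dropped the `shell: bash` that the old "Get Date" step carried; without an explicit `shell: bash` the runner's default bash invocation does not set pipefail, so a failed `bb latest-release` is masked by `tee`, the version file that feeds the cache key ends up empty, and the job keys every run onto the same stale prefix — restore `shell: bash`. Separately, `DeLaGuardo/setup-clojure@12.5` is a third-party action pinned to a mutable tag; pinning it to a full-length commit SHA (tag kept in a trailing comment) keeps the step that installs the scanner toolchain from changing underneath the workflow, and `java-version: 21` would read more consistently quoted like `'temurin'`.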
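Review bot: Both new `:enter` and `:leave` hooks bind the full task map with `:as f` but never use `f`; drop it so the destructuring reads `{:keys [name task-decoration]}`. The `:enter` header also no longer echoes `*command-line-args*` as the old version did, which is presumably deliberate so `latest-release` output stays clean for `tee`, but it changes the visible header for every task and deserves a word in the commit message.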
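Review bot: `latest-release` prints whatever `:latest_release` holds in the clojars response, so a response without that key (an API schema change, for instance) prints an empty line and the workflow that pipes it into nvd-clojure-version.txt silently keys the cache on an empty version; insert `(or (throw (ex-info "no :latest_release in clojars response" {:artifact artifact})))` between `:latest_release` and `println` in the `->` chain so the task fails loudly instead. The task also does not check that an artifact name was given, so with no argument the request goes to a URL ending in `/artifacts/`; a `(when-not artifact (throw ...))` guard at the top of the `let` would make the usage error obvious. Reading the body with `clojure.edn/read-string` is the right choice for data from a remote service, since it does not evaluate reader forms the way `clojure.core/read-string` can.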
diff --git a/nvd_check_helper_project/local_config.json b/nvd_check_helper_project/config.json
similarity index 100%
rename from nvd_check_helper_project/local_config.json
rename to nvd_check_helper_project/config.json
diff --git a/nvd_check_helper_project/deps.edn b/nvd_check_helper_project/deps.edn
index a55cef8..7d4325c 100644
--- a/nvd_check_helper_project/deps.edn
+++ b/nvd_check_helper_project/deps.edn
@@ -2,4 +2,6 @@
 ;; it is generally considered bad practice to use RELEASE, but we always want the latest
 ;; security tooling
 #_:clj-kondo/ignore
- {:mvn/version "RELEASE"}}}
+ {:mvn/version "RELEASE"}
+ ;; temporarily try bumping transitive dep to current release
+ org.owasp/dependency-check-maven {:mvn/version "10.0.0"}}}
diff --git a/nvd_check_helper_project/github_actions_config.json b/nvd_check_helper_project/github_actions_config.json
deleted file mode 100644
index 220ebf8..0000000
--- a/nvd_check_helper_project/github_actions_config.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{"delete-config?": false,
- "nvd": {"suppression-file": "./suppressions.xml",
- "data-directory": "/home/runner/.nvd-cache/"}}
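Review bot: The explicit `org.owasp/dependency-check-maven {:mvn/version "10.0.0"}` coordinate sits beside the `RELEASE` coordinate that exists precisely so the scanner always runs the newest security tooling, and a top-level version wins over whatever nvd-clojure's RELEASE would bring in transitively, so once newer dependency-check releases appear this line will hold the scanning engine back without anyone noticing. The comment calls the bump temporary but gives no condition for removing it; make it checkable, e.g. `;; TEMP: pins transitive dependency-check; drop once nvd-clojure RELEASE resolves >= 10.0.0 (tracking: <issue placeholder>)`, and consider an issue so the cache-key-on-version logic in the workflow does not quietly mask the staleness. The enclosing `:deps` map opens before this hunk.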