chore: add workflow for dependency-track #1654
Conversation
🚀 Deployed on https://pr-1654--dhis2-ui.netlify.app
Force-pushed ee4fd80 to 0fb7ac7
Generally looks good! Added a few comments.
It would also probably be a good idea to move this to a shared workflow (see https://github.com/dhis2/workflows-platform) and then refer to it from any repositories where we want to track the BOM
```yaml
- name: Install CycloneDX CLI
  run: |
    curl -s https://api.github.com/repos/CycloneDX/cyclonedx-cli/releases/latest | grep "browser_download_url.*linux.x64" | cut -d '"' -f 4 | wget -i -
    sudo mv cyclonedx-linux-x64 /usr/local/bin/
    sudo chmod +x /usr/local/bin/cyclonedx-linux-x64
```
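Review bot: the install step trusts whatever GitHub reports as the latest cyclonedx-cli release at run time and executes it without any integrity check (curl -s .../releases/latest | grep ... | wget -i -, then sudo mv and chmod +x), so a compromised or yanked release would be picked up silently and the workflow is not reproducible across runs; pin a release tag and verify the downloaded asset against a known digest (sha256sum -c) before moving it into /usr/local/bin. If the API call fails (for example on rate limiting) the pipeline downloads nothing and the step only fails later at the sudo mv, with no indication of the real cause.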
@martinakraus is the downloading of this binary necessary since we install cdxgen using npm in the next step..?
It seems to me that we should prefer npm install, as they do in this CycloneDX github action (though using a slightly different tool, the goal of creating a node_modules BOM looks the same...) https://github.com/CycloneDX/gh-node-module-generatebom/blob/master/index.js#L28
We have two repositories for shared workflows, https://github.com/dhis2/workflows (not necessarily reusable workflows) and https://github.com/dhis2/workflows-platform where we currently keep reusable workflows that apply across most of our apps
@amcgee I would love to do both. But there are two issues:
https://www.npmjs.com/package/%40cyclonedx/yarn-plugin-cyclonedx is used for creating SBOMs with the CycloneDX GitHub action. This requires Yarn > 3.
There are some frontend repos (for example dashboard-app) which are still on Yarn 1.2.2.
So in order to move it to a common workflow repo and use this workflow everywhere, I believe a common Yarn version is required.
Or I can use the CycloneDX GitHub action just in those frontend repos which are at least on Yarn version 3.
We only support yarn v1 for the moment, so there won't be any repos that have yarn v3 unfortunately.
It still seems that the binary download here isn't necessary though, right? Or is that a prerequisite for npm install -g @cyclonedx/cdxgen in the next step? Otherwise I'm not sure where this downloaded binary executable is being used?
Thanks so much @amcgee, you are absolutely right - this was totally unused.
The CycloneDX CLI can be used to merge SBOMs together into one - I have used it for dhis2-core. There I have created an SBOM for each project and in the end I merged them into one SBOM.
But not necessary at all here - this was just copy + paste confusion. Sorry for that!
```yaml
- uses: c-hive/gha-yarn-cache@v1
- run: yarn install --frozen-lockfile
```
This is probably fine, and likely comes from some of our other actions in this repository. We don't use this in our more modern standard repos, though, so might not be necessary to have this dependency.
Sounds good to me. Are there any docs about the configuration of the 'modern standard repos'?
So I removed the c-hive/gha-yarn-cache@v1 Workflow as well :)
```sh
--fail-with-body \
-H "Content-Type: multipart/form-data" \
-H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_APIKEY }}" \
-F "project=53c6ea2f-413f-45b9-a360-e366f917277d" \
```
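Review bot: the secret on the X-Api-Key line is all that authorises the upload, so the Dependency-Track key behind secrets.DEPENDENCYTRACK_APIKEY should belong to a team that holds only the BOM_UPLOAD permission, which keeps a leaked CI secret from reading or changing the rest of the portfolio; the project UUID on the -F "project=..." line is hardcoded for this one repository, which is what stops the step from being shared as a reusable workflow without editing it per repo.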
If we make this project ID a repository variable we can extract this whole workflow and call it from individual repositories - see for example https://github.com/dhis2/route-manager-app/blob/main/.github/workflows/comment-and-close.yml
I agree and would love that but please find my considerations above (regarding Yarn version)
```sh
npm install -g @cyclonedx/cdxgen
cdxgen -o sbom.json
```
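Review bot: npm install -g @cyclonedx/cdxgen resolves to whatever version is current on each run, so the SBOM generator itself is an unpinned dependency and a breaking or malicious release would change what gets uploaded without any diff in this repository; pin it (npm install -g @cyclonedx/cdxgen@<version>, or the npx @cyclonedx/cdxgen@<version> form) and bump it deliberately.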
(minor) Technically I think this could be just npx @cyclonedx/cdxgen -o sbom.json, so you don't need to install anything globally
Force-pushed 0fb7ac7 to 686f333
Force-pushed 686f333 to ad1bae8
Force-pushed ad1bae8 to 1d513a0
LGTM 🎉
Implements SEC-60
Key features
Description
Dependency-Track will scan the created SBOM and analyse it for CVEs and open vulnerabilities.
Those reports will be evaluated by the security team and brought back to the dev teams if something crucial pops up.