From 63beace25d14ca0b8918b467dbfe7bc0f3281742 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Mon, 14 Feb 2022 11:16:12 +0530 Subject: [PATCH 01/36] added github_token permission --- deployments/terraform.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 589f1f3..b7cbc3a 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -50,6 +50,9 @@ on: - $default-branch pull_request: +permissions: + contents: read + jobs: terraform: name: 'Terraform' From fd8ffb3d9c4336e2e4584baebffce4196086e794 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Mon, 14 Feb 2022 13:01:38 +0530 Subject: [PATCH 02/36] Update aws.yml --- deployments/aws.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/aws.yml b/deployments/aws.yml index dab851f..65f445f 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -41,6 +41,9 @@ env: CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the # containerDefinitions section of your task definition +permissions: + contents: read + jobs: deploy: name: Deploy From 8bcdd73aa893896b02a33bf844682a4a632c099a Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Tue, 15 Feb 2022 13:36:24 +0530 Subject: [PATCH 03/36] added github_token permission --- deployments/alibabacloud.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index ded9178..c783305 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -40,6 +40,9 @@ env: ACR_EE_IMAGE: repo ACR_EE_TAG: ${{ github.sha }} +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest From 8c75e2d11fd9040bc7a3492d7bcfcb4c92a194d7 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Thu, 17 Feb 2022 08:57:59 +0530 Subject: [PATCH 04/36] Update pmd.yml --- code-scanning/pmd.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 0604734..cf4b01d 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -13,8 +13,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: pmd-code-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From 0b1f2442e511ac2e36f9c551899079d28f0fade5 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 14:58:57 +0100 Subject: [PATCH 05/36] Create sonarcloud.yml --- code-scanning/sonarcloud.yml | 51 ++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 code-scanning/sonarcloud.yml diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml new file mode 100644 index 0000000..d15db93 --- /dev/null +++ b/code-scanning/sonarcloud.yml @@ -0,0 +1,51 @@ +This workflow helps you trigger a SonarCloud analysis of your code. +name: SonarCloud analysis + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + + workflow_dispatch: + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + + - name: Analyze with SonarCloud + + # 1. Import your project to SonarCloud. + # 2. Import it on SonarCloud + # * Open sonarcloud.io, connect with your GitHub account and add your GitHub organization and your repository as a new project. + # * Please note that your project might be ready for AutoScan which means that it will be analysed without the need for GitHub Actions (it will be built automatically). + # * This behavior can be changed in Administration > Analysis Method. + # + # 3. Copy/paste the Projet Key and the Organization Key in the args below + # * On SonarCloud, click on Information at the bottom left + # 4. Generate a new token and add it to your Github's repository Secrets as SONAR_TOKEN + # * On SonarCloud, click on your avatar on top-right > My account > Security + + # You may pin to the exact commit or the version. + # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + uses: SonarSource/sonarcloud-github-action@v1.6 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments to the sonarcloud scanner + args: > + # Set the sonar.projectBaseDir analysis property + projectBaseDir: . # optional, default is . + # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) + -Dsonar.projectKey= # mandatory + # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu) + -Dsonar.organization= # mandatory + # Comma-separated paths to directories containing main source files. + -Dsonar.sources= # optional, default is project base directory + # Comma-separated paths to directories containing test source files. + -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + -Dsonar.verbose= # optional, default is false From b80e458c6205c8b77c2a7bd419be52d6a82fc64f Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:29:12 +0100 Subject: [PATCH 06/36] Added documentation links --- code-scanning/sonarcloud.yml | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index d15db93..387f34c 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,4 +1,19 @@ -This workflow helps you trigger a SonarCloud analysis of your code. +# This workflow helps you trigger a SonarCloud analysis of your code. + +# 1. Login to SonarCloud.io using your GitHub account +# 2. Import your project on SonarCloud +# * Add your GitHub organization first, then add your repository as a new project. +# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically). +# * This behavior can be changed in Administration > Analysis Method. +# +# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below +# * You'll find those info on SonarCloud. Click on "Information" at the bottom left +# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN +# * On SonarCloud, click on your avatar on top-right > My account > Security + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + name: SonarCloud analysis on: @@ -15,18 +30,7 @@ jobs: steps: - - name: Analyze with SonarCloud - - # 1. Import your project to SonarCloud. - # 2. Import it on SonarCloud - # * Open sonarcloud.io, connect with your GitHub account and add your GitHub organization and your repository as a new project. - # * Please note that your project might be ready for AutoScan which means that it will be analysed without the need for GitHub Actions (it will be built automatically). - # * This behavior can be changed in Administration > Analysis Method. - # - # 3. Copy/paste the Projet Key and the Organization Key in the args below - # * On SonarCloud, click on Information at the bottom left - # 4. Generate a new token and add it to your Github's repository Secrets as SONAR_TOKEN - # * On SonarCloud, click on your avatar on top-right > My account > Security + - name: Analyze with SonarCloud # You may pin to the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 @@ -36,15 +40,15 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments to the sonarcloud scanner - args: > - # Set the sonar.projectBaseDir analysis property - projectBaseDir: . # optional, default is . + args: # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.projectKey= # mandatory # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.organization= # mandatory # Comma-separated paths to directories containing main source files. -Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + -Dsonar.projectBaseDir= # optional, default is . # Comma-separated paths to directories containing test source files. -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. From c5a70f040535fbdb74601570225b59bc8516a3b7 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:29:42 +0100 Subject: [PATCH 07/36] Removed extra spaces --- code-scanning/sonarcloud.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 387f34c..3441617 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -21,15 +21,13 @@ on: branches: [ master ] pull_request: branches: [ master ] - workflow_dispatch: jobs: Analysis: runs-on: ubuntu-latest - + steps: - - name: Analyze with SonarCloud # You may pin to the exact commit or the version. From 429537d3207f07a271ed289b60a664da53be9b86 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:36:07 +0100 Subject: [PATCH 08/36] Added workflow variables for branches --- code-scanning/sonarcloud.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 3441617..97f364d 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -18,9 +18,9 @@ name: SonarCloud analysis on: push: - branches: [ master ] + branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ master ] + branches: [ $default-branch ] workflow_dispatch: jobs: From b48f15df6228157c0181ee9fdca8f52f091a3703 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:36:37 +0100 Subject: [PATCH 09/36] Added space between paragraph --- code-scanning/sonarcloud.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 97f364d..0b58f05 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,6 +1,7 @@ # This workflow helps you trigger a SonarCloud analysis of your code. # 1. Login to SonarCloud.io using your GitHub account + # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. # * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically). @@ -8,6 +9,7 @@ # # 3. Copy/paste the Projet Key and the Organization Key in the args parameter below # * You'll find those info on SonarCloud. Click on "Information" at the bottom left + # 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN # * On SonarCloud, click on your avatar on top-right > My account > Security From fb2b1099ec558e4666229e557860eb8a8dd58ac7 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Tue, 1 Mar 2022 16:39:07 +0100 Subject: [PATCH 10/36] Fixed intro text --- code-scanning/sonarcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 0b58f05..c4ab0e4 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,4 +1,4 @@ -# This workflow helps you trigger a SonarCloud analysis of your code. +# This workflow helps you trigger a SonarCloud analysis of your code and populates GitHub Code Scanning alerts with the vulnerabilities found. # 1. Login to SonarCloud.io using your GitHub account From f6596c95685b9d20a9cd83bf0d9df24153043b69 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 09:41:26 +0100 Subject: [PATCH 11/36] Update sonarcloud.yml --- code-scanning/sonarcloud.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index c4ab0e4..084feca 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -4,14 +4,15 @@ # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. -# * Please note that your project might be ready for Automatic Analysis, which means that it could be analysed without the need for GitHub Actions (it will be built automatically). +# * Please note that many languages are eligible for automatic analysis, which means that the analysis will start automatically without the need to set up GitHub Actions. # * This behavior can be changed in Administration > Analysis Method. # -# 3. Copy/paste the Projet Key and the Organization Key in the args parameter below -# * You'll find those info on SonarCloud. Click on "Information" at the bottom left - -# 4. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN -# * On SonarCloud, click on your avatar on top-right > My account > Security +# 3. Follow the SonarCloud's online tutorial +# * a. Copy/paste the Projet Key and the Organization Key in the args parameter below +# (You'll find those info on SonarCloud. Click on "Information" at the bottom left) +# +# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) # or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) From 8fd84d60c85e501ce9d34a7c694fda9f3822daab Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 09:42:52 +0100 Subject: [PATCH 12/36] Create sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 1 + 1 file changed, 1 insertion(+) create mode 100644 code-scanning/properties/sonarcloud.properties.json diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/code-scanning/properties/sonarcloud.properties.json @@ -0,0 +1 @@ + From 6f8fa063712f344fab4c84487b2c885fca2f61a3 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 09:45:15 +0100 Subject: [PATCH 13/36] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 8b13789..88e2dbf 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1 +1,7 @@ - +{ + "name": "SonarCloud Security Scan", + "creator": "SonarSource", + "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.", + "iconName": "sonarcloud", + "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"] +} From c944a105460e766a441f6bc07dc9f798bbb4bc1c Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 17:15:34 +0100 Subject: [PATCH 14/36] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 88e2dbf..428d899 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1,7 +1,7 @@ { - "name": "SonarCloud Security Scan", - "creator": "SonarSource", - "description": "Free, out-of-the-box, security analysis provided by multiple open source static analysis tools.", + "name": "SonarCloud", + "creator": "Sonar", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Free for open source projects", "iconName": "sonarcloud", - "categories": ["Code Scanning", "apex", "bash", "c", "coffeescript", "c++", "c#", "crystal", "dockerfile", "elixir", "go", "groovy", "java", "javascript", "jsp", "kotlin", "markdown", "php", "plsql", "powershell", "python", "ruby", "scala", "swift", "tsql", "typescript", "velocity", "vba", "xml"] + "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From d955f56f6791a99e9264a41707cd43f1ff228d67 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 10 Mar 2022 17:17:43 +0100 Subject: [PATCH 15/36] Add files via upload --- icons/sonarcloud.svg | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 icons/sonarcloud.svg diff --git a/icons/sonarcloud.svg b/icons/sonarcloud.svg new file mode 100644 index 0000000..5f946d2 --- /dev/null +++ b/icons/sonarcloud.svg @@ -0,0 +1,20 @@ + + + + +SonarCloud icon + + + + From 3b2d5d9c43c2889e9aaed43da59a7332ee5e51b7 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 17 Mar 2022 18:07:03 +0100 Subject: [PATCH 16/36] Added small fixes --- code-scanning/sonarcloud.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 084feca..d627b96 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -13,6 +13,7 @@ # # * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN # (On SonarCloud, click on your avatar on top-right > My account > Security) +# (or go directly to https://sonarcloud.io/account/security/) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) # or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) @@ -44,13 +45,13 @@ jobs: args: # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.projectKey= # mandatory - # Unique organisation key of your project. You can find it in SonarCloud > Information (bottom-left menu) + # Unique organization key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.organization= # mandatory # Comma-separated paths to directories containing main source files. - -Dsonar.sources= # optional, default is project base directory + #-Dsonar.sources= # optional, default is project base directory # When you need the analysis to take place in a directory other than the one from which it was launched - -Dsonar.projectBaseDir= # optional, default is . + #-Dsonar.projectBaseDir= # optional, default is . # Comma-separated paths to directories containing test source files. - -Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ - # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - -Dsonar.verbose= # optional, default is false + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From 75a7f2983bbe23e5ab84449c61053dfc20206b74 Mon Sep 17 00:00:00 2001 From: Peeter Piegaze <61758048+peeter-piegaze-sonarsource@users.noreply.github.com> Date: Fri, 18 Mar 2022 11:13:00 +0100 Subject: [PATCH 17/36] Update sonarcloud.yml Fix phrasing/word-choice --- code-scanning/sonarcloud.yml | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index d627b96..69eac6a 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,19 +1,21 @@ -# This workflow helps you trigger a SonarCloud analysis of your code and populates GitHub Code Scanning alerts with the vulnerabilities found. +# This workflow helps you trigger a SonarCloud analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. # 1. Login to SonarCloud.io using your GitHub account # 2. Import your project on SonarCloud # * Add your GitHub organization first, then add your repository as a new project. -# * Please note that many languages are eligible for automatic analysis, which means that the analysis will start automatically without the need to set up GitHub Actions. +# * Please note that many languages are eligible for automatic analysis, +# which means that the analysis will start automatically without the need to set up GitHub Actions. # * This behavior can be changed in Administration > Analysis Method. # -# 3. Follow the SonarCloud's online tutorial -# * a. Copy/paste the Projet Key and the Organization Key in the args parameter below -# (You'll find those info on SonarCloud. Click on "Information" at the bottom left) +# 3. Follow the SonarCloud in-product tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarCloud. Click on "Information" at the bottom left) # -# * b. Generate a new token and add it to your Github's repository Secrets with the name SONAR_TOKEN -# (On SonarCloud, click on your avatar on top-right > My account > Security) -# (or go directly to https://sonarcloud.io/account/security/) +# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) # Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) # or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) @@ -34,14 +36,14 @@ jobs: steps: - name: Analyze with SonarCloud - # You may pin to the exact commit or the version. + # You can pin the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 uses: SonarSource/sonarcloud-github-action@v1.6 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: - # Additional arguments to the sonarcloud scanner + # Additional arguments for the sonarcloud scanner args: # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) -Dsonar.projectKey= # mandatory From a1fe90c10dbf737fb1787b358028b5e33641dcc0 Mon Sep 17 00:00:00 2001 From: Shubham malik Date: Sat, 19 Mar 2022 16:00:04 +0530 Subject: [PATCH 18/36] Update tencent.yml --- deployments/tencent.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deployments/tencent.yml b/deployments/tencent.yml index 83bde94..165981a 100644 --- a/deployments/tencent.yml +++ b/deployments/tencent.yml @@ -27,6 +27,9 @@ env: TKE_CLUSTER_ID: cls-mywebapp DEPLOYMENT_NAME: tke-test +permissions: + contents: read + jobs: setup-build-publish-deploy: name: Setup, Build, Publish, and Deploy From 9ab1bbfdcc4ce2235ab206d529853732f82c40d2 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Mon, 21 Mar 2022 10:08:04 +0100 Subject: [PATCH 19/36] Added Github disclaimer --- code-scanning/sonarcloud.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index 69eac6a..d0cc73b 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -1,3 +1,8 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + # This workflow helps you trigger a SonarCloud analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. From 1e0060ae0f820f0e350f84c656ca66e287005124 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 30 Mar 2022 10:27:25 +0200 Subject: [PATCH 20/36] Added mention to free plan --- code-scanning/sonarcloud.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index d0cc73b..bd6a3e1 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -5,6 +5,7 @@ # This workflow helps you trigger a SonarCloud analysis of your code and populates # GitHub Code Scanning alerts with the vulnerabilities found. +# Free for open source project. # 1. Login to SonarCloud.io using your GitHub account From 589aeb1674483e39ab864dd33cfa5cf63882462a Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Thu, 31 Mar 2022 10:34:04 +0200 Subject: [PATCH 21/36] Added restrictive permissions for GITHUB_TOKEN --- code-scanning/sonarcloud.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index bd6a3e1..dade659 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -35,6 +35,9 @@ on: branches: [ $default-branch ] workflow_dispatch: +permissions: + pull-requests: read # allows SonarCloud to decorate PRs with analysis results + jobs: Analysis: runs-on: ubuntu-latest @@ -46,7 +49,7 @@ jobs: # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 uses: SonarSource/sonarcloud-github-action@v1.6 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) with: # Additional arguments for the sonarcloud scanner From 3f1969e60bade312dd53ca604e2479900b6a6a5f Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 10:26:21 +0200 Subject: [PATCH 22/36] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 428d899..8835ff8 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1,7 +1,7 @@ { "name": "SonarCloud", "creator": "Sonar", - "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Free for open source projects", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start analyzing your code in minutes!", "iconName": "sonarcloud", "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From 1132fdda5ded5388ebc46d62f1892bece49f3c26 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 10:43:06 +0200 Subject: [PATCH 23/36] Update sonarcloud.properties.json --- code-scanning/properties/sonarcloud.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/sonarcloud.properties.json b/code-scanning/properties/sonarcloud.properties.json index 8835ff8..9b88a78 100644 --- a/code-scanning/properties/sonarcloud.properties.json +++ b/code-scanning/properties/sonarcloud.properties.json @@ -1,7 +1,7 @@ { "name": "SonarCloud", "creator": "Sonar", - "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start analyzing your code in minutes!", + "description": "Static analysis of code for vulnerability detection, covering 26+ languages. Start cleaning your code in minutes!", "iconName": "sonarcloud", "categories": ["Code Scanning","abap","apex","c","cobol","cpp","cloudformation","csharp","css","flex","go","java","javascript","kotlin","objectivec","php","plsql","ruby","scala","swift","terraform","tsql","typescript","vb","vba","xml"] } From 50c02af8cf04a5cba88c5f47d64db3d2860ddcff Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 10:59:27 +0200 Subject: [PATCH 24/36] changed version to exact SHA Co-authored-by: Sampark Sharma --- code-scanning/sonarcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index dade659..fe9afb4 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -47,7 +47,7 @@ jobs: # You can pin the exact commit or the version. # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@v1.6 + uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) From 090ead86a92181d20a19219314dd1858ec87a787 Mon Sep 17 00:00:00 2001 From: Christophe H <65390576+christophe-havard-sonarsource@users.noreply.github.com> Date: Wed, 6 Apr 2022 14:51:15 +0200 Subject: [PATCH 25/36] Update syntax for validation --- code-scanning/sonarcloud.yml | 42 ++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/code-scanning/sonarcloud.yml b/code-scanning/sonarcloud.yml index fe9afb4..ff388c8 100644 --- a/code-scanning/sonarcloud.yml +++ b/code-scanning/sonarcloud.yml @@ -45,24 +45,24 @@ jobs: steps: - name: Analyze with SonarCloud - # You can pin the exact commit or the version. - # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) - with: - # Additional arguments for the sonarcloud scanner - args: - # Unique key of your project. You can find it in SonarCloud > Information (bottom-left menu) - -Dsonar.projectKey= # mandatory - # Unique organization key of your project. You can find it in SonarCloud > Information (bottom-left menu) - -Dsonar.organization= # mandatory - # Comma-separated paths to directories containing main source files. - #-Dsonar.sources= # optional, default is project base directory - # When you need the analysis to take place in a directory other than the one from which it was launched - #-Dsonar.projectBaseDir= # optional, default is . - # Comma-separated paths to directories containing test source files. - #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ - # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false + # You can pin the exact commit or the version. + # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) + # mandatory + -Dsonar.projectKey= + -Dsonar.organization= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From cca97c83b88349992531d905e3456a9227e2a391 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Sat, 9 Apr 2022 01:28:14 -0700 Subject: [PATCH 26/36] Add rust-clippy starter workflow (#1462) * Add rust-clippy starter workflow * fix parameter `wait-for-processing` indent of action github/codeql-action/upload-sarif@v1 * Use commit sha instead of tag * addressing pr comments * Update creator * Add comments --- .../properties/rust-clippy.properties.json | 10 ++++ code-scanning/rust-clippy.yml | 54 +++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 code-scanning/properties/rust-clippy.properties.json create mode 100644 code-scanning/rust-clippy.yml diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json new file mode 100644 index 0000000..ea5c871 --- /dev/null +++ b/code-scanning/properties/rust-clippy.properties.json @@ -0,0 +1,10 @@ +{ + "name": "rust-clippy", + "creator": "Rust", + "description": "A collection of lints to catch common mistakes and improve your Rust code.", + "iconName": "rust", + "categories": [ + "Code Scanning", + "rust" + ] +} \ No newline at end of file diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml new file mode 100644 index 0000000..e9c426a --- /dev/null +++ b/code-scanning/rust-clippy.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# rust-clippy is a tool that runs a bunch of lints to catch common +# mistakes in your Rust code and help improve your Rust code. +# More details at https://github.com/rust-lang/rust-clippy +# and https://rust-lang.github.io/rust-clippy/ + +name: rust-clippy analyze + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + rust-clippy-analyze: + name: Run rust-clippy analyzing + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Install Rust toolchain + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1 + with: + profile: minimal + toolchain: stable + components: clippy + override: true + + - name: Install required cargo + run: cargo install clippy-sarif sarif-fmt + + - name: Run rust-clippy + run: + cargo clippy + --all-features + --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: rust-clippy-results.sarif + wait-for-processing: true \ No newline at end of file From 769950ce816c2f79f8df05cf138640f9aa08625d Mon Sep 17 00:00:00 2001 From: Sampark Sharma Date: Sun, 10 Apr 2022 17:20:15 +0530 Subject: [PATCH 27/36] Removing code-scanning/shiftleft as per author request (#1513) Co-authored-by: Bishal Prasad --- .../properties/shiftleft.properties.json | 7 --- code-scanning/shiftleft.yml | 47 ------------------- icons/shiftleft.svg | 6 --- 3 files changed, 60 deletions(-) delete mode 100644 code-scanning/properties/shiftleft.properties.json delete mode 100644 code-scanning/shiftleft.yml delete mode 100644 icons/shiftleft.svg diff --git a/code-scanning/properties/shiftleft.properties.json b/code-scanning/properties/shiftleft.properties.json deleted file mode 100644 index 1cb36c9..0000000 --- a/code-scanning/properties/shiftleft.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Scan", - "creator": "ShiftLeft", - "description": "Scan is a free open-source security tool for modern DevOps teams from ShiftLeft.", - "iconName": "shiftleft", - "categories": ["Code Scanning"] -} \ No newline at end of file diff --git a/code-scanning/shiftleft.yml b/code-scanning/shiftleft.yml deleted file mode 100644 index b042670..0000000 --- a/code-scanning/shiftleft.yml +++ /dev/null @@ -1,47 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow integrates Scan with GitHub's code scanning feature -# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft -# Visit https://slscan.io/en/latest/integrations/code-scan for help -name: SL Scan - -on: - push: - branches: [ $default-branch, $protected-branches ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ $default-branch ] - schedule: - - cron: $cron-weekly - -jobs: - Scan-Build: - # Scan runs on ubuntu, mac and windows - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - # Instructions - # 1. Setup JDK, Node.js, Python etc depending on your project type - # 2. Compile or build the project before invoking scan - # Example: mvn compile, or npm install or pip install goes here - # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url - - - name: Perform Scan - uses: ShiftLeftSecurity/scan-action@39af9e54bc599c8077e710291d790175c9231f64 - env: - WORKSPACE: "" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SCAN_AUTO_BUILD: true - with: - output: reports - # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type - # type: credscan,java - # type: python - - - name: Upload report - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: reports diff --git a/icons/shiftleft.svg b/icons/shiftleft.svg deleted file mode 100644 index f8e944a..0000000 --- a/icons/shiftleft.svg +++ /dev/null @@ -1,6 +0,0 @@ - - - - - - From 31b35634e10474dd37c3d2929577d2778e781cbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Sun, 10 Apr 2022 15:07:11 +0200 Subject: [PATCH 28/36] Fix pull request trigger in greetings.yml (#1518) --- automation/greetings.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/greetings.yml b/automation/greetings.yml index ee1cb11..18ba13f 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -1,6 +1,6 @@ name: Greetings -on: [pull_request, issues] +on: [pull_request_target, issues] jobs: greeting: From d80712faf41487f0d71d06018ec3bae11b859987 Mon Sep 17 00:00:00 2001 From: Anthony Roussel Date: Sun, 10 Apr 2022 15:29:47 +0200 Subject: [PATCH 29/36] Disable Terraform interactive prompts during apply & plan (#1467) --- deployments/terraform.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployments/terraform.yml b/deployments/terraform.yml index 96e44e0..6142d2c 100644 --- a/deployments/terraform.yml +++ b/deployments/terraform.yml @@ -82,10 +82,10 @@ jobs: # Generates an execution plan for Terraform - name: Terraform Plan - run: terraform plan + run: terraform plan -input=false # On push to $default-branch, build or change infrastructure according to Terraform configuration files # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks - name: Terraform Apply if: github.ref == 'refs/heads/$default-branch' && github.event_name == 'push' - run: terraform apply -auto-approve + run: terraform apply -auto-approve -input=false From 970a7b52557fbdf7dc31c20e64499c21f45deff2 Mon Sep 17 00:00:00 2001 From: dlorenc Date: Sun, 10 Apr 2022 13:06:23 -0500 Subject: [PATCH 30/36] =?UTF-8?q?Update=20the=20cosign-install=20action=20?= =?UTF-8?q?and=20default=20version=20from=201.4.0=20to=201.=E2=80=A6=20(#1?= =?UTF-8?q?452)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update the cosign-install action and default version from 1.4.0 to 1.5.1. Signed-off-by: Dan Lorenc * Update to 1.7.1 and the latest cosign-installer action. Signed-off-by: Dan Lorenc Co-authored-by: Bishal Prasad --- ci/docker-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 7b6add3..75f9770 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -41,9 +41,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605 with: - cosign-release: 'v1.4.0' + cosign-release: 'v1.7.1' # Workaround: https://github.com/docker/build-push-action/issues/461 From eeb7d2860d40ef8ccea22e7cc47f0a7088dc886a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Bedran?= Date: Sun, 10 Apr 2022 16:46:50 -0300 Subject: [PATCH 31/36] Removes " Simulator" substring from device name. (#1470) --- ci/ios.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/ios.yml b/ci/ios.yml index 5cec5e7..693a7d5 100644 --- a/ci/ios.yml +++ b/ci/ios.yml @@ -26,7 +26,7 @@ jobs: platform: ${{ 'iOS Simulator' }} run: | # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959) - device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'` + device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"` if [ $scheme = default ]; then scheme=$(cat default); fi if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` @@ -37,7 +37,7 @@ jobs: platform: ${{ 'iOS Simulator' }} run: | # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959) - device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}'` + device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"` if [ $scheme = default ]; then scheme=$(cat default); fi if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi file_to_build=`echo $file_to_build | awk '{$1=$1;print}'` From 9e81e73fe1c6c6786692b02864aeb1271734d235 Mon Sep 17 00:00:00 2001 From: Andrew Freckelton <7751633+frecks@users.noreply.github.com> Date: Mon, 11 Apr 2022 15:04:06 -0400 Subject: [PATCH 32/36] chore: Update go version to 1.18 --- ci/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/go.yml b/ci/go.yml index 6f498a6..bb3ec96 100644 --- a/ci/go.yml +++ b/ci/go.yml @@ -16,7 +16,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.17 + go-version: 1.18 - name: Build run: go build -v ./... From 66f87f9dfe82ccc8055c7063ef35ee994f1a3ae1 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Mon, 11 Apr 2022 21:41:27 -0700 Subject: [PATCH 33/36] Add clj-watson starter workflow (#1460) * Add clj-watson starter workflow * update permissions * update to latest release * Update clj-watson-action to official release * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * update categories * update categories * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * Update code-scanning/properties/clj-watson.properties.json Co-authored-by: Bishal Prasad * Update code-scanning/clj-watson.yml Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> * add comments to yml file * Update clj-watson.properties.json * use codeql-action/upload-sarif v2 Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com> Co-authored-by: Bishal Prasad --- code-scanning/clj-watson.yml | 53 +++++++++++++++++++ .../properties/clj-watson.properties.json | 9 ++++ icons/clj-watson.svg | 1 + 3 files changed, 63 insertions(+) create mode 100644 code-scanning/clj-watson.yml create mode 100644 code-scanning/properties/clj-watson.properties.json create mode 100644 icons/clj-watson.svg diff --git a/code-scanning/clj-watson.yml b/code-scanning/clj-watson.yml new file mode 100644 index 0000000..2e4ab3c --- /dev/null +++ b/code-scanning/clj-watson.yml @@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# clj-watson scans dependencies in a clojure deps.edn +# seeking for vulnerable direct/transitive dependencies and +# build a report with all the information needed to help you +# understand how the vulnerability manifest in your software. +# More details at https://github.com/clj-holmes/clj-watson + +name: clj-watson + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +permissions: + contents: read + +jobs: + clj-holmes: + name: Run clj-watson scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Dependency scan + uses: clj-holmes/clj-watson-action@39b8ed306f2c125860cf6e69b6939363689f998c + with: + clj-watson-sha: "65d928c" + clj-watson-tag: "v4.0.1" + database-strategy: github-advisory + aliases: clojure-lsp,test + deps-edn-path: deps.edn + suggest-fix: true + output-type: sarif + output-file: clj-watson-results.sarif + fail-on-result: false + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{github.workspace}}/clj-watson-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/clj-watson.properties.json b/code-scanning/properties/clj-watson.properties.json new file mode 100644 index 0000000..966314a --- /dev/null +++ b/code-scanning/properties/clj-watson.properties.json @@ -0,0 +1,9 @@ +{ + "name": "clj-watson", + "description": "Scan Clojure/Clojurescript projects for vulnerable direct/transitive dependencies.", + "iconName": "clj-watson", + "categories": [ + "Code Scanning", + "Clojure" + ] +} diff --git a/icons/clj-watson.svg b/icons/clj-watson.svg new file mode 100644 index 0000000..74459e5 --- /dev/null +++ b/icons/clj-watson.svg @@ -0,0 +1 @@ + \ No newline at end of file From 94d3aff4c62f40e4751c3c71c61b23c4ec02a072 Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Tue, 12 Apr 2022 10:27:04 +0530 Subject: [PATCH 34/36] Remove creator property from rust-clippy This is owned by @josepalafox's BD team in GitHub. --- code-scanning/properties/rust-clippy.properties.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/code-scanning/properties/rust-clippy.properties.json b/code-scanning/properties/rust-clippy.properties.json index ea5c871..4737786 100644 --- a/code-scanning/properties/rust-clippy.properties.json +++ b/code-scanning/properties/rust-clippy.properties.json @@ -1,10 +1,9 @@ { "name": "rust-clippy", - "creator": "Rust", "description": "A collection of lints to catch common mistakes and improve your Rust code.", "iconName": "rust", "categories": [ "Code Scanning", "rust" ] -} \ No newline at end of file +} From ae0ff4dd3a81c243bea35ec3e2035ab14b94bc9e Mon Sep 17 00:00:00 2001 From: Bishal Prasad Date: Tue, 12 Apr 2022 10:29:04 +0530 Subject: [PATCH 35/36] Add Actions team as CODEOWNERS for code-scanning starter workflows --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 8866d17..91153de 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,3 +1,3 @@ * @actions/starter-workflows -/code-scanning/ @actions/advanced-security-code-scanning +/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows From 92b20ce19b85f9e2d7eb558aa665eb6ac9287cb5 Mon Sep 17 00:00:00 2001 From: Yong Yan Date: Wed, 13 Apr 2022 23:04:48 -0700 Subject: [PATCH 36/36] Add ESLint starter workflow (#1461) * Add ESLint starter workflow * Specify versions * update permission * Add typescript to categories * Update codeql action to v2; add comments * address review feedbacks * update categories --- code-scanning/eslint.yml | 49 +++++++++++++++++++ .../properties/eslint.properties.json | 11 +++++ icons/eslint.svg | 1 + 3 files changed, 61 insertions(+) create mode 100644 code-scanning/eslint.yml create mode 100644 code-scanning/properties/eslint.properties.json create mode 100644 icons/eslint.svg diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml new file mode 100644 index 0000000..9067a7d --- /dev/null +++ b/code-scanning/eslint.yml @@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# ESLint is a tool for identifying and reporting on patterns +# found in ECMAScript/JavaScript code. +# More details at https://github.com/eslint/eslint +# and https://eslint.org + +name: ESLint + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + eslint: + name: Run eslint scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install ESLint + run: | + npm install eslint@8.10.0 + npm install @microsoft/eslint-formatter-sarif@2.1.7 + + - name: Run ESLint + run: npx eslint . + --config .eslintrc.js + --ext .js,.jsx,.ts,.tsx + --format @microsoft/eslint-formatter-sarif + --output-file eslint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: eslint-results.sarif + wait-for-processing: true \ No newline at end of file diff --git a/code-scanning/properties/eslint.properties.json b/code-scanning/properties/eslint.properties.json new file mode 100644 index 0000000..a84646a --- /dev/null +++ b/code-scanning/properties/eslint.properties.json @@ -0,0 +1,11 @@ +{ + "name": "ESLint", + "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.", + "iconName": "eslint", + "categories": [ + "Code Scanning", + "JavaScript", + "EcmaScript", + "TypeScript" + ] +} \ No newline at end of file diff --git a/icons/eslint.svg b/icons/eslint.svg new file mode 100644 index 0000000..23964aa --- /dev/null +++ b/icons/eslint.svg @@ -0,0 +1 @@ + \ No newline at end of file