Merge remote-tracking branch 'origin/2.9.x' into fortify #140
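# CI for the `fortify` branch: compiles the project on a Java/Scala matrix,
# installs Fortify SCA from a private release asset (cached between runs),
# scans the build, and diffs the findings against the checked-in expected list.
name: test

on:
  push:
    branches:
      - fortify
  pull_request:
    branches:
      - fortify

# Least privilege for the job's GITHUB_TOKEN: nothing below needs more than
# read access to the repository (actions/checkout).
permissions:
  contents: read

jobs:
  test:
    strategy:
      fail-fast: false
      matrix:
        java: [11, 17, 21]
        scala: [2.13.x, 3.x]
    runs-on: ubuntu-latest
    # Explicit bash so every `run` step executes with `-eo pipefail`. The
    # implicit default (`bash -e`) has no pipefail, so a failing sourceanalyzer
    # in the Test step would be masked by the `tail` it is piped into.
    defaults:
      run:
        shell: bash
    steps:
      - uses: actions/checkout@v4
      - uses: coursier/cache-action@v6
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: ${{ matrix.java }}
      # Cache of the installed Fortify tree, keyed on the SCA version only;
      # the Install Fortify step is skipped when the directory is restored.
      # NOTE(review): if the installer copies fortify.license into its install
      # tree, that copy is part of what gets cached — confirm before widening
      # cache access.
      - uses: actions/cache@v4
        with:
          path: ./Fortify
          key: fortify-23.1.1
      # https://github.com/gruntwork-io/fetch
      # NOTE(review): `@master` is a mutable ref — this step runs whatever the
      # Homebrew repo's default branch holds at run time. Pin to a full commit
      # SHA (`@<sha>`) so a compromised or changed upstream cannot alter the
      # job's toolchain.
      - uses: Homebrew/actions/setup-homebrew@master
      - name: Install Fetch
        run: brew install fetch
      - name: Install secrets
        env:
          LIGHTBEND_LICENSE: ${{ secrets.LIGHTBEND_LICENSE }}
          FORTIFY_LICENSE: ${{ secrets.FORTIFY_LICENSE }}
        run: |
          # Secrets reach the shell through the environment, never via ${{ }}
          # interpolation into the script text. Files are created owner-only,
          # and printf avoids echo's option parsing on a value that might start
          # with "-".
          umask 077
          mkdir -p ~/.lightbend
          printf '%s\n' "$LIGHTBEND_LICENSE" > ~/.lightbend/license
          printf '%s\n' "$FORTIFY_LICENSE" > fortify.license
      # The easiest way I could think of to make the Fortify installer available to CI
      # was to attach it as a release asset to a tag in a private repo.
      - name: Install Fortify
        env:
          # Passed through the environment rather than interpolated into the
          # script, so the token is never part of the command text.
          FORTIFY_INSTALLER_TOKEN: ${{ secrets.FORTIFY_INSTALLER_TOKEN }}
        run: |
          if [[ ! -d Fortify ]] ; then
            # The token is scoped to the fetch command and dropped from the
            # environment before the installer (third-party code) runs.
            GITHUB_OAUTH_TOKEN="$FORTIFY_INSTALLER_TOKEN" fetch --repo="https://github.com/lightbend/scala-fortify" --tag="23.1.1_linux_x64" --release-asset="Fortify_SCA_23.1.1_linux_x64.run" .
            unset FORTIFY_INSTALLER_TOKEN
            # NOTE(review): the asset arrives over an authenticated channel but
            # its integrity is not verified; record the installer's sha256 and
            # check it here (`sha256sum -c`) before making it executable.
            chmod +x Fortify_SCA_23.1.1_linux_x64.run
            mkdir Fortify
            echo "installdir=$PWD/Fortify/Fortify_SCA_23.1.1" > Fortify_SCA_23.1.1_linux_x64.run.options
            echo "fortify_license_path=$PWD/fortify.license" >> Fortify_SCA_23.1.1_linux_x64.run.options
            ./Fortify_SCA_23.1.1_linux_x64.run --mode unattended
            # download the Scala security rules; VersionTests makes sure they're the ones we expect
            ./Fortify/Fortify_SCA_23.1.1/bin/fortifyupdate
            # otherwise we get some false positives from sample files
            rm -rf ./Fortify/Fortify_SCA_23.1.1/Samples
          fi
      - name: Test
        env:
          SCALA_VERSION: ${{ matrix.scala }}
        run: |
          sbt ++"$SCALA_VERSION" compile
          rm -f "target/vulnerabilities-actual-$SCALA_VERSION.txt"
          # With pipefail (see defaults.run.shell) a failing scan aborts the
          # step here instead of producing a truncated "actual" file that only
          # shows up as a confusing diff below.
          ./Fortify/Fortify_SCA_23.1.1/bin/sourceanalyzer \
            -b play-webgoat \
            -logfile target/scan.log \
            -scan \
            | tail -n +4 > "target/vulnerabilities-actual-$SCALA_VERSION.txt"
          cat target/scan.log
          sum "vulnerabilities-$SCALA_VERSION.txt" "target/vulnerabilities-actual-$SCALA_VERSION.txt"
          # The diff's exit status is the pass/fail signal for the job.
          diff -u "vulnerabilities-$SCALA_VERSION.txt" "target/vulnerabilities-actual-$SCALA_VERSION.txt"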