Skip to content

Commit

Permalink
Feat/groh/integrate scanoss json
Browse files Browse the repository at this point in the history 
* feat:SP-1918 Use scanoss-py policies

* feat: SP-1919 Add skip snippet and scanoss setting flags

* chore: SP-1920 Use scanoss-py copyleft policy

* chore: SP-1922 Integrates undeclared components policy from scanoss-py

* chore: SP-1924 Adds copyleft policy unit tests

* chore: SP-1927 Adds undeclared component unit tests

* chore: SP-1964 Removes sbom.json feature

* chore: SP-1957 Upgrades scanoss.py version to v1.18.1

* chore: Fixes linter warnings

* chore: SP-1979 Removes sbom.json export format

* chore: SP-1980 Add warning when SCANOSS settings is not enabled

* chore: SP-1977 Adds breaking change documentation v1.0.1

* chore:  SP-1978 Upgrades default runtime container version to v1.19.0
  • Loading branch information
@agustingroh
agustingroh authored Dec 20, 2024
1 parent 15a506c commit 010b9a3
Show file tree
Hide file tree
Showing 27 changed files with 1,657 additions and 530 deletions.
1 change: 1 addition & 0 deletions .eslintignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,4 @@ lib/
dist/
node_modules/
coverage/

4 changes: 2 additions & 2 deletions .github/linters/.eslintrc.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ rules:
'@typescript-eslint/func-call-spacing': ['error', 'never'],
'@typescript-eslint/no-array-constructor': 'error',
'@typescript-eslint/no-empty-interface': 'error',
'@typescript-eslint/no-explicit-any': 'warn',
'@typescript-eslint/no-explicit-any': 'off',
'@typescript-eslint/no-extraneous-class': 'error',
'@typescript-eslint/no-for-in-array': 'error',
'@typescript-eslint/no-inferrable-types': 'error',
Expand All @@ -82,5 +82,5 @@ rules:
'@typescript-eslint/type-annotation-spacing': 'error',
'@typescript-eslint/unbound-method': 'error',
'github/array-foreach' : 'off',
'eslint-comments/no-unlimited-disable': 'off'
'eslint-comments/no-unlimited-disable': 'off',
}
4 changes: 3 additions & 1 deletion .github/workflows/linter.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ permissions:
jobs:
lint:
name: Lint Codebase
runs-on: ubuntu-latest
runs-on: ubuntu-22.04

steps:
- name: Checkout
Expand Down Expand Up @@ -45,3 +45,5 @@ jobs:
VALIDATE_JSCPD: false
VALIDATE_MARKDOWN: false
VALIDATE_NATURAL_LANGUAGE: false
SUPPRESS_FILE_TYPE_WARN: true
VALIDATE_JSON: false
79 changes: 58 additions & 21 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,42 @@ vulnerabilities and license compliance with configurable policies.

</div>

## Breaking change v1.0.1

- Default runtime container updated to `ghcr.io/scanoss/scanoss-py:v1.19.0`
- Removed parameters:
- `sbom.enabled`
- `sbom.filepath`
- `sbom.type`

### Converting from sbom.json to scanoss.json
The SBOM configuration format has changed and the file name must be updated from **sbom.json** to **scanoss.json**. Here's how to convert your existing configuration:

Old format (sbom.json):
```json
{
"components": [
{
"purl": "pkg:github/scanoss/scanner.c"
}
]
}
```

New format (scanoss.json):
```json
{
"bom": {
"include": [
{
"purl": "pkg:github/scanoss/scanner.c"
}
]
}
}
```


## Usage

To begin using this action, you'll need to set up a basic GitHub workflow and define a job within it:
Expand Down Expand Up @@ -53,24 +89,25 @@ For example workflow runs, check out our
### Action Input Parameters
| **Parameter** | **Description** | **Required** | **Default** |
|----------------------------|------------------------------------------------------------------------------------------------------|--------------|---------------------------------------|
| output.filepath | Scan output file name. | Optional | `results.json` |
| sbom.enabled | Enable or disable scanning based on the SBOM file | Optional | `true` |
| sbom.filepath | Filepath of the SBOM file to be used for scanning | Optional | `sbom.json` |
| sbom.type | Type of SBOM operation: either 'identify' or 'ignore | Optional | `identify` |
| dependencies.enabled | Option to enable or disable scanning of dependencies. | Optional | `false` |
| dependencies.scope | Gets development or production dependencies (scopes: prod - dev) | Optional | - |
| dependencies.scope.include | Custom list of dependency scopes to be included. Provide scopes as a comma-separated list. | Optional | - |
| dependencies.scope.exclude | Custom list of dependency scopes to be excluded. Provide scopes as a comma-separated list. | Optional | - |
| policies | List of policies separated by commas, options available are: copyleft, undeclared. | Optional | - |
| policies.halt_on_failure | Halt check on policy failure. If set to false checks will not fail. | Optional | `true` |
| api.url | SCANOSS API URL | Optional | `https://osskb.org/api/scan/direct` |
| api.key | SCANOSS API Key | Optional | - |
| licenses.copyleft.include | List of Copyleft licenses to append to the default list. Provide licenses as a comma-separated list. | Optional | - |
| licenses.copyleft.exclude | List of Copyleft licenses to remove from default list. Provide licenses as a comma-separated list. | Optional | - |
| licenses.copyleft.explicit | Explicit list of Copyleft licenses to consider. Provide licenses as a comma-separated list. | Optional | - |
| runtimeContainer | Runtime URL | Optional | `ghcr.io/scanoss/scanoss-py:v1.15.0` |
| **Parameter** | **Description** | **Required** | **Default** |
|----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------------------|
| output.filepath | Scan output file name. | Optional | `results.json` |
| dependencies.enabled | Option to enable or disable scanning of dependencies. | Optional | `false` |
| dependencies.scope | Gets development or production dependencies (scopes: prod - dev) | Optional | - |
| dependencies.scope.include | Custom list of dependency scopes to be included. Provide scopes as a comma-separated list. | Optional | - |
| dependencies.scope.exclude | Custom list of dependency scopes to be excluded. Provide scopes as a comma-separated list. | Optional | - |
| policies | List of policies separated by commas, options available are: copyleft, undeclared. | Optional | - |
| policies.halt_on_failure | Halt check on policy failure. If set to false checks will not fail. | Optional | `true` |
| api.url | SCANOSS API URL | Optional | `https://osskb.org/api/scan/direct` |
| api.key | SCANOSS API Key | Optional | - |
| licenses.copyleft.include | List of Copyleft licenses to append to the default list. Provide licenses as a comma-separated list. | Optional | - |
| licenses.copyleft.exclude | List of Copyleft licenses to remove from default list. Provide licenses as a comma-separated list. | Optional | - |
| licenses.copyleft.explicit | Explicit list of Copyleft licenses to consider. Provide licenses as a comma-separated list. | Optional | - |
| runtimeContainer | Runtime URL | Optional | `ghcr.io/scanoss/scanoss-py:v1.19.0` |
| skipSnippets | Skip the generation of snippets. (scanFiles option must be enabled) | Optional | `false` |
| scanFiles | Enable or disable file and snippet scanning | Optional | `true` |
| scanossSettings | Settings file to use for scanning. See the SCANOSS settings [documentation](https://scanoss.readthedocs.io/projects/scanoss-py/en/latest/#settings-file) | Optional | `true` |
| settingsFilepath | Filepath of the SCANOSS settings to be used for scanning | Optional | `scanoss.json` |

### Action Output Parameters

Expand All @@ -88,8 +125,8 @@ The SCANOSS Code Scan Action includes two configurable policies:
1. Copyleft: This policy checks if any component or code snippet is associated with a copyleft license. If such a
license is detected, the pull request (PR) is rejected. The default list of Copyleft licenses is defined in the following [file](https://github.com/scanoss/gha-code-scan/blob/main/src/utils/license.utils.ts).

2. Undeclared: This policy compares the components detected in the repository against those declared in an sbom.json
file (customizable through the sbom.filepath parameter). If there are undeclared components, the PR is rejected.
2. Undeclared: This policy compares the components detected in the repository against those declared in scanoss.json
file (customizable through the settingsFilepath parameter). If there are undeclared components, the PR is rejected.

In this scenario, a classic policy is executed that will fail if copyleft licenses are found within the results:

Expand Down Expand Up @@ -129,7 +166,7 @@ jobs:
id: scanoss-code-scan-step
uses: scanoss/code-scan-action@v0
with:
policies: copyleft, undeclared #NOTE: undeclared policy requires a sbom.json in the project root
policies: copyleft, undeclared
dependencies.enabled: true
# api-url: <YOUR_API_URL>
# api-key: <YOUR_API_KEY>
Expand Down
116 changes: 116 additions & 0 deletions __tests__/copyleft-argument-builder.test.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,116 @@
import { CopyLeftArgumentBuilder } from '../src/policies/argument_builders/copyleft-argument-builder';
import { RUNTIME_CONTAINER } from '../src/app.input';

jest.mock('../src/app.input', () => ({
...jest.requireActual('../src/app.input'),
REPO_DIR: 'scanoss',
OUTPUT_FILEPATH: 'results.json',
COPYLEFT_LICENSE_EXCLUDE: '',
COPYLEFT_LICENSE_EXPLICIT: '',
COPYLEFT_LICENSE_INCLUDE: ''
}));
describe('CopyleftArgumentBuilder', () => {
// Store the module for direct manipulation
const appInput = jest.requireMock('../src/app.input');

afterEach(() => {
appInput.COPYLEFT_LICENSE_EXPLICIT = '';
appInput.COPYLEFT_LICENSE_EXCLUDE = '';
appInput.COPYLEFT_LICENSE_INCLUDE = '';
});

it('Copyleft explicit test', async () => {
appInput.COPYLEFT_LICENSE_EXPLICIT = 'MIT,Apache-2.0';
appInput.COPYLEFT_LICENSE_EXCLUDE = 'MIT,Apache-2.0';
const builder = new CopyLeftArgumentBuilder();
const cmd = await builder.build();
expect(cmd).toEqual([
'run',
'-v',
'scanoss:/scanoss',
RUNTIME_CONTAINER,
'inspect',
'copyleft',
'--input',
'results.json',
'--format',
'md',
'--explicit',
'MIT,Apache-2.0'
]);
});

it('Copyleft exclude test', async () => {
appInput.COPYLEFT_LICENSE_EXCLUDE = 'MIT,Apache-2.0';
const builder = new CopyLeftArgumentBuilder();
const cmd = await builder.build();
expect(cmd).toEqual([
'run',
'-v',
'scanoss:/scanoss',
RUNTIME_CONTAINER,
'inspect',
'copyleft',
'--input',
'results.json',
'--format',
'md',
'--exclude',
'MIT,Apache-2.0'
]);
});

it('Copyleft include test', async () => {
appInput.COPYLEFT_LICENSE_INCLUDE = 'MIT,Apache-2.0,LGPL-3.0-only';
const builder = new CopyLeftArgumentBuilder();
const cmd = await builder.build();
expect(cmd).toEqual([
'run',
'-v',
'scanoss:/scanoss',
RUNTIME_CONTAINER,
'inspect',
'copyleft',
'--input',
'results.json',
'--format',
'md',
'--include',
'MIT,Apache-2.0,LGPL-3.0-only'
]);
});

it('Copyleft empty parameters test', async () => {
const builder = new CopyLeftArgumentBuilder();
const cmd = await builder.build();
expect(cmd).toEqual([
'run',
'-v',
'scanoss:/scanoss',
RUNTIME_CONTAINER,
'inspect',
'copyleft',
'--input',
'results.json',
'--format',
'md'
]);
});

it('Build Command test', async () => {
const builder = new CopyLeftArgumentBuilder();
const cmd = await builder.build();
expect(cmd).toEqual([
'run',
'-v',
'scanoss:/scanoss',
RUNTIME_CONTAINER,
'inspect',
'copyleft',
'--input',
'results.json',
'--format',
'md'
]);
});
});
112 changes: 78 additions & 34 deletions __tests__/copyleft-policy-check.test.ts
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,15 @@
import path from 'path';
import { CopyleftPolicyCheck } from '../src/policies/copyleft-policy-check';
import { CONCLUSION, PolicyCheck } from '../src/policies/policy-check';
import { ScannerResults } from '../src/services/result.interfaces';
import { resultsMock } from './results.mock';
import { CONCLUSION } from '../src/policies/policy-check';

jest.mock('../src/app.input', () => ({
...jest.requireActual('../src/app.input'),
REPO_DIR: '',
OUTPUT_FILEPATH: 'results.json',
COPYLEFT_LICENSE_EXCLUDE: '',
COPYLEFT_LICENSE_EXPLICIT: '',
COPYLEFT_LICENSE_INCLUDE: ''
}));

// Mock the @actions/github module
jest.mock('@actions/github', () => ({
Expand All @@ -14,49 +22,85 @@ jest.mock('@actions/github', () => ({
getOctokit: jest.fn().mockReturnValue({
rest: {
checks: {
update: jest.fn().mockResolvedValue({})
update: jest.fn().mockResolvedValue({}),
create: jest.fn().mockReturnValue({
data: {
id: 1
}
})
}
}
})
}));

describe('CopyleftPolicyCheck', () => {
let scannerResults: ScannerResults;
let policyCheck: CopyleftPolicyCheck;
const appInput = jest.requireMock('../src/app.input');

afterEach(() => {
appInput.COPYLEFT_LICENSE_EXPLICIT = '';
appInput.COPYLEFT_LICENSE_EXCLUDE = '';
appInput.COPYLEFT_LICENSE_INCLUDE = '';
});

beforeEach(() => {
jest.clearAllMocks();
it('Copyleft policy check fail', async () => {
const TEST_DIR = __dirname;
const TEST_REPO_DIR = path.join(TEST_DIR, 'data');
const TEST_RESULTS_FILE = 'results.json';

policyCheck = new CopyleftPolicyCheck();
jest.spyOn(PolicyCheck.prototype, 'uploadArtifact').mockImplementation(async () => {
appInput.REPO_DIR = TEST_REPO_DIR;
appInput.OUTPUT_FILEPATH = TEST_RESULTS_FILE;

jest.spyOn(CopyleftPolicyCheck.prototype, 'uploadArtifact').mockImplementation(async () => {
return Promise.resolve({ id: 123456 });
});
jest.spyOn(PolicyCheck.prototype, 'initStatus').mockImplementation();
jest.spyOn(PolicyCheck.prototype, 'finish').mockImplementation();
});
jest.spyOn(CopyleftPolicyCheck.prototype, 'initStatus').mockImplementation();
jest.spyOn(CopyleftPolicyCheck.prototype, 'updateCheck').mockImplementation();
const copyleftPolicyCheck = new CopyleftPolicyCheck();
await copyleftPolicyCheck.start(1);
await copyleftPolicyCheck.run();
//neutral cause policy policy halt on failure is not set
expect(copyleftPolicyCheck.conclusion).toEqual(CONCLUSION.Neutral);
}, 50000);

it('should pass the policy check when no copyleft components are found', async () => {
scannerResults = JSON.parse(resultsMock[0].content);
await policyCheck.run(scannerResults);
expect(policyCheck.conclusion).toEqual(CONCLUSION.Success);
});
it('Copyleft policy empty results', async () => {
const TEST_DIR = __dirname;
const TEST_REPO_DIR = path.join(TEST_DIR, 'data');
const TEST_RESULTS_FILE = 'results.json';

it('should fail the policy check when copyleft components are found', async () => {
scannerResults = JSON.parse(resultsMock[2].content);
await policyCheck.run(scannerResults);
expect(policyCheck.conclusion).toEqual(CONCLUSION.Neutral);
});
appInput.REPO_DIR = TEST_REPO_DIR;
appInput.OUTPUT_FILEPATH = TEST_RESULTS_FILE;
appInput.COPYLEFT_LICENSE_EXCLUDE = 'GPL-2.0-only';

it('should fail the policy check when copyleft dependencies are found', async () => {
scannerResults = JSON.parse(resultsMock[4].content);
await policyCheck.run(scannerResults);
// NEUTRAL is the same as failure in this context. See inputs.POLICIES_HALT_ON_FAILURE. (Default FALSE)
expect(policyCheck.conclusion).toEqual(CONCLUSION.Neutral);
});
jest.spyOn(CopyleftPolicyCheck.prototype, 'uploadArtifact').mockImplementation(async () => {
return Promise.resolve({ id: 123456 });
});
jest.spyOn(CopyleftPolicyCheck.prototype, 'initStatus').mockImplementation();
jest.spyOn(CopyleftPolicyCheck.prototype, 'updateCheck').mockImplementation();
const copyleftPolicyCheck = new CopyleftPolicyCheck();
await copyleftPolicyCheck.start(1);
await copyleftPolicyCheck.run();
//neutral cause policy policy halt on failure is not set
expect(copyleftPolicyCheck.conclusion).toEqual(CONCLUSION.Success);
}, 50000);

it('should pass the copyleft policy check', async () => {
scannerResults = JSON.parse(resultsMock[5].content);
await policyCheck.run(scannerResults);
expect(policyCheck.conclusion).toEqual(CONCLUSION.Success);
});
it('Copyleft policy explicit licenses', async () => {
const TEST_DIR = __dirname;
const TEST_REPO_DIR = path.join(TEST_DIR, 'data');
const TEST_RESULTS_FILE = 'results.json';

appInput.REPO_DIR = TEST_REPO_DIR;
appInput.OUTPUT_FILEPATH = TEST_RESULTS_FILE;
appInput.COPYLEFT_LICENSE_EXPLICIT = 'MIT,Apache-2.0';

jest.spyOn(CopyleftPolicyCheck.prototype, 'uploadArtifact').mockImplementation(async () => {
return Promise.resolve({ id: 123456 });
});
jest.spyOn(CopyleftPolicyCheck.prototype, 'initStatus').mockImplementation();
jest.spyOn(CopyleftPolicyCheck.prototype, 'updateCheck').mockImplementation();
const copyleftPolicyCheck = new CopyleftPolicyCheck();
await copyleftPolicyCheck.start(1);
await copyleftPolicyCheck.run();
//neutral cause policy policy halt on failure is not set
expect(copyleftPolicyCheck.conclusion).toEqual(CONCLUSION.Neutral);
}, 30000);
});
Loading

0 comments on commit 010b9a3

Please sign in to comment.