Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feat/groh/integrate scanoss json #73

Merged
merged 16 commits into from
Dec 20, 2024
Merged

Feat/groh/integrate scanoss json #73

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
6b51153
feat:SP-1918 Use scanoss-py policies
agustingroh Dec 9, 2024
1c3a77a
feat: SP-1919 Add skip snippet and scanoss setting flags
agustingroh Dec 9, 2024
003335c
chore:SP-1920 Use scanoss-py copyleft policy
agustingroh Dec 9, 2024
4cbecae
chore:SP-1922 Integrates undeclared components policy from scanoss-py
agustingroh Dec 9, 2024
f22e879
chore:SP-1924 Adds copyleft policy unit tests
agustingroh Dec 10, 2024
166bbbe
chore:SP-1927 Adds undeclared component unit tests
agustingroh Dec 10, 2024
f7f5381
Upgrades version to 0.2.4
agustingroh Dec 10, 2024
f66f2f1
Fixes linter warnings
agustingroh Dec 18, 2024
1ddcbb6
chore:SP-1964 Removes sbom.json feature
agustingroh Dec 18, 2024
2ba72ff
chore:SP-1957 Upgrades scanoss.py version to v1.18.1
agustingroh Dec 19, 2024
bf275ec
chore:Fix linter warnings
agustingroh Dec 19, 2024
66815e3
Changes linter.yml file
agustingroh Dec 19, 2024
d9c1aa9
chore: SP-1979 Removes sbom.json export format
agustingroh Dec 20, 2024
c241976
chore: SP-1980 Add warning when SCANOSS settings is not enabled
agustingroh Dec 20, 2024
754bd8b
chore:SP-1977 Adds breaking change documentation v1.0.1
agustingroh Dec 20, 2024
2d16be6
chore: SP-1978 Upgrades default runtime container version to v1.19.0
agustingroh Dec 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .eslintignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,4 @@ lib/
dist/
node_modules/
coverage/

4 changes: 2 additions & 2 deletions .github/linters/.eslintrc.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ rules:
'@typescript-eslint/func-call-spacing': ['error', 'never'],
'@typescript-eslint/no-array-constructor': 'error',
'@typescript-eslint/no-empty-interface': 'error',
'@typescript-eslint/no-explicit-any': 'warn',
'@typescript-eslint/no-explicit-any': 'off',
'@typescript-eslint/no-extraneous-class': 'error',
'@typescript-eslint/no-for-in-array': 'error',
'@typescript-eslint/no-inferrable-types': 'error',
Expand All @@ -82,5 +82,5 @@ rules:
'@typescript-eslint/type-annotation-spacing': 'error',
'@typescript-eslint/unbound-method': 'error',
'github/array-foreach' : 'off',
'eslint-comments/no-unlimited-disable': 'off'
'eslint-comments/no-unlimited-disable': 'off',
}
4 changes: 3 additions & 1 deletion .github/workflows/linter.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ permissions:
jobs:
lint:
name: Lint Codebase
runs-on: ubuntu-latest
runs-on: ubuntu-22.04

steps:
- name: Checkout
Expand Down Expand Up @@ -45,3 +45,5 @@ jobs:
VALIDATE_JSCPD: false
VALIDATE_MARKDOWN: false
VALIDATE_NATURAL_LANGUAGE: false
SUPPRESS_FILE_TYPE_WARN: true
VALIDATE_JSON: false
79 changes: 58 additions & 21 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,42 @@ vulnerabilities and license compliance with configurable policies.

</div>

## Breaking change v1.0.1

- Default runtime container updated to `ghcr.io/scanoss/scanoss-py:v1.19.0`
- Removed parameters:
- `sbom.enabled`
- `sbom.filepath`
- `sbom.type`

### Converting from sbom.json to scanoss.json
The SBOM configuration format has changed and the file name must be updated from **sbom.json** to **scanoss.json**. Here's how to convert your existing configuration:

Old format (sbom.json):
```json
{
"components": [
{
"purl": "pkg:github/scanoss/scanner.c"
}
]
}
```

New format (scanoss.json):
```json
{
"bom": {
"include": [
{
"purl": "pkg:github/scanoss/scanner.c"
}
]
}
}
```


## Usage

To begin using this action, you'll need to set up a basic GitHub workflow and define a job within it:
Expand Down Expand Up @@ -53,24 +89,25 @@ For example workflow runs, check out our

### Action Input Parameters

| **Parameter** | **Description** | **Required** | **Default** |
|----------------------------|------------------------------------------------------------------------------------------------------|--------------|---------------------------------------|
| output.filepath | Scan output file name. | Optional | `results.json` |
| sbom.enabled | Enable or disable scanning based on the SBOM file | Optional | `true` |
| sbom.filepath | Filepath of the SBOM file to be used for scanning | Optional | `sbom.json` |
| sbom.type | Type of SBOM operation: either 'identify' or 'ignore | Optional | `identify` |
| dependencies.enabled | Option to enable or disable scanning of dependencies. | Optional | `false` |
| dependencies.scope | Gets development or production dependencies (scopes: prod - dev) | Optional | - |
| dependencies.scope.include | Custom list of dependency scopes to be included. Provide scopes as a comma-separated list. | Optional | - |
| dependencies.scope.exclude | Custom list of dependency scopes to be excluded. Provide scopes as a comma-separated list. | Optional | - |
| policies | List of policies separated by commas, options available are: copyleft, undeclared. | Optional | - |
| policies.halt_on_failure | Halt check on policy failure. If set to false checks will not fail. | Optional | `true` |
| api.url | SCANOSS API URL | Optional | `https://osskb.org/api/scan/direct` |
| api.key | SCANOSS API Key | Optional | - |
| licenses.copyleft.include | List of Copyleft licenses to append to the default list. Provide licenses as a comma-separated list. | Optional | - |
| licenses.copyleft.exclude | List of Copyleft licenses to remove from default list. Provide licenses as a comma-separated list. | Optional | - |
| licenses.copyleft.explicit | Explicit list of Copyleft licenses to consider. Provide licenses as a comma-separated list. | Optional | - |
| runtimeContainer | Runtime URL | Optional | `ghcr.io/scanoss/scanoss-py:v1.15.0` |
| **Parameter** | **Description** | **Required** | **Default** |
|----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------------------|
| output.filepath | Scan output file name. | Optional | `results.json` |
| dependencies.enabled | Option to enable or disable scanning of dependencies. | Optional | `false` |
| dependencies.scope | Gets development or production dependencies (scopes: prod - dev) | Optional | - |
| dependencies.scope.include | Custom list of dependency scopes to be included. Provide scopes as a comma-separated list. | Optional | - |
| dependencies.scope.exclude | Custom list of dependency scopes to be excluded. Provide scopes as a comma-separated list. | Optional | - |
| policies | List of policies separated by commas, options available are: copyleft, undeclared. | Optional | - |
| policies.halt_on_failure | Halt check on policy failure. If set to false checks will not fail. | Optional | `true` |
| api.url | SCANOSS API URL | Optional | `https://osskb.org/api/scan/direct` |
| api.key | SCANOSS API Key | Optional | - |
| licenses.copyleft.include | List of Copyleft licenses to append to the default list. Provide licenses as a comma-separated list. | Optional | - |
| licenses.copyleft.exclude | List of Copyleft licenses to remove from default list. Provide licenses as a comma-separated list. | Optional | - |
| licenses.copyleft.explicit | Explicit list of Copyleft licenses to consider. Provide licenses as a comma-separated list. | Optional | - |
| runtimeContainer | Runtime URL | Optional | `ghcr.io/scanoss/scanoss-py:v1.19.0` |
| skipSnippets | Skip the generation of snippets. (scanFiles option must be enabled) | Optional | `false` |
| scanFiles | Enable or disable file and snippet scanning | Optional | `true` |
| scanossSettings | Settings file to use for scanning. See the SCANOSS settings [documentation](https://scanoss.readthedocs.io/projects/scanoss-py/en/latest/#settings-file) | Optional | `true` |
| settingsFilepath | Filepath of the SCANOSS settings to be used for scanning | Optional | `scanoss.json` |

### Action Output Parameters

Expand All @@ -88,8 +125,8 @@ The SCANOSS Code Scan Action includes two configurable policies:
1. Copyleft: This policy checks if any component or code snippet is associated with a copyleft license. If such a
license is detected, the pull request (PR) is rejected. The default list of Copyleft licenses is defined in the following [file](https://github.com/scanoss/gha-code-scan/blob/main/src/utils/license.utils.ts).

2. Undeclared: This policy compares the components detected in the repository against those declared in an sbom.json
file (customizable through the sbom.filepath parameter). If there are undeclared components, the PR is rejected.
2. Undeclared: This policy compares the components detected in the repository against those declared in scanoss.json
file (customizable through the settingsFilepath parameter). If there are undeclared components, the PR is rejected.

In this scenario, a classic policy is executed that will fail if copyleft licenses are found within the results:

Expand Down Expand Up @@ -129,7 +166,7 @@ jobs:
id: scanoss-code-scan-step
uses: scanoss/code-scan-action@v0
with:
policies: copyleft, undeclared #NOTE: undeclared policy requires a sbom.json in the project root
policies: copyleft, undeclared
dependencies.enabled: true
# api-url: <YOUR_API_URL>
# api-key: <YOUR_API_KEY>
Expand Down
116 changes: 116 additions & 0 deletions __tests__/copyleft-argument-builder.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,116 @@
import { CopyLeftArgumentBuilder } from '../src/policies/argument_builders/copyleft-argument-builder';
import { RUNTIME_CONTAINER } from '../src/app.input';

jest.mock('../src/app.input', () => ({
...jest.requireActual('../src/app.input'),
REPO_DIR: 'scanoss',
OUTPUT_FILEPATH: 'results.json',
COPYLEFT_LICENSE_EXCLUDE: '',
COPYLEFT_LICENSE_EXPLICIT: '',
COPYLEFT_LICENSE_INCLUDE: ''
}));
describe('CopyleftArgumentBuilder', () => {
// Store the module for direct manipulation
const appInput = jest.requireMock('../src/app.input');

afterEach(() => {
appInput.COPYLEFT_LICENSE_EXPLICIT = '';
appInput.COPYLEFT_LICENSE_EXCLUDE = '';
appInput.COPYLEFT_LICENSE_INCLUDE = '';
});

it('Copyleft explicit test', async () => {
appInput.COPYLEFT_LICENSE_EXPLICIT = 'MIT,Apache-2.0';
appInput.COPYLEFT_LICENSE_EXCLUDE = 'MIT,Apache-2.0';
const builder = new CopyLeftArgumentBuilder();
const cmd = await builder.build();
expect(cmd).toEqual([
'run',
'-v',
'scanoss:/scanoss',
RUNTIME_CONTAINER,
'inspect',
'copyleft',
'--input',
'results.json',
'--format',
'md',
'--explicit',
'MIT,Apache-2.0'
]);
});

it('Copyleft exclude test', async () => {
appInput.COPYLEFT_LICENSE_EXCLUDE = 'MIT,Apache-2.0';
const builder = new CopyLeftArgumentBuilder();
const cmd = await builder.build();
expect(cmd).toEqual([
'run',
'-v',
'scanoss:/scanoss',
RUNTIME_CONTAINER,
'inspect',
'copyleft',
'--input',
'results.json',
'--format',
'md',
'--exclude',
'MIT,Apache-2.0'
]);
});

it('Copyleft include test', async () => {
appInput.COPYLEFT_LICENSE_INCLUDE = 'MIT,Apache-2.0,LGPL-3.0-only';
const builder = new CopyLeftArgumentBuilder();
const cmd = await builder.build();
expect(cmd).toEqual([
'run',
'-v',
'scanoss:/scanoss',
RUNTIME_CONTAINER,
'inspect',
'copyleft',
'--input',
'results.json',
'--format',
'md',
'--include',
'MIT,Apache-2.0,LGPL-3.0-only'
]);
});

it('Copyleft empty parameters test', async () => {
const builder = new CopyLeftArgumentBuilder();
const cmd = await builder.build();
expect(cmd).toEqual([
'run',
'-v',
'scanoss:/scanoss',
RUNTIME_CONTAINER,
'inspect',
'copyleft',
'--input',
'results.json',
'--format',
'md'
]);
});

it('Build Command test', async () => {
const builder = new CopyLeftArgumentBuilder();
const cmd = await builder.build();
expect(cmd).toEqual([
'run',
'-v',
'scanoss:/scanoss',
RUNTIME_CONTAINER,
'inspect',
'copyleft',
'--input',
'results.json',
'--format',
'md'
]);
});
});
112 changes: 78 additions & 34 deletions __tests__/copyleft-policy-check.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,15 @@
import path from 'path';
import { CopyleftPolicyCheck } from '../src/policies/copyleft-policy-check';
import { CONCLUSION, PolicyCheck } from '../src/policies/policy-check';
import { ScannerResults } from '../src/services/result.interfaces';
import { resultsMock } from './results.mock';
import { CONCLUSION } from '../src/policies/policy-check';

jest.mock('../src/app.input', () => ({
...jest.requireActual('../src/app.input'),
REPO_DIR: '',
OUTPUT_FILEPATH: 'results.json',
COPYLEFT_LICENSE_EXCLUDE: '',
COPYLEFT_LICENSE_EXPLICIT: '',
COPYLEFT_LICENSE_INCLUDE: ''
}));

// Mock the @actions/github module
jest.mock('@actions/github', () => ({
Expand All @@ -14,49 +22,85 @@ jest.mock('@actions/github', () => ({
getOctokit: jest.fn().mockReturnValue({
rest: {
checks: {
update: jest.fn().mockResolvedValue({})
update: jest.fn().mockResolvedValue({}),
create: jest.fn().mockReturnValue({
data: {
id: 1
}
})
}
}
})
}));

describe('CopyleftPolicyCheck', () => {
let scannerResults: ScannerResults;
let policyCheck: CopyleftPolicyCheck;
const appInput = jest.requireMock('../src/app.input');

afterEach(() => {
appInput.COPYLEFT_LICENSE_EXPLICIT = '';
appInput.COPYLEFT_LICENSE_EXCLUDE = '';
appInput.COPYLEFT_LICENSE_INCLUDE = '';
});

beforeEach(() => {
jest.clearAllMocks();
it('Copyleft policy check fail', async () => {
const TEST_DIR = __dirname;
const TEST_REPO_DIR = path.join(TEST_DIR, 'data');
const TEST_RESULTS_FILE = 'results.json';

policyCheck = new CopyleftPolicyCheck();
jest.spyOn(PolicyCheck.prototype, 'uploadArtifact').mockImplementation(async () => {
appInput.REPO_DIR = TEST_REPO_DIR;
appInput.OUTPUT_FILEPATH = TEST_RESULTS_FILE;

jest.spyOn(CopyleftPolicyCheck.prototype, 'uploadArtifact').mockImplementation(async () => {
return Promise.resolve({ id: 123456 });
});
jest.spyOn(PolicyCheck.prototype, 'initStatus').mockImplementation();
jest.spyOn(PolicyCheck.prototype, 'finish').mockImplementation();
});
jest.spyOn(CopyleftPolicyCheck.prototype, 'initStatus').mockImplementation();
jest.spyOn(CopyleftPolicyCheck.prototype, 'updateCheck').mockImplementation();
const copyleftPolicyCheck = new CopyleftPolicyCheck();
await copyleftPolicyCheck.start(1);
await copyleftPolicyCheck.run();
//neutral cause policy policy halt on failure is not set
expect(copyleftPolicyCheck.conclusion).toEqual(CONCLUSION.Neutral);
}, 50000);

it('should pass the policy check when no copyleft components are found', async () => {
scannerResults = JSON.parse(resultsMock[0].content);
await policyCheck.run(scannerResults);
expect(policyCheck.conclusion).toEqual(CONCLUSION.Success);
});
it('Copyleft policy empty results', async () => {
const TEST_DIR = __dirname;
const TEST_REPO_DIR = path.join(TEST_DIR, 'data');
const TEST_RESULTS_FILE = 'results.json';

it('should fail the policy check when copyleft components are found', async () => {
scannerResults = JSON.parse(resultsMock[2].content);
await policyCheck.run(scannerResults);
expect(policyCheck.conclusion).toEqual(CONCLUSION.Neutral);
});
appInput.REPO_DIR = TEST_REPO_DIR;
appInput.OUTPUT_FILEPATH = TEST_RESULTS_FILE;
appInput.COPYLEFT_LICENSE_EXCLUDE = 'GPL-2.0-only';

it('should fail the policy check when copyleft dependencies are found', async () => {
scannerResults = JSON.parse(resultsMock[4].content);
await policyCheck.run(scannerResults);
// NEUTRAL is the same as failure in this context. See inputs.POLICIES_HALT_ON_FAILURE. (Default FALSE)
expect(policyCheck.conclusion).toEqual(CONCLUSION.Neutral);
});
jest.spyOn(CopyleftPolicyCheck.prototype, 'uploadArtifact').mockImplementation(async () => {
return Promise.resolve({ id: 123456 });
});
jest.spyOn(CopyleftPolicyCheck.prototype, 'initStatus').mockImplementation();
jest.spyOn(CopyleftPolicyCheck.prototype, 'updateCheck').mockImplementation();
const copyleftPolicyCheck = new CopyleftPolicyCheck();
await copyleftPolicyCheck.start(1);
await copyleftPolicyCheck.run();
//neutral cause policy policy halt on failure is not set
expect(copyleftPolicyCheck.conclusion).toEqual(CONCLUSION.Success);
}, 50000);

it('should pass the copyleft policy check', async () => {
scannerResults = JSON.parse(resultsMock[5].content);
await policyCheck.run(scannerResults);
expect(policyCheck.conclusion).toEqual(CONCLUSION.Success);
});
it('Copyleft policy explicit licenses', async () => {
const TEST_DIR = __dirname;
const TEST_REPO_DIR = path.join(TEST_DIR, 'data');
const TEST_RESULTS_FILE = 'results.json';

appInput.REPO_DIR = TEST_REPO_DIR;
appInput.OUTPUT_FILEPATH = TEST_RESULTS_FILE;
appInput.COPYLEFT_LICENSE_EXPLICIT = 'MIT,Apache-2.0';

jest.spyOn(CopyleftPolicyCheck.prototype, 'uploadArtifact').mockImplementation(async () => {
return Promise.resolve({ id: 123456 });
});
jest.spyOn(CopyleftPolicyCheck.prototype, 'initStatus').mockImplementation();
jest.spyOn(CopyleftPolicyCheck.prototype, 'updateCheck').mockImplementation();
const copyleftPolicyCheck = new CopyleftPolicyCheck();
await copyleftPolicyCheck.start(1);
await copyleftPolicyCheck.run();
//neutral cause policy policy halt on failure is not set
expect(copyleftPolicyCheck.conclusion).toEqual(CONCLUSION.Neutral);
}, 30000);
});
Loading
Loading