Add Code Scan Action #797

Merged (2 commits), Nov 30, 2023

Conversation

Duan-0916 (Contributor):

Motivation:
To strengthen the code review process and ensure the security and compliance of the code, I added code security scanning and open-source component scanning. By including these scans we can identify potential vulnerabilities and ensure the code base meets the requirements of standardized open-source project governance.

Modification:
Added a cloud_code_scan.yml template with code security scanning and open-source component scanning steps. These steps are executed as part of the workflow to perform the necessary security checks and compliance verification. With these scans in place we can address security issues proactively and ensure compliance with open-source license agreements.

Result:
Introducing code security scanning and open-source component scanning strengthens the code review process. It helps identify security vulnerabilities and ensures compliance with open-source license requirements. This improvement helps raise the overall quality and security of the code base.
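As an added illustration, and not the project's own cloud_code_scan.yml (whose contents are not shown on this page), the workflow below wires the two kinds of scan the description names into GitHub Actions: a static code-security scan (here CodeQL for Java) and an open-source component scan (here GitHub's dependency-review action, which flags newly introduced vulnerable or license-denied dependencies on pull requests). The triggers, action versions, JDK setup, severity threshold and denied-license list are all assumptions made for the example.

```yaml
# Added example workflow: code-security scan (CodeQL) plus open-source
# component scan (dependency review). This is NOT the project's
# cloud_code_scan.yml; triggers, action versions, JDK and thresholds are assumed.
name: code-scan

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

# Least privilege for the job token: read the repository, write scan results
# to the Security tab. Nothing in this workflow needs write access to code.
permissions:
  contents: read
  security-events: write

jobs:
  codeql:
    name: Code security scan (CodeQL)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'   # assumed; match the project's build JDK

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
          queries: security-extended   # built-in suite with extra security queries

      # CodeQL for Java traces the real build, so compile the project here.
      - name: Build
        run: mvn -B -DskipTests package

      - name: Analyze and upload results (SARIF) to the Security tab
        uses: github/codeql-action/analyze@v3

  dependency-review:
    name: Open-source component scan
    # Dependency review diffs the PR's manifests against the base branch,
    # so it is only meaningful on pull_request events.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Block newly introduced vulnerable or license-denied dependencies
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
          # Constructed example of licenses the project might not accept.
          deny-licenses: GPL-3.0, AGPL-3.0
```

The dependency-review job relies on the repository's dependency graph being enabled, and the CodeQL job only reports findings when the token can upload to the Security tab, which is why the `permissions` block is declared explicitly rather than relying on the repository default.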


codecov bot commented Nov 30, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (361d445) 68.77% compared to head (d74db26) 68.98%.

@@             Coverage Diff              @@
##             master     #797      +/-   ##
============================================
+ Coverage     68.77%   68.98%   +0.21%     
  Complexity      754      754              
============================================
  Files           161      161              
  Lines          6658     6658              
  Branches        987      987              
============================================
+ Hits           4579     4593      +14     
+ Misses         1590     1575      -15     
- Partials        489      490       +1     


lvjing2 (Collaborator) left a comment:

LGTM

@lvjing2 lvjing2 merged commit 584ac7c into sofastack:master Nov 30, 2023
5 checks passed
lvjing2 pushed a commit that referenced this pull request Jan 11, 2024
Co-authored-by: leo james <leojames.googol@gmail.com>
(cherry picked from commit 584ac7c)
lvjing2 pushed a commit that referenced this pull request Jan 11, 2024
Co-authored-by: leo james <leojames.googol@gmail.com>
(cherry picked from commit 584ac7c)
lvjing2 added a commit that referenced this pull request Feb 1, 2024
* Ark2.0 support Netty plugin (#653)

* Ark support Netty plugin

* fix mvn issue

* fix pom issue

---------

Co-authored-by: Xuhao Wang <1023605039@qq.com>
Co-authored-by: leo james <leojames.googol@gmail.com>
Co-authored-by: yuanyuancin <yuancin@163.com>

(cherry picked from commit 362f9a8)

* Bump org.springframework.boot:spring-boot-starter-webflux from 2.1.0.RELEASE to 2.5.12 in /sofa-ark-plugin/netty-ark-plugin (#785)

* Bump org.springframework.boot:spring-boot-starter-webflux

Bumps [org.springframework.boot:spring-boot-starter-webflux](https://github.com/spring-projects/spring-boot) from 2.1.0.RELEASE to 2.5.12.
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v2.1.0.RELEASE...v2.5.12)

---
updated-dependencies:
- dependency-name: org.springframework.boot:spring-boot-starter-webflux
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update pom.xml

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: leo james <leojames.googol@gmail.com>
(cherry picked from commit 6a9f471)

* support spring cloud for base (#784)

* support .* for exclude

* support .* for exclude

* support spring cloud

* update to 2.2.5-SNAPSHOT

* remove duplicate version properties setting

* update to 2.2.5

(cherry picked from commit cefc679)

* update guava or netty (#788)

* support .* for exclude

* support .* for exclude

* update version

(cherry picked from commit ef684f6)

* Optimize to support spring webflux in ark (#798)

* extend ArkNettyReactiveWebServerFactory

* fix biz override master ReactorHttpHandlerAdapter

* fix Port in use

* fix base service fails when biz uninstalled

* fix the biz service is still accessible after biz was uninstalled

* change version to 2.2.5

* remove unused code

* disposableServer dispose when master stopping

* fix ut, sofa-ark-springboot-starter dependent reactor-netty, change netty-handler version

* fix ci check

---------

Co-authored-by: yuanyuan <fengjun.zfj@antgroup.com>
Co-authored-by: leo james <leojames.googol@gmail.com>

(cherry picked from commit 361d445)

* Create cloud_code_scan.yml (#797)

Co-authored-by: leo james <leojames.googol@gmail.com>
(cherry picked from commit 584ac7c)

* Add a newFile method to handle file paths with spaces. (#803)

(cherry picked from commit 9c37315)

* enable override for plugin (#790)

* support .* for exclude

* support .* for exclude

* enable override for plugin

* optimize static import

* enable classpath for plugin

* add test for override

* remove unused import

* format

* update 2.2.5-SNAPSHOT

(cherry picked from commit 7de1384)

* Export plugin project classes by default (#799)

* feat: export plugin classes by default.

* feat: export plugin classes by default.

* feat: export plugin classes by default.

* feat: export plugin package by default.

* feat: export plugin package by default.

* default add all packages for plugin

* format

---------

Co-authored-by: yanhuai.yh <yanhuai.yh@antgroup.com>
Co-authored-by: leojames <leojames.googol@gmail.com>
(cherry picked from commit 4ade973)

* Parse parameters into a set inside the plugin to avoid a Maven version requirement (#805)

(cherry picked from commit a491814)

* support biz multi context for logback (#807)

Co-authored-by: yuanyuan <fengjun.zfj@antgroup.com>

(cherry picked from commit 52910e5)

* Add ut 1221 (#813)

* add ut

* add tests

* update test

* update format

* update test

* update jarutils test

* update tests

* update tests

* update web server test

* update tests

* update tests

* update test

* update test

* update tests

* update tests

* update format

* update tests

* update test

---------

Co-authored-by: LiuYu <ly109106@alibaba-inc.com>
(cherry picked from commit bb17be2)

* Avoid biz logger context being attached early, support for logback (#816)

* Avoid biz logger context being attached early, support for logback

* format

* fix ut

---------

Co-authored-by: yuanyuan <fengjun.zfj@antgroup.com>
(cherry picked from commit 3fca4a6)

* default exclude pack rules (#814)

* default exclude pack rules

* format

---------

Co-authored-by: yuanyuan <fengjun.zfj@antgroup.com>
Co-authored-by: leo james <leojames.googol@gmail.com>
(cherry picked from commit 7ec6184)

* Add ut 1221 (#817)

* add ut

* add tests

* update test

* update format

* update test

* update jarutils test

* update tests

* update tests

* update web server test

* update tests

* update tests

* update test

* update test

* update tests

* update tests

* update format

* update tests

* update test

* update tests

* update test

* Delete sofa-ark-parent/core/common/C:\temp dir\b\c directory

* update test

* update test

---------

Co-authored-by: LiuYu <ly109106@alibaba-inc.com>
(cherry picked from commit dfef361)

* support delegate from classLoaderHook for getResourceAsStream (#811)

* support delegate from classLoaderHook for getResourceAsStream

* rm guice-multibinding

* remove guice multi binding lib

* Revert "support delegate from classLoaderHook for getResourceAsStream"

This reverts commit 5bd306b.

* fix typo

* remove guice-multibinding

* fix format

(cherry picked from commit 3bcf96f)

* plugin default export package without activator, modify to set (#818)

* support delegate from classLoaderHook for getResourceAsStream

* Revert "support delegate from classLoaderHook for getResourceAsStream"

This reverts commit 5bd306b.

* fix typo

* plugin default export package without activator, modify to set

* fix format

(cherry picked from commit 9c5ce37)

* modify plugin export with classes as default (#819)

* support delegate from classLoaderHook for getResourceAsStream

* Revert "support delegate from classLoaderHook for getResourceAsStream"

This reverts commit 5bd306b.

* fix typo

* plugin default export package without activator, modify to set

* fix format

* export class for plugin as default

(cherry picked from commit ef9584d)

* Add ut 1221 (#820)

* add ut

* add tests

* update test

* update format

* update test

* update jarutils test

* update tests

* update tests

* update web server test

* update tests

* update tests

* update test

* update test

* update tests

* update tests

* update format

* update tests

* update test

* update tests

* update test

* Delete sofa-ark-parent/core/common/C:\temp dir\b\c directory

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

---------

Co-authored-by: LiuYu <ly109106@alibaba-inc.com>
(cherry picked from commit c3192d0)

* 1. update 2.2.7-SNAPSHOT (#823)

2. support SpringBoot 3.2.0 new LaunchedURLClassLoader class

Co-authored-by: 致节 <hzj266771@antgroup.com>

(cherry picked from commit 11f5507)

* Add ut 1221 (#824)

* add ut

* add tests

* update test

* update format

* update test

* update jarutils test

* update tests

* update tests

* update web server test

* update tests

* update tests

* update test

* update test

* update tests

* update tests

* update format

* update tests

* update test

* update tests

* update test

* Delete sofa-ark-parent/core/common/C:\temp dir\b\c directory

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

---------

Co-authored-by: LiuYu <ly109106@alibaba-inc.com>
(cherry picked from commit bc52a4c)

* update javadoc to support multi jdk env

* ut for the target jdk17 branch

* update logback

* remove logback context selector adapter, because it had been abandoned by qos-ch/logback#765

* fix autoconfiguration

* ark logger lazy init (#829)

* support delegate from classLoaderHook for getResourceAsStream

* Revert "support delegate from classLoaderHook for getResourceAsStream"

This reverts commit 5bd306b.

* fix typo

* plugin default export package without activator, modify to set

* fix format

* export class for plugin as default

* update to 2.2.6

* ark logger lazy init

* format

(cherry picked from commit 368a8be)

* fix windows mvn goal parse (#831)

* update to 2.2.7

* fix windows mvn goal parse

(cherry picked from commit 6a97493)

* enable sub bundle pom analysis first

* remove unused imports

(cherry picked from commit b3133d4)

* modify github to httpbin

(cherry picked from commit f8d2b07)

* support run mvn tree in test

(cherry picked from commit 34580be)

* Support configuring Tomcat (#839)

Co-authored-by: 巨鹿 <yanwen@cai-inc.com>

(cherry picked from commit 1b2ac68)

* Update inactive_issues_robot.yml (#840)

(cherry picked from commit 4f8c7d6)

* modify test for zip fill to support jdk9+

* fix export import config

* support multi sdk

* format test

* add guice lib

---------

Co-authored-by: FanYang <399284508@qq.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: yuanyuancin <yuancin@163.com>
Co-authored-by: Duan-0916 <76544421+Duan-0916@users.noreply.github.com>
Co-authored-by: FlyAbner <776070848@qq.com>
Co-authored-by: Yan Huai <compasty@163.com>
Co-authored-by: Liu Jing <anderson.liuj@antfin.com>
Co-authored-by: lylingzhen <101314559+lylingzhen@users.noreply.github.com>
Co-authored-by: HzjNeverStop <441627022@qq.com>
Co-authored-by: 巨鹿 <290584697@qq.com>
lvjing2 added a commit that referenced this pull request Feb 1, 2024
* Suit 3.2.0 (#789)

* suit springboot 3.2.0

* suit springboot 3.2.0

---------

Co-authored-by: 致节 <hzj266771@antgroup.com>

* Ark2.0 support Netty plugin (#653)

* Ark support Netty plugin

* fix mvn issue

* fix pom issue

---------

Co-authored-by: Xuhao Wang <1023605039@qq.com>
Co-authored-by: leo james <leojames.googol@gmail.com>
Co-authored-by: yuanyuancin <yuancin@163.com>

(cherry picked from commit 362f9a8)

* Bump org.springframework.boot:spring-boot-starter-webflux from 2.1.0.RELEASE to 2.5.12 in /sofa-ark-plugin/netty-ark-plugin (#785)

* Bump org.springframework.boot:spring-boot-starter-webflux

Bumps [org.springframework.boot:spring-boot-starter-webflux](https://github.com/spring-projects/spring-boot) from 2.1.0.RELEASE to 2.5.12.
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v2.1.0.RELEASE...v2.5.12)

---
updated-dependencies:
- dependency-name: org.springframework.boot:spring-boot-starter-webflux
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update pom.xml

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: leo james <leojames.googol@gmail.com>
(cherry picked from commit 6a9f471)

* support spring cloud for base (#784)

* support .* for exclude

* support .* for exclude

* support spring cloud

* update to 2.2.5-SNAPSHOT

* remove duplicate version properties setting

* update to 2.2.5

(cherry picked from commit cefc679)

* update guava or netty (#788)

* support .* for exclude

* support .* for exclude

* update version

(cherry picked from commit ef684f6)

* Optimize to support spring webflux in ark (#798)

* extend ArkNettyReactiveWebServerFactory

* fix biz override master ReactorHttpHandlerAdapter

* fix Port in use

* fix base service fails when biz uninstalled

* fix the biz service is still accessible after biz was uninstalled

* change version to 2.2.5

* remove unused code

* disposableServer dispose when master stopping

* fix ut, sofa-ark-springboot-starter dependent reactor-netty, change netty-handler version

* fix ci check

---------

Co-authored-by: yuanyuan <fengjun.zfj@antgroup.com>
Co-authored-by: leo james <leojames.googol@gmail.com>

(cherry picked from commit 361d445)

* Create cloud_code_scan.yml (#797)

Co-authored-by: leo james <leojames.googol@gmail.com>
(cherry picked from commit 584ac7c)

* Add a newFile method to handle file paths with spaces. (#803)

(cherry picked from commit 9c37315)

* enable override for plugin (#790)

* support .* for exclude

* support .* for exclude

* enable override for plugin

* optimize static import

* enable classpath for plugin

* add test for override

* remove unused import

* format

* update 2.2.5-SNAPSHOT

(cherry picked from commit 7de1384)

* Export plugin project classes by default (#799)

* feat: export plugin classes by default.

* feat: export plugin classes by default.

* feat: export plugin classes by default.

* feat: export plugin package by default.

* feat: export plugin package by default.

* default add all packages for plugin

* format

---------

Co-authored-by: yanhuai.yh <yanhuai.yh@antgroup.com>
Co-authored-by: leojames <leojames.googol@gmail.com>
(cherry picked from commit 4ade973)

* Parse parameters into a set inside the plugin to avoid a Maven version requirement (#805)

(cherry picked from commit a491814)

* support biz multi context for logback (#807)

Co-authored-by: yuanyuan <fengjun.zfj@antgroup.com>

(cherry picked from commit 52910e5)

* Add ut 1221 (#813)

* add ut

* add tests

* update test

* update format

* update test

* update jarutils test

* update tests

* update tests

* update web server test

* update tests

* update tests

* update test

* update test

* update tests

* update tests

* update format

* update tests

* update test

---------

Co-authored-by: LiuYu <ly109106@alibaba-inc.com>
(cherry picked from commit bb17be2)

* Avoid biz logger context being attached early, support for logback (#816)

* Avoid biz logger context being attached early, support for logback

* format

* fix ut

---------

Co-authored-by: yuanyuan <fengjun.zfj@antgroup.com>
(cherry picked from commit 3fca4a6)

* default exclude pack rules (#814)

* default exclude pack rules

* format

---------

Co-authored-by: yuanyuan <fengjun.zfj@antgroup.com>
Co-authored-by: leo james <leojames.googol@gmail.com>
(cherry picked from commit 7ec6184)

* Add ut 1221 (#817)

* add ut

* add tests

* update test

* update format

* update test

* update jarutils test

* update tests

* update tests

* update web server test

* update tests

* update tests

* update test

* update test

* update tests

* update tests

* update format

* update tests

* update test

* update tests

* update test

* Delete sofa-ark-parent/core/common/C:\temp dir\b\c directory

* update test

* update test

---------

Co-authored-by: LiuYu <ly109106@alibaba-inc.com>
(cherry picked from commit dfef361)

* support delegate from classLoaderHook for getResourceAsStream (#811)

* support delegate from classLoaderHook for getResourceAsStream

* rm guice-multibinding

* remove guice multi binding lib

* Revert "support delegate from classLoaderHook for getResourceAsStream"

This reverts commit 5bd306b.

* fix typo

* remove guice-multibinding

* fix format

(cherry picked from commit 3bcf96f)

* plugin default export package without activator, modify to set (#818)

* support delegate from classLoaderHook for getResourceAsStream

* Revert "support delegate from classLoaderHook for getResourceAsStream"

This reverts commit 5bd306b.

* fix typo

* plugin default export package without activator, modify to set

* fix format

(cherry picked from commit 9c5ce37)

* modify plugin export with classes as default (#819)

* support delegate from classLoaderHook for getResourceAsStream

* Revert "support delegate from classLoaderHook for getResourceAsStream"

This reverts commit 5bd306b.

* fix typo

* plugin default export package without activator, modify to set

* fix format

* export class for plugin as default

(cherry picked from commit ef9584d)

* Add ut 1221 (#820)

* add ut

* add tests

* update test

* update format

* update test

* update jarutils test

* update tests

* update tests

* update web server test

* update tests

* update tests

* update test

* update test

* update tests

* update tests

* update format

* update tests

* update test

* update tests

* update test

* Delete sofa-ark-parent/core/common/C:\temp dir\b\c directory

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

---------

Co-authored-by: LiuYu <ly109106@alibaba-inc.com>
(cherry picked from commit c3192d0)

* 1. update 2.2.7-SNAPSHOT (#823)

2. support SpringBoot 3.2.0 new LaunchedURLClassLoader class

Co-authored-by: 致节 <hzj266771@antgroup.com>

(cherry picked from commit 11f5507)

* Add ut 1221 (#824)

* add ut

* add tests

* update test

* update format

* update test

* update jarutils test

* update tests

* update tests

* update web server test

* update tests

* update tests

* update test

* update test

* update tests

* update tests

* update format

* update tests

* update test

* update tests

* update test

* Delete sofa-ark-parent/core/common/C:\temp dir\b\c directory

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

* update test

---------

Co-authored-by: LiuYu <ly109106@alibaba-inc.com>
(cherry picked from commit bc52a4c)

* update javadoc to support multi jdk env

* ut for the target jdk17 branch

* update logback

* remove logback context selector adapter, because it had been abandoned by qos-ch/logback#765

* fix autoconfiguration

* ark logger lazy init (#829)

* support delegate from classLoaderHook for getResourceAsStream

* Revert "support delegate from classLoaderHook for getResourceAsStream"

This reverts commit 5bd306b.

* fix typo

* plugin default export package without activator, modify to set

* fix format

* export class for plugin as default

* update to 2.2.6

* ark logger lazy init

* format

(cherry picked from commit 368a8be)

* fix windows mvn goal parse (#831)

* update to 2.2.7

* fix windows mvn goal parse

(cherry picked from commit 6a97493)

* enable sub bundle pom analysis first

* commit

* add test

* remove unused imports

(cherry picked from commit b3133d4)

* modify github to httpbin

(cherry picked from commit f8d2b07)

* support run mvn tree in test

(cherry picked from commit 34580be)

* log version

* remove log sofa boot starter

* Support configuring Tomcat (#839)

Co-authored-by: 巨鹿 <yanwen@cai-inc.com>

(cherry picked from commit 1b2ac68)

* unit test

* unit test

* add unit test

* add unit test

* resolve application.properties extension

* Update inactive_issues_robot.yml (#840)

(cherry picked from commit 4f8c7d6)

* modify test for zip fill to support jdk9+

* add unit test

* add comment

* fix export import config

* support multi sdk

* format test

* add guice lib

* remove module slimming

* inner test class

* unit test

* commit

* adjust package position

* unit test

* update version

---------

Co-authored-by: HzjNeverStop <441627022@qq.com>
Co-authored-by: 致节 <hzj266771@antgroup.com>
Co-authored-by: FanYang <399284508@qq.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: leo james <leojames.googol@gmail.com>
Co-authored-by: yuanyuancin <yuancin@163.com>
Co-authored-by: Duan-0916 <76544421+Duan-0916@users.noreply.github.com>
Co-authored-by: FlyAbner <776070848@qq.com>
Co-authored-by: Yan Huai <compasty@163.com>
Co-authored-by: Liu Jing <anderson.liuj@antfin.com>
Co-authored-by: lylingzhen <101314559+lylingzhen@users.noreply.github.com>
Co-authored-by: chaya.cy <chaya.cy@antgroup.com>
Co-authored-by: 巨鹿 <290584697@qq.com>