SDKS-3771 Setup Mend SAST scan #474
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files

@@ Coverage Diff @@
##           develop    #474    +/-   ##
=============================================
+ Coverage    64.43%  64.44%  +0.01%
- Complexity    1677    1679     +2
=============================================
  Files          257     257
  Lines         8676    8676
  Branches       924     924
=============================================
+ Hits          5590    5591     +1
- Misses        2672    2673     +1
+ Partials       414     412     -2

Flags with carried forward coverage won't be shown.
3e5bd02 to 33bfcd9
@@ -25,14 +25,6 @@ jobs: | |||
repository: ${{github.event.pull_request.head.repo.full_name}} | |||
fetch-depth: 0 | |||
|
|||
# Setup JDK and cache and restore dependencies. |
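Review bot: the comment `# Setup JDK and cache and restore dependencies.` at the end of this hunk should go with the JDK setup it describes: the header (-25,14 +25,6) shows eight lines removed from the job, and if that comment line is what remains, it now documents a step that no longer exists. Drop it, or reword it to describe the step that actually follows (the Mend CLI cache/download), so a reader of the workflow is not sent looking for a JDK step.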
There is no need to set up a JDK on the runner for Mend CLI scans... and thus I removed this part...
@@ -49,45 +41,118 @@ jobs: | |||
- if: ${{ steps.cache-mend.outputs.cache-hit != 'true' }} | |||
name: Download Mend CLI executable (cache miss...) | |||
continue-on-error: true | |||
shell: bash |
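Review bot: `continue-on-error: true` on the `Download Mend CLI executable (cache miss...)` step turns a failed download into a green step, so the later scan steps run without a CLI and the job's outcome then depends on how those steps happen to fail rather than on the download itself. Remove `continue-on-error` here, or follow the step with an explicit check that fails hard when the executable is absent (for example `test -x "<path-to-mend-cli>" || exit 1`, path to be filled in), so a cache miss combined with a download failure cannot produce a run that looks like it scanned.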
Even though GitHub defaults to bash on Ubuntu runners, it's safer to be explicit for portability...
- name: Fail if Critical or High SCA vulnerabilities are found | ||
shell: bash | ||
run: | | ||
if [ "$MEND_SCA_CRITICAL_COUNT" -gt 0 ] || [ "$MEND_SCA_HIGH_COUNT" -gt 0 ]; then |
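Review bot: `[ "$MEND_SCA_CRITICAL_COUNT" -gt 0 ] || [ "$MEND_SCA_HIGH_COUNT" -gt 0 ]` fails open when either variable is empty or non-numeric: `[` prints `integer expression expected`, returns 2, the `if` condition is false and the gate passes, which is precisely the situation when the scan or the result parsing did not run. Guard the inputs first, e.g. `: "${MEND_SCA_CRITICAL_COUNT:?not set}"` and `: "${MEND_SCA_HIGH_COUNT:?not set}"`, or a `case` check that each value is all digits, so a missing count fails the job instead of passing it.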
Note that the job fails only if some Critical or High vulnerabilities are found! Mediums and Lows won't fail the pipeline!
MEND_URL: ${{ vars.MEND_SERVER_URL }} | ||
shell: bash | ||
run: | | ||
mend code --report --filename ${{ vars.MEND_SAST_REPORT_NAME }} --formats json,pdf --non-interactive --scope ${{ vars.MEND_PRODUCT_NAME }}//${{ vars.MEND_PROJECT_NAME }} > mend-sast-scan-result.txt |
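Review bot: the `mend code` command line interpolates `${{ vars.MEND_SAST_REPORT_NAME }}`, `${{ vars.MEND_PRODUCT_NAME }}` and `${{ vars.MEND_PROJECT_NAME }}` directly into the `run:` script, while `MEND_URL` in the same step is passed through `env:`; be consistent and route all of them through `env:` and reference them as quoted shell variables (`--filename "$MEND_SAST_REPORT_NAME"`, `--scope "$MEND_PRODUCT_NAME//$MEND_PROJECT_NAME"`). Inline `${{ }}` expansion is substituted into the script text before bash ever sees it, so a value containing spaces or shell metacharacters changes the command instead of being passed as an argument; `env:` plus quoting keeps the values as data.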
We run the Mend SAST scan and produce 2 files - JSON and PDF - and the report is published to Mend under ${{ vars.MEND_PRODUCT_NAME }}//${{ vars.MEND_PROJECT_NAME }}.
The JSON file is used to parse the results. The PDF is attached to the pipeline run... (see below...)
run: | | ||
if [ '${{ env.MEND_CRITICAL_COUNT }}' -gt '0' ] || [ '${{ env.MEND_HIGH_COUNT }}' -gt '0' ]; then | ||
if [ "$MEND_SAST_CRITICAL_COUNT" -gt 0 ] || [ "$MEND_SAST_HIGH_COUNT" -gt 0 ]; then |
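Review bot: the threshold ("fail only on Critical or High") lives only in this `if`, repeated verbatim for the SCA gate earlier in the hunk, and nothing in the workflow states that Medium and Low findings are intentionally non-blocking. Put that policy in a comment above the step, or better, drive it from a repository variable alongside the other `vars.MEND_*` settings, so the two gates cannot drift apart and the non-blocking severities are a visible, reviewable decision rather than something inferred from the condition.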
Again, the job fails only if some Critical or High vulnerabilities are found! Mediums and Lows won't fail the pipeline!
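The two gates discussed in this thread (the SCA step and this SAST step) share one rule: any Critical or High count fails the job, Medium and Low do not. The script below is an added example, not code from this PR or from the Mend CLI, that implements that rule as a small shell function and also fails closed when a count is missing or not a number, which a bare `[ "$X" -gt 0 ]` does not. The names `mend_gate`, `is_count` and `naive_gate` are hypothetical, and the counts are passed in as arguments rather than read from the MEND_*_COUNT variables.

```shell
#!/bin/sh
# Added example (not from the PR): a fail-closed severity gate mirroring
# the "Fail if Critical or High ... vulnerabilities are found" steps.
# Rule: Critical or High > 0 fails; Medium and Low never fail the job.
# Unlike a bare `[ "$X" -gt 0 ]`, an unset or non-numeric count is
# treated as an error instead of silently passing the gate.

# is_count VALUE -> 0 if VALUE is a non-negative integer, 1 otherwise
is_count() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# mend_gate CRITICAL HIGH [MEDIUM] [LOW]  (hypothetical helper name)
# Exit status: 0 = pass, 1 = Critical/High found, 2 = malformed input.
# In a workflow step the MEND_*_COUNT values would be the arguments.
mend_gate() {
  critical="$1"; high="$2"; medium="${3:-0}"; low="${4:-0}"
  # Validate every count before comparing: a blank or garbage value
  # means the scan or the result parsing did not happen, so fail closed.
  for v in "$critical" "$high" "$medium" "$low"; do
    if ! is_count "$v"; then
      echo "gate: count '$v' is not a number; failing closed" >&2
      return 2
    fi
  done
  if [ "$critical" -gt 0 ] || [ "$high" -gt 0 ]; then
    echo "gate: FAIL (critical=$critical high=$high)" >&2
    return 1
  fi
  echo "gate: PASS (critical=$critical high=$high medium=$medium low=$low)"
  return 0
}

# naive_gate CRITICAL HIGH: the form used in the hunk, kept for comparison.
# With an empty count, `[` prints an error and returns 2, so the `if`
# condition is false and the gate passes even though nothing was checked.
naive_gate() {
  if [ "$1" -gt 0 ] || [ "$2" -gt 0 ]; then
    return 1
  fi
  return 0
}
```

Run `mend_gate "$MEND_SAST_CRITICAL_COUNT" "$MEND_SAST_HIGH_COUNT"` (or the SCA equivalents) in the step and `exit $?`; compare `naive_gate "" ""`, which returns 0 with only a warning on stderr, against `mend_gate "" 0`, which returns 2.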
Changes look good to me
* SDKS-3843 WebAuthn supports new response payload
* Add mend SAST scan (#474)
* SDKS-3641 Clearly define external guidelines for PRs against SDKs (#473)
* SDKS-3641 Clearly define external guidelines for PRs against SDKs
* Addressing comments from Chris and Stoyan
* SDKS-3684 Handle push device token updates (#471)
* SDKS-3684 Handle push device token updates
* SDKS-3684 Handle push device token updates
* Addressing comments from Andy
* Updating copyright, enhancing unit tests
* Minor change to align behavior with iOS implementation
* SDKS-3961 Update logic to handle push device token updates
* Fixing issue with unit tests
* SDKS-3990 Address missing error and warning exception logging. This change ensures these critical events are properly recorded. (#476)
* SDKS-3993 Avoid crash upon user returning from centralize login after app process was killed and restored. (#477)
* ForgeRock Android SDK 4.8.0 Release preparation (#475)
* ForgeRock Android SDK 4.8.0 Release preparation
* SDKS-3819 Update copyright header to reference Ping Identity and current year
* Updated changelog
---------
Co-authored-by: Rodrigo Reis <[email protected]>
* Disable Mend reports temporary (#479)
---------
Co-authored-by: Andy Witrisna <[email protected]>
Co-authored-by: Rodrigo Reis <[email protected]>
Co-authored-by: Andy Witrisna <[email protected]>
JIRA Ticket
SDKS-3771 Setup Mend SAST scan
Description
Setup Mend SAST scan.
A few notes:
- The .build directory is excluded from the scans. This is controlled by the MEND_SAST_PATH_EXCLUSIONS env variable. To modify the list we can simply change the GitHub Actions variable MEND_SAST_PATH_EXCLUSIONS here...