From 6c03ce1e4cc1cff1420b3645714b08eed1be44c3 Mon Sep 17 00:00:00 2001 From: Sina Madani Date: Mon, 25 Nov 2024 15:09:25 +0000 Subject: [PATCH] ci: Improve repo security (#551) --- .github/CODEOWNERS | 3 ++ .github/dependabot.yml | 10 +++++ .github/workflows/build.yml | 29 +++++-------- .github/workflows/codeql.yml | 42 +++++++++++++++++++ .github/workflows/publish.yml | 20 +++------ .github/workflows/scorecard.yml | 73 +++++++++++++++++++++++++++++++++ README.md | 4 +- SECURITY.md | 13 ++++++ 8 files changed, 161 insertions(+), 33 deletions(-) create mode 100644 .github/CODEOWNERS create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/scorecard.yml create mode 100644 SECURITY.md
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 000000000..9594c44ca
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,3 @@
+# Tooling Team
+* @Vonage/server-sdk
+* @SMadani
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..1d74f38a5
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+updates:
+ - package-ecosystem: "maven"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "build"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 013a47042..21d60d7fa 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
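Review bot: The second `*` rule in the new .github/CODEOWNERS shadows the first: GitHub applies the last matching pattern for a path, so with `* @Vonage/server-sdk` followed by `* @SMadani` only @SMadani is recorded as owner of every file and the team line has no effect. If both are meant to own everything, put them on a single line, `* @Vonage/server-sdk @SMadani`. Note also that CODEOWNERS only gates merges when the branch protection rule requires code-owner review, which this diff cannot show.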
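Review bot: The new dependabot.yml registers only the `maven` ecosystem, yet this same commit pins every action in .github/workflows to a commit SHA; without a `github-actions` entry nothing will ever propose bumping those hashes, so they will drift from upstream releases and miss the security fixes the pinning was meant to make auditable. Add a second update entry alongside the maven one; the `ci` commit prefix mirrors the prefix this commit itself uses.
```yaml
updates:
  # … unchanged: maven entry …
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "ci"
```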
@@ -5,21 +5,14 @@ on: - main pull_request: -permissions: - actions: write - checks: write - contents: read - deployments: read - issues: none - discussions: none - packages: none - pages: read - pull-requests: read - security-events: write - statuses: write +permissions: read-all jobs: - build_only: + compile: + permissions: + contents: read + checks: write + statuses: write runs-on: ${{ matrix.os }} strategy: fail-fast: false @@ -28,9 +21,9 @@ jobs: os: [ubuntu-latest, macos-latest, windows-latest] steps: - name: Checkout the repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b with: distribution: 'corretto' java-version: ${{ matrix.java }} @@ -47,9 +40,9 @@ jobs: os: [ubuntu-latest, macos-latest, windows-latest] steps: - name: Checkout the repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b with: distribution: 'zulu' java-version: ${{ matrix.java }} @@ -57,4 +50,4 @@ jobs: - name: Test with Maven run: mvn -e --batch-mode verify -T 1C - name: Run Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@288befbd1044bd1756afb0bdae077549e0ddb31f diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..de4cbbf9e --- /dev/null +++ b/.github/workflows/codeql.yml 
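Review bot: The SHA pins introduced in build.yml carry no version annotation, so a reader cannot tell which release `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` corresponds to, and update tooling has no tag to key on; the convention Dependabot maintains and Scorecard's Pinned-Dependencies check expects is a trailing tag comment, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` (confirm the tag against the release the hash was taken from). The same applies to the setup-java and codecov-action pins in the later hunks of this file. Separately, the `compile` job grants itself `checks: write` and `statuses: write`, but none of the steps visible in this hunk (checkout, setup-java) post checks or statuses; if the steps outside the hunk do not need them either, drop both so the job runs at `contents: read` only. The second job now inherits the workflow-level `read-all`, which looks intended.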
@@ -0,0 +1,42 @@
+name: "CodeQL"
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '35 2 * * 2'
+
+permissions: read-all
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: 'ubuntu-latest'
+ permissions:
+ # required for all workflows
+ security-events: write
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ strategy:
+ fail-fast: false
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@cbe18979603527f12c7871a6eb04833ecf1548c7
+ with:
+ languages: java-kotlin
+ build-mode: none
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@cbe18979603527f12c7871a6eb04833ecf1548c7
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5e876e2ee..becc8627f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
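Review bot: `matrix.language` is referenced in the job `name` and in the `category` passed to the analyze step, but the `strategy` block defines no `matrix`, so both expressions expand to empty: the job is titled `Analyze ()` and results are uploaded under category `/language:`, which would also collide with any language added later. Either define the matrix and drive the init step from it — `matrix:` with `language: [ java-kotlin ]` under `strategy`, and `languages: ${{ matrix.language }}` in place of the hard-coded `languages: java-kotlin` — or remove the two `matrix.language` references and use a fixed category such as `/language:java-kotlin`. `build-mode: none` is a valid choice for a Maven project but it analyses without compile-time information; a one-line comment on why autobuild was not used would help the next maintainer.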
@@ -3,29 +3,21 @@ on: release: types: [published] -permissions: - actions: write - checks: write - contents: read - deployments: read - issues: none - discussions: none - packages: write - pages: read - pull-requests: none - security-events: write - statuses: write +permissions: read-all jobs: publish: + permissions: + contents: read + packages: write runs-on: ubuntu-latest steps: - name: Checkout the repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: ref: ${{ github.event.release.target_commitish }} - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b with: java-version: 21 distribution: 'temurin' diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 000000000..d55ae4def --- /dev/null +++ b/.github/workflows/scorecard.yml 
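Review bot: The checkout in this hunk still uses `ref: ${{ github.event.release.target_commitish }}`; for a release published against an existing tag that field is normally the branch name (e.g. `main`), so the job builds whatever the branch head is at run time rather than the commit the tag points to, and the published artifact can silently include post-tag changes. Using `ref: ${{ github.event.release.tag_name }}` ties the build to the released commit. Consider also adding `persist-credentials: false` to this checkout, as scorecard.yml in the same commit does, so the GITHUB_TOKEN is not left in .git/config for the later Maven steps. The publish job's remaining steps are outside the hunk, so whether `packages: write` is still required there cannot be confirmed here.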
@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '16 23 * * 2'
+ push:
+ branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard (optional).
+ # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe
+ with:
+ sarif_file: results.sarif
diff --git a/README.md b/README.md
index 3a9fdfc08..95c20cee7 100644
--- a/README.md
+++ b/README.md
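Review bot: `github/codeql-action/upload-sarif` is pinned here to `86b04fb0e47484f7282357688f21d5d0e32175fe` while codeql.yml in the same commit pins `init` and `analyze` to `cbe18979603527f12c7871a6eb04833ecf1548c7`, so the repository now tracks two revisions of one action with no tag comment on either to show which is newer or why they differ. Pin all three to the same revision and append the tag it was taken from as a trailing `# vX.Y.Z` comment on each `uses:` line, which is also what Dependabot keeps in step when it bumps a SHA pin. Because the dependabot.yml added in this commit does not cover the `github-actions` ecosystem, this divergence will otherwise only be noticed by hand. The rest of the workflow follows the OSSF template closely, and `persist-credentials: false` on the checkout is the right call.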
@@ -3,11 +3,13 @@ ![Java](https://img.shields.io/badge/java-8%2B-red) [![Version](https://img.shields.io/maven-central/v/com.vonage/server-sdk)](https://central.sonatype.com/artifact/com.vonage/server-sdk) [![Build Status](https://github.com/Vonage/vonage-java-sdk/actions/workflows/build.yml/badge.svg)](https://github.com/Vonage/vonage-java-sdk/actions/workflows/build.yml) +![CodeQL](https://github.com/Vonage/vonage-java-sdk/actions/workflows/codeql.yml/badge.svg) [![codecov](https://codecov.io/gh/vonage/vonage-java-sdk/branch/main/graph/badge.svg)](https://codecov.io/gh/vonage/vonage-java-sdk) ![SLOC](https://sloc.xyz/github/vonage/vonage-java-sdk/) +[![Snyk](https://snyk.io/test/github/vonage/vonage-java-sdk/badge.svg)](https://snyk.io/test/github/vonage/vonage-java-sdk) +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Vonage/vonage-java-sdk/badge)](https://scorecard.dev/viewer/?uri=github.com/Vonage/vonage-kotlin-sdk) [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.1%20adopted-ff69b4.svg)](CODE_OF_CONDUCT.md) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE.txt) -[![Snyk](https://snyk.io/test/github/vonage/vonage-java-sdk/badge.svg)](https://snyk.io/test/github/vonage/vonage-java-sdk) Nexmo is now known as Vonage diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..1054594a3 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,13 @@
+# Security Policy
+Ths file describes how security issues are handled in the Vonage Java SDK.
+
+## Supported Versions
+Only the latest version of the SDK is supported. The timeline for fixing issues is within the next two releases
+of it being reported and fixed. This is to cover the scenario where an issue is reported just before or after
+a planned release, to allow time for the fix to be included in the next release.
+
+## Reporting a Vulnerability
+To report a security concern, use the "[Report a Vulnerability](https://github.com/Vonage/vonage-java-sdk/security/advisories/new)" tab.
+You can also contact the Developer Relations team directly via [email](devrel@vonage.com) for more private disclosure.
+You can also [raise an Issue](https://github.com/Vonage/vonage-java-sdk/issues/new/choose) and/or create a [Pull Request](https://github.com/Vonage/vonage-java-sdk/pulls) from your fork of the repo.
+Please include as much detail as possible, an indication of severity and, ideally, a minimal reproducible example to demonstrate the issue if possible.