ci: Add Sonarqube & Defectdojo analysis

.github/workflows/main.yml

@@ -1,7 +1,12 @@
-name: Iroha 2 main branch workflow
+name: Iroha2::Main
+
 on:
   push:
     branches: [main]
+
+env:
+  TOOLCHAIN_VER: nightly-2024-09-09
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -16,9 +21,9 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Install correct rust version
-        run: rustup install nightly-2024-09-09 && rustup component add rust-src --toolchain nightly-2024-09-09
+        run: rustup install ${{ env.TOOLCHAIN_VER }} && rustup component add rust-src --toolchain ${{ env.TOOLCHAIN_VER }}
       - name: Set toolchain
-        run: rustup default nightly-2024-09-09
+        run: rustup default ${{ env.TOOLCHAIN_VER }}
       - name: Maturin build
         run: |
           pip install maturin

.github/workflows/pr-pytests.yml

@@ -1,11 +1,15 @@
-name: Iroha 2 pull request pytests
+name: Iroha2:PR::Pytests
 
 on:
   repository_dispatch:
     types: [dispatch-event]
   pull_request:
     branches: [main]
 
+env:
+  TOOLCHAIN_VER: nightly-2024-09-09
+  IROHA_BRANCH: 2.0.0-rc.1
+
 jobs:
   pytest:
     runs-on: ubuntu-latest
@@ -22,11 +26,11 @@ jobs:
       - name: Install dependencies
         run: pip install poetry tomli-w
       - name: Checkout irohad repo code
-        run: git clone --depth 1 https://github.com/hyperledger-iroha/iroha.git -b 2.0.0-rc.1 iroha_daemon
+        run: git clone --depth 1 https://github.com/hyperledger-iroha/iroha.git -b ${{ env.IROHA_BRANCH }} iroha_daemon
       - name: Install correct rust version
-        run: rustup install nightly-2024-09-09 && rustup component add rust-src --toolchain nightly-2024-09-09
+        run: rustup install ${{ env.TOOLCHAIN_VER }} && rustup component add rust-src --toolchain ${{ env.TOOLCHAIN_VER }}
       - name: Set toolchain
-        run: rustup default nightly-2024-09-09
+        run: rustup default ${{ env.TOOLCHAIN_VER }}
       - name: Build irohad
         run: cd iroha_daemon && cargo build --release && mkdir target/debug -p && cp target/release/irohad target/debug/irohad && cp target/release/iroha target/debug/iroha
       - name: Build kagami
@@ -39,8 +43,15 @@ jobs:
                         cd iroha_daemon && scripts/test_env.py setup && cd .. &&
                         python -m venv .venv &&
                         source .venv/bin/activate &&
-                        pip install pytest faker allure-pytest &&
+                        pip install pytest faker allure-pytest pytest-cov &&
                         pip install --break-system-packages target/wheels/iroha2-*.whl &&
-                        python -m pytest tests/"
+                        python -m pytest --cov=. --cov-report xml:coverage-reports/coverage.xml tests/"
       - name: Tear down the network
+        if: always()
         run: cd iroha_daemon && scripts/test_env.py cleanup
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: report-coverage
+          path: coverage-reports/coverage.xml
+          retention-days: 1

.github/workflows/sonar-dojo.yml

@@ -0,0 +1,55 @@
+name: Iroha2::Sonar-Dojo
+
+on:
+  workflow_run:
+    workflows: ["Iroha2:PR::Pytests"]
+    types: [completed]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.actor }}
+  cancel-in-progress: true
+
+jobs:
+  sonarqube-defectdojo:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download coverage report
+        uses: actions/download-artifact@v4
+        with:
+          path: coverage-reports
+          pattern: report-coverage
+          merge-multiple: true
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run Bandit analysis
+        continue-on-error: true
+        run: | 
+          pip install bandit
+          bandit -r tests/ examples/ docs-recipes/ -f json -o bandit-report.json
+      - name: Run Pylint analysis
+        continue-on-error: true
+        run: |
+          pip install pylint
+          python -m pylint tests/ examples/ docs-recipes/ -r n --output-format=parseable > pylint-report.txt
+      - name: SonarQube
+        if: always()
+        uses: sonarsource/sonarqube-scan-action@master
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+      - name: DefectDojo
+        if: always()
+        uses: C4tWithShell/[email protected]
+        with:
+          token: ${{ secrets.DEFECTOJO_TOKEN }}
+          defectdojo_url: ${{ secrets.DEFECTOJO_URL }}
+          product_type: iroha2
+          engagement: ${{ github.ref_name }}
+          tools: "SonarQube API Import,Github Vulnerability Scan"
+          sonar_projectKey: hyperledger-iroha:iroha-python
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_repository: ${{ github.repository }}
+          product: ${{ github.repository }}
+          environment: Test
+          reports: '{"Github Vulnerability Scan": "github.json"}'

sonar-project.properties

@@ -0,0 +1,5 @@
+sonar.projectKey = hyperledger-iroha:iroha-python
+sonar.language = py
+sonar.python.coverage.reportPaths = coverage-reports/coverage.xml
+sonar.python.bandit.reportPaths = bandit-report.json
+sonar.python.pylint.reportPaths = pylint-report.txt