Add Reports to Mend Scans (#586)

* Update mend.config * Update mend_scan.yaml * Update mend.config * Update mend_scan.yaml * Update mend_scan.yaml * Update mend_scan.yaml * Update mend_scan.yaml * Update mend_scan.yaml * Add Repo name
open-component-model · Nov 23, 2023 · 21a0d66 · 21a0d66
1 parent 4252fd4
commit 21a0d66
Show file tree

Hide file tree

Showing 2 changed files with 171 additions and 12 deletions.
diff --git a/.github/workflows/mend.config b/.github/workflows/mend.config
@@ -2,7 +2,8 @@
 # WhiteSource Unified-Agent configuration file for GO
 # GENERAL SCAN MODE: Package Managers only
 ####################################################################
-
+#Configuration Reference: https://docs.mend.io/bundle/unified_agent/page/unified_agent_configuration_parameters.html#General
+
 # !!! Important for WhiteSource "DIST - *" Products:
 # Please set 
 #   checkPolicies=false
@@ -21,33 +22,38 @@ failErrorLevel=ALL
 # failBuildOnPolicyViolation:
 # If the flag is true, the Unified Agent exit code will be the result of the policy check.
 # If the flag is false, the Unified Agent exit code will be the result of the scan.
-forceUpdate.failBuildOnPolicyViolation=false
+forceUpdate.failBuildOnPolicyViolation=true
 # offline parameter is important and need to be false
 offline=false
 
 # ignoreSourceFiles parameter is important and need to be true
 # IMPORTANT: This parameter is going to be deprecated in future
 #            and will be replaced by a new parameter, fileSystemScan. 
-ignoreSourceFiles=true
+# ignoreSourceFiles=true
 # fileSystemScan parameter is important and need to be false as a 
 # replacement for ignoreSourceFiles=true and overrides the 
-# soon-to-be-deprecated ignoreSourceFiles.
-fileSystemScan=false
+# soon-to-be-deprecated ignoreSourceFiles. To scan source files, we need to enable it.
+fileSystemScan=true
 # resolveAllDependencies is important and need to be false
 resolveAllDependencies=false
 
 #wss.connectionTimeoutMinutes=60
 # URL to your WhiteSource server.
 # wss.url=https://sap.whitesourcesoftware.com/agent
-
+
+####################################################################
+# GO Configuration 
+####################################################################
+
 # resolveDependencies parameter is important and need to be true
 #if you are using 'modules' as a dependency manager, then the go.resolveDependencies is set to false.
 #For any other dependency manager, this value is set to true.
 
 go.resolveDependencies=true
 #defaut value for ignoreSourceFiles  is set to false
 # ignoreSourceFiles parameter is important and need to be true
-go.ignoreSourceFiles=true
+# To scan source files, we need to disable it.
+go.ignoreSourceFiles=false
 go.collectDependenciesAtRuntime=false
 # dependencyManager: Determines the Go dependency manager to use when scanning a Go project.
 # Valid values are 'dep', 'godep', 'vndr', 'gogradle', 'glide', 'govendor', 'gopm' and 'vgo' 
@@ -61,12 +67,13 @@ go.collectDependenciesAtRuntime=false
 #Please comment these below 4 lines that has 'go.modules' prefix if you are not using the 'modules' dependency manager.
 # Default value is true. If set to true, it resolves Go Modules dependencies.
 go.modules.resolveDependencies=true
-#default value is true. If set to true, this will ignore Go source files during the scan.
-#go.modules.ignoreSourceFiles=true
+#default value is true. If set to true, this will ignore Go source files during the scan. 
+#To scan source files, we need to disable it.
+go.modules.ignoreSourceFiles=false
 #default value is true. If set to true, removes duplicate dependencies during Go Modules dependency resolution.
 #go.modules.removeDuplicateDependencies=false
 #default value is false. if set to true, scans Go Modules project test dependencies.
-#go.modules.includeTestDependencies=true
+go.modules.includeTestDependencies=true
 ######################
 
 

diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml
@@ -3,11 +3,28 @@ name: Mend Security Scan
 on:
   schedule:
     - cron:  '0 0 * * 0'
-
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:    
+      - main
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'debug'
+        type: choice
+        options:
+        - info
+        - warning
+        - debug
 jobs:
   mend-scan:
     runs-on: ubuntu-latest
-
+    permissions:
+      pull-requests: write
     steps:
     - name: Checkout Code  
       uses: actions/checkout@v4
@@ -23,6 +40,11 @@ jobs:
       with:
         go-version-file: '${{ github.workspace }}/go.mod'
 
+    - name: 'Setup jq'
+      uses: dcarbone/[email protected]
+      with:
+        version: '1.7'
+
     - name: Download Mend Universal Agent
       run: curl https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o ./wss-unified-agent.jar
 
@@ -34,4 +56,134 @@ jobs:
         WSS_URL: ${{ secrets.MEND_URL }}
         API_KEY: ${{ secrets.MEND_API_TOKEN }}
         CONFIG_FILE: './.github/workflows/mend.config'
+
+    - name: Generate Report
+      env:
+        USER_KEY: ${{ secrets.MEND_API_USER_KEY }}
+        PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN_OCM }}
+        API_KEY: ${{ secrets.MEND_API_ORG_TOKEN }}
+        EMAIL: ${{ secrets.MEND_API_EMAIL }}
+      id: report
+      run: |
+        data=$(cat <<EOF
+        {
+            "email": "${EMAIL}",
+            "orgToken": "${API_KEY}",
+            "userKey": "${USER_KEY}"
+        }
+        EOF
+        )
+        
+        login_token=$(curl -X POST 'https://api-sap.whitesourcesoftware.com/api/v2.0/login' \
+        --header 'Content-Type: application/json' --silent \
+        --data "${data}" | jq -r .retVal.jwtToken )
+        
+        security_vulnerability=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/alerts/security?search=status%3Aequals%3AACTIVE%3Bscore%3Abetween%3A6%2C10%3B" \
+        --header 'Content-Type: application/json' --silent \
+        --header "Authorization: Bearer ${login_token}")
+        
+        major_updates_pending=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/alerts/legal?search=status%3Aequals%3AACTIVE%3BavailableVersionType%3Aequals%3AMAJOR" \
+        --header 'Content-Type: application/json' --silent \
+        --header "Authorization: Bearer ${login_token}" )
+        
+        requires_review=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3ARequires%20Review" \
+        --header 'Content-Type: application/json' --silent \
+        --header "Authorization: Bearer ${login_token}")
+        
+        high_license_risk=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?pageSize=1000" \
+        --header 'Content-Type: application/json' --silent \
+        --header "Authorization: Bearer ${login_token}")
+        
+        security_vulnerability_no=$(echo "${security_vulnerability}" | jq .additionalData.totalItems )
+        major_updates_pending_no=$(echo "${major_updates_pending}" | jq -r .additionalData.totalItems )
+        requires_review_no=$(echo "${requires_review}" |jq -r .additionalData.totalItems )
+        high_license_risk_no=$(echo "${high_license_risk}" | jq -r '.retVal[].riskScore.riskScore | select( . != null ) > 52 | select(.==true)'| wc -l )
+        
+        function print {
+          printf "############################################\n$1\n############################################\nMend Scan Tool: https://sap.whitesourcesoftware.com/Wss/WSS.html#!login \n"
+        }
         
+        function restricted_license {
+          declare -a sap_restricted_licenses=("LGPL" "GPL" "Affero%20GPL" "MPL" "CDDL" "EPL")
+          ret_val=""
+          issue_count=0
+          for key in "${!sap_restricted_licenses[@]}"; do
+            api_resp=$(curl -X GET "https://api-sap.whitesourcesoftware.com/api/v2.0/projects/${PROJECT_TOKEN}/libraries/licenses?search=license%3Aequals%3A${sap_restricted_licenses[$key]}" \
+              --header 'Content-Type: application/json' --silent \
+              --header "Authorization: Bearer ${login_token}")
+        
+            api_resp_no=$(echo "${api_resp}" | jq .additionalData.totalItems )
+            issue_count=$((issue_count+api_resp_no))
+        
+            if [[ $api_resp_no -gt 0 ]]
+            then
+              val=$(echo "${api_resp}" | jq -r .retVal[] )
+              ret_val="$ret_val$val"
+            fi
+          done
+          export VIOLATIONS_VERBOSE="${ret_val}"
+          export VIOLATIONS="${issue_count}"
+        }
+        
+        print "HIGH/CRITICAL SECURITY VULNERABILITIES: ${security_vulnerability_no}"
+        if [[ $security_vulnerability_no -gt 0 ]]
+        then
+          echo "${security_vulnerability}" | jq -r .retVal[]
+        fi
+        
+        print "MAJOR UPDATES AVAILABLE: ${major_updates_pending_no}"
+        if [[ $major_updates_pending_no -gt 0 ]]
+        then
+          echo "${major_updates_pending}" | jq -r .retVal[]
+        fi
+        
+        print "LICENSE REQUIRES REVIEW: ${requires_review_no}" "Visit the Mend UI and add correct license"
+        if [[ $requires_review_no -gt 0 ]]
+        then
+          echo "${requires_review}" | jq -r .retVal[]
+        fi
+        
+        print "LICENSE RISK HIGH: ${high_license_risk_no}"
+        if [[ high_license_risk_no -gt 0 ]]
+        then
+          echo "Visit the Mend UI and check High Risk Licenses. Understand Risk Score: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html"
+        fi
+        
+        restricted_license
+        
+        print "RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY: ${VIOLATIONS}"
+        if [[ $VIOLATIONS -gt 0 ]]
+        then
+          echo "${VIOLATIONS_VERBOSE}" | jq .
+        fi
+        
+        echo "security_vulnerability_no=$security_vulnerability_no" >> $GITHUB_OUTPUT 
+        echo "major_updates_pending_no=$major_updates_pending_no" >> $GITHUB_OUTPUT
+        echo "requires_review_no=$requires_review_no" >> $GITHUB_OUTPUT
+        echo "high_license_risk_no=$high_license_risk_no" >> $GITHUB_OUTPUT
+        echo "violations=$VIOLATIONS" >> $GITHUB_OUTPUT
+        
+        if [[ $security_vulnerability_no -gt 0 ]] || [[ $major_updates_pending_no -gt 0 ]] || [[ $requires_review_no -gt 0 ]] || [[ high_license_risk_no -gt 0 ]] || [[ violations -gt 0 ]]
+        then
+          echo "status=x" >> $GITHUB_OUTPUT
+        else 
+          echo "status=white_check_mark" >> $GITHUB_OUTPUT
+        fi
+        
+    - name: Comment Mend Status on PR
+      uses: thollander/[email protected]
+      with:
+        message: |
+          ## Mend Scan Summary: :${{ steps.report.outputs.status }}:
+          ### Repository: ${{ github.repository }}
+          | VIOLATION DESCRIPTION                        | NUMBER OF VIOLATIONS        |
+          | -------------------------------------------- | --------------------------- |
+          | HIGH/CRITICAL SECURITY VULNERABILITIES       | ${{ steps.report.outputs.security_vulnerability_no }} |
+          | MAJOR UPDATES AVAILABLE                      | ${{ steps.report.outputs.major_updates_pending_no }}  |
+          | LICENSE REQUIRES REVIEW                      | ${{ steps.report.outputs.requires_review_no }}        |
+          | LICENSE RISK HIGH                            | ${{ steps.report.outputs.high_license_risk_no }}      |
+          | RESTRICTIED LICENSE FOR ON-PREMISE DELIVERY  | ${{ steps.report.outputs.VIOLATIONS }}                |
+          
+          [Detailed Logs: mend-scan-> Generate Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
+          [Mend UI](https://sap.whitesourcesoftware.com/Wss/WSS.html#!login)
+        comment_tag: tag_mend_scan