From 96b534a0fd8d71dd0ba7eeaae679f331e00b3aeb Mon Sep 17 00:00:00 2001 From: Chris Breiding Date: Wed, 30 Aug 2023 11:29:33 -0400 Subject: [PATCH 1/4] chore: change how tsconfig is aliased in webpack-batteries-included-preprocessor --- npm/webpack-batteries-included-preprocessor/index.js | 4 ++-- npm/webpack-batteries-included-preprocessor/package.json | 2 +- yarn.lock | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/npm/webpack-batteries-included-preprocessor/index.js b/npm/webpack-batteries-included-preprocessor/index.js index 604889973222..28126d1dab83 100644 --- a/npm/webpack-batteries-included-preprocessor/index.js +++ b/npm/webpack-batteries-included-preprocessor/index.js @@ -27,8 +27,8 @@ const addTypeScriptConfig = (file, options) => { const TsconfigPathsPlugin = require('tsconfig-paths-webpack-plugin') // node will try to load a projects tsconfig.json instead of the node - // package using require('tsconfig'), so we alias it as 'tsconfig-package' - const configFile = require('tsconfig-package').findSync(path.dirname(file.filePath)) + // package using require('tsconfig'), so we alias it as 'tsconfig-aliased-for-wbip' + const configFile = require('tsconfig-aliased-for-wbip').findSync(path.dirname(file.filePath)) webpackOptions.module.rules.push({ test: /\.tsx?$/, diff --git a/npm/webpack-batteries-included-preprocessor/package.json b/npm/webpack-batteries-included-preprocessor/package.json index 101153b9a6fb..2a9698d7cdfc 100644 --- a/npm/webpack-batteries-included-preprocessor/package.json +++ b/npm/webpack-batteries-included-preprocessor/package.json @@ -37,7 +37,7 @@ "stream-http": "^3.2.0", "timers-browserify": "^2.0.12", "ts-loader": "9.4.4", - "tsconfig-package": "npm:tsconfig@^7.0.0", + "tsconfig-aliased-for-wbip": "npm:tsconfig@^7.0.0", "tsconfig-paths-webpack-plugin": "^3.5.2", "tty-browserify": "^0.0.1", "url": "^0.11.1", diff --git a/yarn.lock b/yarn.lock index 488688f2672f..ad00c41d7d45 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -28700,7 +28700,7 @@ ts-pnp@^1.1.6: resolved "https://registry.yarnpkg.com/ts-pnp/-/ts-pnp-1.1.6.tgz#389a24396d425a0d3162e96d2b4638900fdc289a" integrity sha512-CrG5GqAAzMT7144Cl+UIFP7mz/iIhiy+xQ6GGcnjTezhALT02uPMRw7tgDSESgB5MsfKt55+GPWw4ir1kVtMIQ== -"tsconfig-package@npm:tsconfig@^7.0.0": +"tsconfig-aliased-for-wbip@npm:tsconfig@^7.0.0": version "7.0.0" resolved "https://registry.yarnpkg.com/tsconfig/-/tsconfig-7.0.0.tgz#84538875a4dc216e5c4a5432b3a4dec3d54e91b7" integrity sha512-vZXmzPrL+EmC4T/4rVlT2jNVMWCi/O4DIiSj3UHg1OE5kCKbk4mfrXc6dZksLgRM/TZlKnousKH9bbTazUWRRw== From 26f592dbbad3a5dbd7b53d5179f56dac5ca9a8fb Mon Sep 17 00:00:00 2001 From: Chris Breiding Date: Wed, 30 Aug 2023 13:55:00 -0400 Subject: [PATCH 2/4] use --target-reference so snyk analyzes current branch --- .github/workflows/snyk_sca_scan.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/snyk_sca_scan.yaml b/.github/workflows/snyk_sca_scan.yaml index d729b0413694..41873eaec768 100644 --- a/.github/workflows/snyk_sca_scan.yaml +++ b/.github/workflows/snyk_sca_scan.yaml 
@@ -1,15 +1,15 @@ name: Snyk Software Composition Analysis Scan -# This git workflow leverages Snyk actions to perform a Software Composition +# This git workflow leverages Snyk actions to perform a Software Composition # Analysis scan on our Opensource libraries upon Pull Requests to the -# "develop" branch. We use this as a control to prevent vulnerable packages -# from being introduced into the codebase. +# "develop" branch. We use this as a control to prevent vulnerable packages +# from being introduced into the codebase. # Enhancements were made to this action to build the yarn packages to reduce -# Snyk scan errors that were complaining about the yarn.locks etc. Also +# Snyk scan errors that were complaining about the yarn.locks etc. Also # implemented PAT token for actions to resolve an issue with the action not # running and reporting back to the PR status checks on: pull_request_target: - branches: + branches: - develop jobs: Snyk_SCA_Scan: @@ -38,6 +38,6 @@ jobs: - name: Perform SCA Scan continue-on-error: false run: | - snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=system-tests,tooling,docker,Dockerfile --severity-threshold=critical + snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=system-tests,tooling,docker,Dockerfile --severity-threshold=critical--target-reference="$(git branch --show-current)" env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} From 847f2c652fe15eb2b74e6eb2119ecd6391b0ef74 Mon Sep 17 00:00:00 2001 From: Chris Breiding Date: Wed, 30 Aug 2023 14:08:08 -0400 Subject: [PATCH 3/4] fix missing space --- .github/workflows/snyk_sca_scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk_sca_scan.yaml b/.github/workflows/snyk_sca_scan.yaml index 41873eaec768..5aed36c4d1d2 100644 --- a/.github/workflows/snyk_sca_scan.yaml +++ b/.github/workflows/snyk_sca_scan.yaml 
@@ -38,6 +38,6 @@ jobs: - name: Perform SCA Scan continue-on-error: false run: | - snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=system-tests,tooling,docker,Dockerfile --severity-threshold=critical--target-reference="$(git branch --show-current)" + snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=system-tests,tooling,docker,Dockerfile --severity-threshold=critical --target-reference="$(git branch --show-current)" env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} From 852dd3b1dc6d4a27a4630ca50f37533eed0149d2 Mon Sep 17 00:00:00 2001 From: Chris Breiding Date: Thu, 31 Aug 2023 09:11:39 -0400 Subject: [PATCH 4/4] use pull_request instead of pull_request_target for snyk actions --- .github/workflows/snyk_sca_scan.yaml | 4 ++-- .github/workflows/snyk_static_analysis_scan.yaml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/snyk_sca_scan.yaml b/.github/workflows/snyk_sca_scan.yaml index 5aed36c4d1d2..0c7823a5a1fc 100644 --- a/.github/workflows/snyk_sca_scan.yaml +++ b/.github/workflows/snyk_sca_scan.yaml @@ -8,7 +8,7 @@ name: Snyk Software Composition Analysis Scan # implemented PAT token for actions to resolve an issue with the action not # running and reporting back to the PR status checks on: - pull_request_target: + pull_request: branches: - develop jobs: @@ -38,6 +38,6 @@ jobs: - name: Perform SCA Scan continue-on-error: false run: | - snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=system-tests,tooling,docker,Dockerfile --severity-threshold=critical --target-reference="$(git branch --show-current)" + snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=system-tests,tooling,docker,Dockerfile --severity-threshold=critical env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 
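Review bot: The file's header comment, still saying a PAT token was "implemented for actions to resolve an issue with the action not running and reporting back to the PR status checks", is left stale by the switch from `pull_request_target` to `pull_request` in the first hunk of this file, and the reason for the switch is recorded nowhere in the file. `pull_request_target` runs with the base repository's secrets and, by default, a write-capable token, so building and scanning the PR's own code under it (the comment above says the yarn packages are built before the scan) lets an untrusted PR exfiltrate `SNYK_TOKEN` and the PAT; that is the point worth writing down. Suggest replacing the last two comment sentences with `# Triggered on pull_request rather than pull_request_target: PR code is built and scanned here and must never run with base-repository secrets or a write token.` If the checkout step (outside this hunk) still passes the PAT, it should be dropped along with the trigger, since the fork-PR status-check workaround it served no longer applies.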
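Review bot: `SNYK_TOKEN` is read from `secrets` on the line after the restored `snyk test` command, but under the `pull_request` trigger a PR opened from a fork receives no repository secrets, so the token is empty, `snyk test` fails to authenticate, and with `continue-on-error: false` every fork PR is blocked for a reason unrelated to its dependencies. Either gate the job on same-repository PRs, `if: github.event.pull_request.head.repo.full_name == github.repository`, and document that fork PRs get no SCA gate until a maintainer pushes the branch, or move the scan to a separate trusted workflow that does not execute PR code. The job's checkout and build steps sit outside this hunk, so I can't see whether they would need the same guard.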
diff --git a/.github/workflows/snyk_static_analysis_scan.yaml b/.github/workflows/snyk_static_analysis_scan.yaml index 4908fcb98c86..b5a983397f7f 100644 --- a/.github/workflows/snyk_static_analysis_scan.yaml +++ b/.github/workflows/snyk_static_analysis_scan.yaml @@ -1,11 +1,11 @@ name: Snyk Static Analysis Scan -# This git workflow leverages Snyk actions to perform a Static Application +# This git workflow leverages Snyk actions to perform a Static Application # Testing scan (SAST) on our first-party code upon Pull Requests to the -# "develop" branch. We use this as a control to prevent vulnerabilities -# from being introduced into the codebase. +# "develop" branch. We use this as a control to prevent vulnerabilities +# from being introduced into the codebase. on: - pull_request_target: - branches: + pull_request: + branches: - develop jobs: Snyk_SAST_Scan :
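Review bot: The switch to `pull_request` in `snyk_static_analysis_scan.yaml` is the right control against running untrusted PR code with base-repository secrets, but nothing in the updated header records that rationale, and the next person who hits a fork PR with missing secrets may revert it. Suggest adding below the existing comment: `# Deliberately pull_request, not pull_request_target: this job runs on the PR's own code and must not do so with base-repository secrets or a write token.` If the job body (outside this hunk) authenticates with `SNYK_TOKEN` the way the SCA workflow does, fork PRs will run with an empty token and the job needs a same-repository guard such as `if: github.event.pull_request.head.repo.full_name == github.repository`; I can't confirm that from the visible lines.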