Trivy, CodeQL and Dependabot integration (#601)

* Automated code scanning using CodeQL * Trivy repository scan configuration * Test directory creation * Configure Fixed Java Version 👷 * Update GA Workflow Config File - Configure cancellation for any previous Workflow runs * Add Submodule Recursion CI Repository Checkout 👷 - Fixes error where properties file not found in the CI Pipeline * Fix Unit Tests ✅ * Adjust cronjobednesday to run every Mon and Wed * Update trivy-repo-scan configuration * Upgrade Dependencies ⬆️ (#604) * Bump up Postgres version⬆️ * Upgrade Spring Core version ⬆️ * Trivy, CodeQL and Dependabot security scanning configurations Signed-off-by: Bonface Shisakha Asunga <basunga@ona.io> * Update Trivy scanning configuration Signed-off-by: Bonface Shisakha Asunga <basunga@ona.io> * Update Trivy and CodeQL configuration Signed-off-by: Bonface Shisakha Asunga <basunga@ona.io> * Update dependencies * Add Corresponding Hashcode Override - Add Hashcode override to StrutureDetails class - Add missing checks in Java Equals contract for override - Unit tests * Add scanning on v2 branches as well as modify scanning strategy to all PRs and push to `master` and `v2` branches Signed-off-by: Bonface Shisakha Asunga <basunga@ona.io> * Modify name of the Trivy repo scan Signed-off-by: Bonface Shisakha Asunga <basunga@ona.io> * Harmonize jackson-versions * Upgrade org.postgresql:postgresql version to 42.5.0 * Reduce number of reviewers * Update dependabot configurations * Limit CodeQL analysis to v2 and master branches Signed-off-by: Bonface Shisakha Asunga <basunga@ona.io> Co-authored-by: Martin Ndegwa <mndegwa@ona.io> Co-authored-by: Martin Ndegwa <ndegwamartin@users.noreply.github.com> Co-authored-by: Ephraim Kigamba <ekigamba@ona.io>
opensrp · Jan 19, 2023 · a67adbe · a67adbe
1 parent 3d1246a
commit a67adbe
Show file tree

Hide file tree

Showing 8 changed files with 258 additions and 10 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+  # Keep maven dependencies up-to-date
+  - package-ecosystem: maven
+    # Look for `pom.xml`  in the `root` directory
+    directory: "/"
+    # Check the maven registry for updates every day (weekdays)
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 0
+    target-branch: "master"    
+    # Raise all maven pull requests with custom labels
+    labels:
+      - "dependencies"
+    reviewers:
+      - "hilpitome"
+      - "ekigamba"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,73 @@
+
+name: "CodeQL Repository scan"
+
+on:
+  push:
+    branches:
+      - master
+      - v2
+  pull_request:      
+  schedule:
+    - cron: '0 3 * * 1,3'     # CodeQL Scan every Monday and Wednesday at 3 AM UTC
+  # wokflow_dispatch option enables for manual scanning
+  workflow_dispatch:
+
+
+jobs:
+  analyze:
+    name: Analyze 
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+
+    steps:
+    - name: Cancel previous workflow runs
+      uses: styfle/cancel-workflow-action@0.9.1
+      with:
+        access_token: ${{ github.token }} 
+
+    - name: Checkout repository
+      uses: actions/checkout@v3
+      with:
+       submodules: recursive
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        queries: security-and-quality
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    - name: Autobuild Java Code
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/trivy-repo-scan.yml b/.github/workflows/trivy-repo-scan.yml
@@ -0,0 +1,130 @@
+name: Trivy Security Scan on repository
+on:
+  push:
+    branches:
+      - master
+      - v2
+  pull_request:    
+  schedule:
+    - cron: '0 3 * * 1,3'   # CodeQL Scan every Monday and Wednesday at 3 AM UTC
+  # Below is for manual scanning
+  workflow_dispatch:
+
+env:
+  FULL_SUMMARY: ""
+  PATCH_SUMMARY: ""
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Cancel previous workflow runs
+        uses: styfle/cancel-workflow-action@0.9.1
+        with:
+          access_token: ${{ github.token }} 
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode - SARIF
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-repo-results.sarif'          
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-repo-results.sarif'
+
+      - name: Run Trivy vulnerability scanner in repo mode - JSON (Full)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'json'
+          output: 'trivy-repo-full-results.json'
+
+      - name: Create summary of trivy issues on Repository Full scan
+        run: |
+          summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-full-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+          if [ -z $summary ]
+          then
+            summary="No vulnerabilities found"
+          fi
+          echo "FULL_SUMMARY=$summary" >> $GITHUB_ENV
+
+      - name: Run Trivy vulnerability scanner in repo mode - JSON (with Patches)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'json'
+          output: 'trivy-repo-fixable-results.json'
+
+      - name: Create summary of trivy issues on Repository scan
+        run: |
+          summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-fixable-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+          if [ -z $summary ]
+          then
+            summary="No issues or vulnerability fixes available"
+          fi
+          echo "PATCH_SUMMARY=$summary" >> $GITHUB_ENV
+      
+      - name: Generate trivy HTML report on Repository for download
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'template'
+          template: '@/contrib/html.tpl'
+          output: 'trivy-repo-report.html'
+
+      - name: Upload Trivy results as an artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: "trivy-repo-report.html"
+          path: './trivy-repo-report.html'
+          retention-days: 30
+
+      - name: Send Slack Notification
+        uses: slackapi/slack-github-action@v1.23.0
+        with:
+          payload: |
+            {
+              "text": "Trivy scan results for ${{ github.repository }} repository",
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "TRIVY REPO SCAN RESULTS FOR ${{ github.repository }} REPOSITORY"
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "   Total Vulnerabilities: ${{ env.FULL_SUMMARY }}"
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "   Vulnerabilities with fixes: ${{ env.PATCH_SUMMARY }}"
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "   View HTML result artifact: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}. Artifact is only valid for 30 days."
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
diff --git a/pom.xml b/pom.xml
@@ -12,7 +12,7 @@
 
 	<properties>
 		<main.basedir>${project.basedir}</main.basedir>
-		<spring.version>5.2.20.RELEASE</spring.version>
+		<spring.version>5.2.22.RELEASE</spring.version>
 		<spring.data.version>2.2.13.RELEASE</spring.data.version>
 		<spring.security.version>5.5.7</spring.security.version>
 		<mybatis.version>3.5.7</mybatis.version>
@@ -95,7 +95,7 @@
 		<dependency>
 			<groupId>com.aliyun.oss</groupId>
 			<artifactId>aliyun-sdk-oss</artifactId>
-			<version>3.14.0</version>
+			<version>3.15.2</version>
 		</dependency>
 
 		<dependency>
@@ -115,7 +115,7 @@
 		<dependency>
 			<groupId>com.amazonaws</groupId>
 			<artifactId>aws-java-sdk</artifactId>
-			<version>1.12.142</version>
+			<version>1.12.322</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework</groupId>
@@ -195,7 +195,7 @@
 		<dependency>
 			<groupId>org.apache.poi</groupId>
 			<artifactId>poi</artifactId>
-			<version>4.1.2</version>
+			<version>5.2.3</version>
 		</dependency>
 		<dependency>
 			<groupId>ch.maxant</groupId>
@@ -275,7 +275,7 @@
 		<dependency>
 			<groupId>org.postgresql</groupId>
 			<artifactId>postgresql</artifactId>
-			<version>42.2.25.jre7</version>
+			<version>42.5.0</version>
 		</dependency>
 		<!-- https://mvnrepository.com/artifact/org.json/json -->
 		<dependency>
@@ -323,7 +323,7 @@
 		<dependency>
 			<groupId>com.jayway.jsonpath</groupId>
 			<artifactId>json-path</artifactId>
-			<version>2.4.0</version>
+			<version>2.7.0</version>
 		</dependency>
 		  <dependency>
 			<groupId>org.apache.logging.log4j</groupId>

diff --git a/src/main/java/org/opensrp/domain/StructureDetails.java b/src/main/java/org/opensrp/domain/StructureDetails.java
@@ -1,6 +1,7 @@
 package org.opensrp.domain;
 
 import java.util.HashSet;
+import java.util.Objects;
 import java.util.Set;
 
 public class StructureDetails {
@@ -62,8 +63,17 @@ public void setFamilyMembers(Set<String> familyMembers) {
 		this.familyMembers = familyMembers;
 	}
 
+	@Override
+	public int hashCode() {
+		return Objects.hash(structureId);
+	}
+
 	@Override
 	public boolean equals(Object obj) {
+		if (obj == null)
+		return false;
+		if (obj == this)
+			return true;
 		if (!(obj instanceof StructureDetails))
 			return false;
 		StructureDetails other = (StructureDetails) obj;

diff --git a/src/test/java/org/opensrp/domain/StructureDetailsTest.java b/src/test/java/org/opensrp/domain/StructureDetailsTest.java
@@ -108,7 +108,26 @@ public void testEquals() {
 
 		StructureDetails structureDetails2 = new StructureDetails(structureId, "structure-parent-id", "structure");
 		structureDetails = new StructureDetails(structureId, "structure-parent-id", "structure");
-		
+
 		Assert.assertEquals(structureDetails, structureDetails2);
 	}
+
+	@Test
+	public void testEqualsWithNullCompared() {
+		String structureId = "structure-id";
+		StructureDetails structureDetails = null;
+		StructureDetails structureDetails2 = new StructureDetails(structureId, "structure-parent-id", "structure");
+
+		Assert.assertFalse(structureDetails2.equals(structureDetails));
+	}
+
+	@Test
+	public void testHashcodeEquivalenceForSameStructureId() {
+		String structureId = "structure-id";
+
+		StructureDetails structureDetails2 = new StructureDetails(structureId, "structure-parent-id", "structure");
+		structureDetails = new StructureDetails(structureId, "structure-parent-id", "structure");
+
+		Assert.assertEquals(structureDetails.hashCode(), structureDetails2.hashCode());
+	}
 }
diff --git a/src/test/java/org/opensrp/repository/postgres/OrganizationRepositoryTest.java b/src/test/java/org/opensrp/repository/postgres/OrganizationRepositoryTest.java
@@ -377,7 +377,7 @@ public void testFindAssignedLocationsMutipleIds() {
 		assertEquals("7f2ae03f-9569-5535-918c-9d976b3ae5f8", assignedLocations.get(0).getPlanId());
 		assertEquals("2019-09-10", dateFormat.format(assignedLocations.get(0).getFromDate()));
 		assertEquals("2030-09-10", dateFormat.format(assignedLocations.get(0).getToDate()));
-		
+
 		assignedLocations = organizationRepository.findAssignedLocations(Arrays.asList(1l, 2l), true);
 		assertEquals(3, assignedLocations.size());
 	}

diff --git a/src/test/resources/test-scripts/organization.sql b/src/test/resources/test-scripts/organization.sql
@@ -23,7 +23,6 @@ INSERT INTO core.plan (identifier, json, date_deleted, server_version, id) VALUE
 INSERT INTO core.plan (identifier, json, date_deleted, server_version, id) VALUES ('9d1403a5-756d-517b-91d6-5b19059a69f0', '{}', null, 1567765433007, 11);
 INSERT INTO core.plan (identifier, json, date_deleted, server_version, id) VALUES ('7f2ae03f-9569-5535-918c-9d976b3ae5f8', '{}', null, 1567765433007, 294);
 
-
 INSERT INTO team.organization_location (id, organization_id, location_id, plan_id, from_date, to_date,duration) VALUES (1, 1, 2243, 162, '2019-09-10 17:29:55.059000', '2030-09-10 17:29:55.059000',daterange('2019-09-10','2030-09-10'));
 INSERT INTO team.organization_location (id, organization_id, location_id, plan_id, from_date, to_date,duration) VALUES (2, 1, 2243, 11, '2019-09-10 17:29:55.059000', '2030-09-10 17:29:55.059000',daterange('2019-09-10','2030-09-10'));
-INSERT INTO team.organization_location (id, organization_id, location_id, plan_id, from_date, to_date,duration) VALUES (3, 2, 2243, 294, '2019-09-10 17:29:55.059000', '2030-09-10 17:29:55.059000',daterange('2019-09-10','2030-09-10'));
+INSERT INTO team.organization_location (id, organization_id, location_id, plan_id, from_date, to_date,duration) VALUES (3, 2, 2243, 294, '2019-09-10 17:29:55.059000', '2030-09-10 17:29:55.059000',daterange('2019-09-10','2030-09-10'));