Merge pull request #187 from DataDog/anmarchenko/setup_static_analysi…

…s_and_sca

add Datadog static analysis

.github/workflows/add-milestone-to-pull-requests.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: Checkout code
         # Checks out the branch that the pull request is merged into
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.base.ref }}
 

.github/workflows/build-gem.yml

@@ -28,9 +28,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@31a7f6d628878b80bc63375a93ae079ec50a1601 # v1.143.0
+      - uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '3.2'
+          ruby-version: '3.3'
           bundler-cache: true # runs 'bundle install' and caches installed gems automatically
       - name: Patch version
         if: ${{ matrix.type != 'final' }}
@@ -120,9 +120,9 @@ jobs:
       - name: List gem
         run: |
           find pkg
-      - uses: ruby/setup-ruby@31a7f6d628878b80bc63375a93ae079ec50a1601 # v1.143.0
+      - uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '3.2'
+          ruby-version: '3.3'
       - name: Install gem
         run: |
           gem install pkg/*.gem

.github/workflows/check.yml

@@ -11,9 +11,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@31a7f6d628878b80bc63375a93ae079ec50a1601 # v1.143.0
+      - uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '3.2'
+          ruby-version: '3.3'
           bundler-cache: true # runs 'bundle install' and caches installed gems automatically
       - name: Check for stale signature files
         run: bundle exec rake rbs:stale

.github/workflows/datadog-sca.yml

@@ -0,0 +1,25 @@
+on: [push]
+
+name: Datadog Software Composition Analysis
+
+jobs:
+  software-composition-analysis:
+    runs-on: ubuntu-latest
+    name: Datadog SBOM Generation and Upload
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+          ruby-version: '3.3'
+      - name: Check imported libraries are secure and compliant
+        id: datadog-software-composition-analysis
+        uses: DataDog/datadog-sca-github-action@main
+        with:
+          dd_api_key: ${{ secrets.DD_API_KEY }}
+          dd_app_key: ${{ secrets.DD_APP_KEY }}
+          dd_service: my-app
+          dd_env: ci
+          dd_site: datadoghq.com

.github/workflows/datadog-static-analysis.yml

@@ -0,0 +1,21 @@
+on: [push]
+
+name: Datadog Static Analysis
+
+jobs:
+  static-analysis:
+    runs-on: ubuntu-latest
+    name: Datadog Static Analyzer
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Check code meets quality and security standards
+        id: datadog-static-analysis
+        uses: DataDog/datadog-static-analyzer-github-action@v1
+        with:
+          dd_api_key: ${{ secrets.DD_API_KEY }}
+          dd_app_key: ${{ secrets.DD_APP_KEY }}
+          dd_service: datadog-ci-rb
+          dd_env: ci
+          dd_site: datadoghq.com
+          cpu_count: 2

.github/workflows/publish.yml

@@ -21,5 +21,5 @@ jobs:
         uses: ruby/setup-ruby@v1
         with:
           bundler-cache: true
-          ruby-version: '3.2.4'
+          ruby-version: '3.3'
       - uses: rubygems/release-gem@v1

.github/workflows/yard.yml

@@ -30,7 +30,7 @@ jobs:
         uses: actions/checkout@v4
       - uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '3.2'
+          ruby-version: '3.3'
           bundler-cache: true
       - name: Generate YARD documentation
         run: bundle exec rake docs

Appraisals

@@ -3,27 +3,19 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 module DisableBundleCheck
   def check_command
-    ["bundle", "exec", "false"]
+    %w[bundle exec false]
   end
 end
 
-if ["true", "y", "yes", "1"].include?(ENV["APPRAISAL_SKIP_BUNDLE_CHECK"])
+if %w[true y yes 1].include?(ENV["APPRAISAL_SKIP_BUNDLE_CHECK"])
   ::Appraisal::Appraisal.prepend(DisableBundleCheck)
 end
 
 alias original_appraise appraise
 
 REMOVED_GEMS = {
-  check: [
-    "rbs",
-    "steep"
-  ],
-  development: [
-    "ruby-lsp",
-    "ruby-lsp-rspec",
-    "debug",
-    "irb"
-  ]
+  check: %w[rbs steep],
+  development: %w[ruby-lsp ruby-lsp-rspec debug irb]
 }
 
 def appraise(group, &block)

lib/datadog/ci/codeowners/matcher.rb

@@ -87,7 +87,7 @@ def expand_pattern(pattern)
           return pattern if pattern == "*"
 
           # if pattern ends with a slash then it matches everything deeply nested in this directory
-          pattern += "**" if pattern.end_with?(::File::SEPARATOR)
+          pattern << "**" if pattern.end_with?(::File::SEPARATOR)
 
           # if pattern doesn't start with a slash then it matches anywhere in the repository
           if !pattern.start_with?(::File::SEPARATOR, "**#{::File::SEPARATOR}", "*#{::File::SEPARATOR}")

lib/datadog/ci/codeowners/parser.rb

@@ -8,11 +8,11 @@ module Codeowners
       # Responsible for parsing a CODEOWNERS file
       class Parser
         DEFAULT_LOCATION = "CODEOWNERS"
-        POSSIBLE_CODEOWNERS_LOCATIONS = [
-          "CODEOWNERS",
-          ".github/CODEOWNERS",
-          ".gitlab/CODEOWNERS",
-          "docs/CODEOWNERS"
+        POSSIBLE_CODEOWNERS_LOCATIONS = %w[
+          CODEOWNERS
+          .github/CODEOWNERS
+          .gitlab/CODEOWNERS
+          docs/CODEOWNERS
         ].freeze
 
         def initialize(root_file_path)

lib/datadog/ci/contrib/cucumber/formatter.rb

@@ -187,7 +187,7 @@ def extract_parameters_hash(test_case)
           def ok?(result, strict)
             # in minor update in Cucumber 9.2.0, the arity of the `ok?` method changed
             parameters = result.method(:ok?).parameters
-            if parameters == [[:opt, :be_strict]]
+            if parameters == [%i[opt be_strict]]
               result.ok?(strict)
             else
               result.ok?(strict: strict)

lib/datadog/ci/contrib/rspec/example.rb

@@ -23,7 +23,7 @@ def run(*args)
               test_name = full_description.strip
               if metadata[:description].empty?
                 # for unnamed it blocks this appends something like "example at ./spec/some_spec.rb:10"
-                test_name += " #{description}"
+                test_name << " #{description}"
               end
 
               test_suite_description = fetch_top_level_example_group[:description]
@@ -33,7 +33,7 @@ def run(*args)
               test_name = test_name.sub(test_suite_description, "").strip
 
               if ci_queue?
-                suite_name += " (ci-queue running example [#{test_name}])"
+                suite_name = "#{suite_name} (ci-queue running example [#{test_name}])"
                 test_suite_span = CI.start_test_suite(suite_name)
               end
 
@@ -83,9 +83,12 @@ def run(*args)
             private
 
             def fetch_top_level_example_group
-              return metadata[:example_group] unless metadata[:example_group][:parent_example_group]
+              example_group = metadata[:example_group]
+              parent_example_group = example_group[:parent_example_group]
 
-              res = metadata[:example_group][:parent_example_group]
+              return example_group unless parent_example_group
+
+              res = parent_example_group
               while (parent = res[:parent_example_group])
                 res = parent
               end

lib/datadog/ci/ext/environment.rb

@@ -23,10 +23,7 @@ module Environment
         TAG_NODE_NAME = "ci.node.name"
         TAG_CI_ENV_VARS = "_dd.ci.env_vars"
 
-        POSSIBLE_BUNDLE_LOCATIONS = [
-          "vendor/bundle",
-          ".bundle"
-        ].freeze
+        POSSIBLE_BUNDLE_LOCATIONS = %w[vendor/bundle .bundle].freeze
 
         module_function
 

lib/datadog/ci/ext/environment/providers/gitlab.rb

@@ -75,12 +75,12 @@ def git_tag
             end
 
             def git_commit_author_name
-              name, _ = extract_name_email
+              name, _email = extract_name_email
               name
             end
 
             def git_commit_author_email
-              _, email = extract_name_email
+              _name, email = extract_name_email
               email
             end
 

lib/datadog/ci/ext/settings.rb

@@ -15,13 +15,13 @@ module Settings
         ENV_ITR_CODE_COVERAGE_EXCLUDED_BUNDLE_PATH = "DD_CIVISIBILITY_ITR_CODE_COVERAGE_EXCLUDED_BUNDLE_PATH"
 
         # Source: https://docs.datadoghq.com/getting_started/site/
-        DD_SITE_ALLOWLIST = [
-          "datadoghq.com",
-          "us3.datadoghq.com",
-          "us5.datadoghq.com",
-          "datadoghq.eu",
-          "ddog-gov.com",
-          "ap1.datadoghq.com"
+        DD_SITE_ALLOWLIST = %w[
+          datadoghq.com
+          us3.datadoghq.com
+          us5.datadoghq.com
+          datadoghq.eu
+          ddog-gov.com
+          ap1.datadoghq.com
         ].freeze
       end
     end

lib/datadog/ci/itr/coverage/event.rb

@@ -21,7 +21,7 @@ def initialize(test_id:, test_suite_id:, test_session_id:, coverage:)
           def valid?
             valid = true
 
-            [:test_id, :test_suite_id, :test_session_id, :coverage].each do |key|
+            %i[test_id test_suite_id test_session_id coverage].each do |key|
               next unless send(key).nil?
 
               Datadog.logger.warn("citestcov event is invalid: [#{key}] is nil. Event: #{self}")

lib/datadog/ci/test_visibility/serializers/base.rb

@@ -20,13 +20,7 @@ class Base
             "type" => "span_type"
           ].freeze
 
-          REQUIRED_FIELDS = [
-            "error",
-            "name",
-            "resource",
-            "start",
-            "duration"
-          ].freeze
+          REQUIRED_FIELDS = %w[error name resource start duration].freeze
 
           attr_reader :trace, :span, :meta, :options
 

lib/datadog/ci/test_visibility/serializers/span.rb

@@ -7,11 +7,11 @@ module CI
     module TestVisibility
       module Serializers
         class Span < Base
-          CONTENT_FIELDS = (["trace_id", "span_id", "parent_id"] + Base::CONTENT_FIELDS).freeze
+          CONTENT_FIELDS = (%w[trace_id span_id parent_id] + Base::CONTENT_FIELDS).freeze
 
           CONTENT_MAP_SIZE = calculate_content_map_size(CONTENT_FIELDS)
 
-          REQUIRED_FIELDS = (["trace_id", "span_id"] + Base::REQUIRED_FIELDS).freeze
+          REQUIRED_FIELDS = (%w[trace_id span_id] + Base::REQUIRED_FIELDS).freeze
 
           def content_fields
             CONTENT_FIELDS

lib/datadog/ci/test_visibility/serializers/test_module.rb

@@ -8,11 +8,11 @@ module CI
     module TestVisibility
       module Serializers
         class TestModule < Base
-          CONTENT_FIELDS = (["test_session_id", "test_module_id"] + Base::CONTENT_FIELDS).freeze
+          CONTENT_FIELDS = (%w[test_session_id test_module_id] + Base::CONTENT_FIELDS).freeze
 
           CONTENT_MAP_SIZE = calculate_content_map_size(CONTENT_FIELDS)
 
-          REQUIRED_FIELDS = (["test_session_id", "test_module_id"] + Base::REQUIRED_FIELDS).freeze
+          REQUIRED_FIELDS = (%w[test_session_id test_module_id] + Base::REQUIRED_FIELDS).freeze
 
           def content_fields
             CONTENT_FIELDS

lib/datadog/ci/test_visibility/serializers/test_session.rb

@@ -8,11 +8,11 @@ module CI
     module TestVisibility
       module Serializers
         class TestSession < Base
-          CONTENT_FIELDS = (["test_session_id"] + Base::CONTENT_FIELDS).freeze
+          CONTENT_FIELDS = (%w[test_session_id] + Base::CONTENT_FIELDS).freeze
 
           CONTENT_MAP_SIZE = calculate_content_map_size(CONTENT_FIELDS)
 
-          REQUIRED_FIELDS = (["test_session_id"] + Base::REQUIRED_FIELDS).freeze
+          REQUIRED_FIELDS = (%w[test_session_id] + Base::REQUIRED_FIELDS).freeze
 
           def content_fields
             CONTENT_FIELDS

lib/datadog/ci/test_visibility/serializers/test_suite.rb

@@ -8,11 +8,11 @@ module CI
     module TestVisibility
       module Serializers
         class TestSuite < Base
-          CONTENT_FIELDS = (["test_session_id", "test_module_id", "test_suite_id"] + Base::CONTENT_FIELDS).freeze
+          CONTENT_FIELDS = (%w[test_session_id test_module_id test_suite_id] + Base::CONTENT_FIELDS).freeze
 
           CONTENT_MAP_SIZE = calculate_content_map_size(CONTENT_FIELDS)
 
-          REQUIRED_FIELDS = (["test_session_id", "test_module_id", "test_suite_id"] + Base::REQUIRED_FIELDS).freeze
+          REQUIRED_FIELDS = (%w[test_session_id test_module_id test_suite_id] + Base::REQUIRED_FIELDS).freeze
 
           def content_fields
             CONTENT_FIELDS

lib/datadog/ci/test_visibility/serializers/test_v1.rb

@@ -8,11 +8,11 @@ module CI
     module TestVisibility
       module Serializers
         class TestV1 < Base
-          CONTENT_FIELDS = (["trace_id", "span_id"] + Base::CONTENT_FIELDS).freeze
+          CONTENT_FIELDS = (%w[trace_id span_id] + Base::CONTENT_FIELDS).freeze
 
           CONTENT_MAP_SIZE = calculate_content_map_size(CONTENT_FIELDS)
 
-          REQUIRED_FIELDS = (["trace_id", "span_id"] + Base::REQUIRED_FIELDS).freeze
+          REQUIRED_FIELDS = (%w[trace_id span_id] + Base::REQUIRED_FIELDS).freeze
 
           def content_fields
             CONTENT_FIELDS

lib/datadog/ci/test_visibility/serializers/test_v2.rb

@@ -8,15 +8,15 @@ module CI
     module TestVisibility
       module Serializers
         class TestV2 < TestV1
-          CONTENT_FIELDS = (["test_session_id", "test_module_id", "test_suite_id"] + TestV1::CONTENT_FIELDS).freeze
+          CONTENT_FIELDS = (%w[test_session_id test_module_id test_suite_id] + TestV1::CONTENT_FIELDS).freeze
 
-          CONTENT_FIELDS_WITH_ITR_CORRELATION_ID = (CONTENT_FIELDS + ["itr_correlation_id"]).freeze
+          CONTENT_FIELDS_WITH_ITR_CORRELATION_ID = (CONTENT_FIELDS + %w[itr_correlation_id]).freeze
 
           CONTENT_MAP_SIZE = calculate_content_map_size(CONTENT_FIELDS)
 
           CONTENT_MAP_SIZE_WITH_ITR_CORRELATION_ID = calculate_content_map_size(CONTENT_FIELDS_WITH_ITR_CORRELATION_ID)
 
-          REQUIRED_FIELDS = (["test_session_id", "test_module_id", "test_suite_id"] + TestV1::REQUIRED_FIELDS).freeze
+          REQUIRED_FIELDS = (%w[test_session_id test_module_id test_suite_id] + TestV1::REQUIRED_FIELDS).freeze
 
           def content_fields
             return CONTENT_FIELDS if itr_correlation_id.nil?

lib/datadog/ci/transport/http.rb

@@ -124,6 +124,7 @@ def trace_count
           def gzipped?(payload)
             return false if payload.nil? || payload.empty?
 
+            # no-dd-sa
             first_bytes = payload[0, 2]
             return false if first_bytes.nil? || first_bytes.empty?
 

sig/datadog/ci/codeowners/parser.rbs

@@ -6,7 +6,7 @@ module Datadog
 
         DEFAULT_LOCATION: "CODEOWNERS"
 
-        POSSIBLE_CODEOWNERS_LOCATIONS: ::Array["CODEOWNERS" | ".github/CODEOWNERS" | ".gitlab/CODEOWNERS" | "docs/CODEOWNERS"]
+        POSSIBLE_CODEOWNERS_LOCATIONS: Array[String]
 
         def initialize: (String? root_file_path) -> void