name change central-repo and added SAST, DAST, LINT and sonarcloud qu…

…ality-gates
ShopSmartSG · Oct 17, 2024 · 3697dd3 · 3697dd3
1 parent 33c0269
commit 3697dd3
Show file tree

Hide file tree

Showing 7 changed files with 323 additions and 3 deletions.
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -0,0 +1,114 @@
+name: Build, Test, SAST, and Push Docker Image
+
+on:
+  push:
+    branches:
+      - feature/shopsmart-72
+  pull_request:
+    branches:
+      - feature/shopsmart-72
+  workflow_dispatch: # allows manual triggering
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      AWS_REGION: ${{ secrets.AWS_REGION }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      ECR_REPO_URI: ${{ secrets.ECR_REPO_URI }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Log in to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Set up JDK
+        uses: actions/setup-java@v2
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+
+      - name: Verify Java Installation
+        run: java -version
+
+      - name: Install required tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libxml2-utils bc
+      - name: Build and run tests with JaCoCo
+        run: |
+          mvn clean test
+          mvn jacoco:report
+
+      - name: Check JaCoCo Coverage Threshold
+        run: |
+          #!/bin/bash
+
+          # Debug: Print the content of the JaCoCo report
+          echo "Content of JaCoCo report:"
+          cat target/site/jacoco/jacoco.xml
+
+          # Extract the total lines covered
+          TOTAL_LINES_COVERED=$(xmllint --xpath "(//counter[@type='LINE']/@covered)[1]" target/site/jacoco/jacoco.xml | cut -d'"' -f2)
+          echo "Total lines covered: $TOTAL_LINES_COVERED"
+
+          # Extract the total lines
+          TOTAL_LINES=$(xmllint --xpath "(//counter[@type='LINE']/@missed)[1]" target/site/jacoco/jacoco.xml | cut -d'"' -f2)
+          echo "Total lines: $TOTAL_LINES"
+
+          # Calculate coverage percentage
+          if [[ $TOTAL_LINES_COVERED =~ ^[0-9]+$ ]] && [[ $TOTAL_LINES =~ ^[0-9]+$ ]]; then
+              COVERAGE_PERCENTAGE=$(echo "scale=2; ($TOTAL_LINES_COVERED / ($TOTAL_LINES + $TOTAL_LINES_COVERED)) * 100" | bc)
+              echo "Calculated Coverage Percentage: $COVERAGE_PERCENTAGE%"
+          else
+              echo "Invalid coverage or total line count extracted."
+              exit 1
+          fi
+
+          if (( $(echo "$COVERAGE_PERCENTAGE < 80" | bc -l) )); then
+              echo "Code coverage is below 80%, build failed."
+              exit 1
+          fi
+
+          echo "Code coverage check passed!"
+        shell: bash
+      - name: Debug AWS Credentials
+        run: |
+          echo "AWS_REGION=${{ secrets.AWS_REGION }}"
+          echo "AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}"
+          echo "AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+          echo "ECR_REPO_URI=${{ secrets.ECR_REPO_URI }}"
+
+      - name: Build, Test, and Analyze with Maven
+        run: |
+          mvn clean verify sonar:sonar \
+            -Dsonar.projectKey=ShopSmartSG_central-repo-service \
+            -Dsonar.organization=shopsmartsg \
+            -Dsonar.host.url=https://sonarcloud.io \
+            -Dsonar.login=${{ secrets.SONAR_TOKEN }} \
+            -Dsonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+
+      - name: Log in to Amazon ECR Public
+        run: |
+          aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/l0d0i0v3
+
+      - name: Build Docker image
+        run: |
+          docker build -t shopsmartsg/central-repo-service .
+          docker tag shopsmartsg/central-repo-service:latest ${{ secrets.ECR_REPO_URI }}:latest
+
+      - name: Push Docker image to ECR
+        run: |
+          docker push ${{ secrets.ECR_REPO_URI }}:latest
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -0,0 +1,33 @@
+name: Lint
+
+on:
+  push:
+    branches: [main, feature/*]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v2
+        with:
+          java-version: '21'
+          distribution: 'temurin'  # Specify the Java distribution
+
+      - name: Install Maven
+        run: sudo apt-get install maven -y
+
+      - name: Run Checkstyle
+        run: mvn checkstyle:check
+
+      - name: Archive Checkstyle Report
+        uses: actions/upload-artifact@v3
+        with:
+          name: checkstyle-report
+          path: target/checkstyle-result.xml
diff --git a/.github/workflows/sast-scan.yml b/.github/workflows/sast-scan.yml
@@ -0,0 +1,35 @@
+name: SAST Scan
+
+on:
+  push:
+    branches: [main, feature/*]
+  pull_request:
+    branches: [main]
+
+jobs:
+  sast:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v2
+        with:
+          java-version: '21'
+          distribution: 'temurin'  # Specify the Java distribution
+
+      - name: Install Maven
+        run: sudo apt-get install maven -y
+
+      - name: Run OWASP Dependency Check
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+        run: mvn org.owasp:dependency-check-maven:check -Dnvd.apiKey=${NVD_API_KEY}
+
+      - name: Archive Dependency Check Report
+        uses: actions/upload-artifact@v3
+        with:
+          name: dependency-check-report
+          path: target/dependency-check-report.html
diff --git a/.github/workflows/zap-scan.yml b/.github/workflows/zap-scan.yml
@@ -0,0 +1,69 @@
+name: ZAP Full Scan
+
+on:
+  push:
+    branches: [main, feature/*]
+  pull_request:
+    branches: [main]
+
+jobs:
+  zap_scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v3
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+
+      - name: Build with Maven
+        run: mvn clean package
+
+      # Step 1: Create Docker network
+      - name: Create Docker Network
+        run: docker network create zap-network
+
+      # Step 2: Build the Docker image for the central-repo-service
+      - name: Build Docker Image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false
+          tags: central-repo-service:latest
+
+      # Step 3: Run the Docker container for the application in the zap-network
+      - name: Run Docker Container
+        run: docker run -d --name central-repo-service --network zap-network -p 8084:8084 central-repo-service:latest
+
+      # Step 4: Wait for the application to start and be available
+      - name: Wait for Application to Start
+        run: |
+          echo "Waiting for the application to start..."
+          for i in {1..10}; do
+            if curl -s http://localhost:8084 >/dev/null; then
+              echo "Application is up!"
+              break
+            fi
+            echo "Waiting for 10 seconds..."
+            sleep 10
+          done
+
+      # Step 5: Run ZAP Full Scan in the same Docker network
+      - name: ZAP Full Scan
+        uses: zaproxy/action-full-scan@v0.11.0
+        with:
+          target: 'http://central-repo-service:8084'  # Target by container name in the zap-network
+          token: ${{ secrets.GITHUB_TOKEN }}
+          cmd_options: '-t http://central-repo-service:8084 -r zap_report.html'
+
+      # Step 6: Upload the ZAP report as an artifact
+      - name: Upload ZAP Report
+        uses: actions/upload-artifact@v3
+        with:
+          name: zap-report
+          path: zap_report.html
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,33 @@
+# Stage 1: Build the application using Maven
+FROM maven:3.9.7-eclipse-temurin-21 AS build
+WORKDIR /app
+COPY pom.xml .
+COPY src ./src
+RUN mvn clean package
+
+# Stage 2: Set up the runtime environment
+# Use an official OpenJDK runtime as a parent image
+FROM openjdk:21-jdk-slim
+
+# Create the log directory and set proper permissions
+RUN mkdir -p /var/log/central-repo-service && \
+    chmod -R 777 /var/log/central-repo-service  # Ensure the app can write to the log directory
+
+# Copy the project’s jar file into the container at /app
+COPY --from=build /app/target/central-repo-service.jar central-repo-app.jar
+
+# Make port 8084 available to the world outside this container
+EXPOSE 8084
+
+# Run the jar file
+ENTRYPOINT ["java", "-jar", "central-repo-app.jar"]
+
+# to build image after building jar post any changes
+# docker build -t central-repo-service:latest .
+# docker-compose up --build
+# docker push simranarora264/central-repo-service:latest
+# docker file and docker-compose port should be same
+# docker-compose down : shutdown the container
+# till we shutdown the postgres image , db remains intact
+#docker file has container port
+#app.properties has
diff --git a/pom.xml b/pom.xml
@@ -70,6 +70,7 @@
 		</dependency>
 	</dependencies>
 	<build>
+		<finalName>central-repo-service</finalName>
 		<plugins>
 			<plugin>
 				<groupId>org.springframework.boot</groupId>
@@ -119,7 +120,7 @@
 										<limit>
 											<counter>LINE</counter>
 											<value>COVEREDRATIO</value>
-											<minimum>90%</minimum>
+											<minimum>80%</minimum>
 										</limit>
 									</limits>
 								</rule>
@@ -128,7 +129,41 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-checkstyle-plugin</artifactId>
+				<version>3.1.2</version>
+				<configuration>
+					<configLocation>google_checks.xml</configLocation> <!-- You can use sun_checks.xml or your custom config -->
+					<consoleOutput>true</consoleOutput>
+					<failOnViolation>true</failOnViolation>
+				</configuration>
+				<executions>
+					<execution>
+						<phase>validate</phase>
+						<goals>
+							<goal>check</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+			<plugin>
+				<groupId>org.owasp</groupId>
+				<artifactId>dependency-check-maven</artifactId>
+				<version>10.0.2</version>
+				<configuration>
+					<nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
+				</configuration>
+				<executions>
+					<execution>
+						<goals>
+							<goal>check</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+
 		</plugins>
 	</build>
 
-</project>
+</project>
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -1 +1,2 @@
-spring.application.name=shopsmart_backend
+spring.application.name=central-repo
+server.port=8080