From 3697dd3fe37aaf1368575dcafedbdae3aee6b90e Mon Sep 17 00:00:00 2001
From: Anvisimi <8444.sa@gmail.com>
Date: Thu, 17 Oct 2024 16:12:03 +0800
Subject: [PATCH] name change central-repo and added SAST, DAST, LINT and sonarcloud quality-gates
---
.github/workflows/docker-build.yml | 114 ++++++++++++++++++++++
.github/workflows/lint.yaml | 33 +++++++
.github/workflows/sast-scan.yml | 35 +++++++
.github/workflows/zap-scan.yml | 69 +++++++++++++
Dockerfile | 33 +++++++
pom.xml | 39 +++++++-
src/main/resources/application.properties | 3 +-
7 files changed, 323 insertions(+), 3 deletions(-)
create mode 100644 .github/workflows/docker-build.yml
create mode 100644 .github/workflows/lint.yaml
create mode 100644 .github/workflows/sast-scan.yml
create mode 100644 .github/workflows/zap-scan.yml
create mode 100644 Dockerfile
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
new file mode 100644
index 0000000..e4933a6
--- /dev/null
+++ b/.github/workflows/docker-build.yml
@@ -0,0 +1,114 @@ +name: Build, Test, SAST, and Push Docker Image + +on: + push: + branches: + - feature/shopsmart-72 + pull_request: + branches: + - feature/shopsmart-72 + workflow_dispatch: # allows manual triggering + +jobs: + build: + runs-on: ubuntu-latest + env: + AWS_REGION: ${{ secrets.AWS_REGION }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + ECR_REPO_URI: ${{ secrets.ECR_REPO_URI }} + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ secrets.AWS_REGION }} + + - name: Log in to Amazon ECR + uses: aws-actions/amazon-ecr-login@v2 + + - name: Set up JDK + uses: actions/setup-java@v2 + with: + java-version: '21' + distribution: 'temurin' + + - name: Verify Java Installation + run: java -version + + - name: Install required tools + run: | + sudo apt-get update + sudo apt-get install -y libxml2-utils bc + - name: Build and run tests with JaCoCo + run: | + mvn clean test + mvn jacoco:report + + - name: Check JaCoCo Coverage Threshold + run: | + #!/bin/bash + + # Debug: Print the content of the JaCoCo report + echo "Content of JaCoCo report:" + cat target/site/jacoco/jacoco.xml + + # Extract the total lines covered + TOTAL_LINES_COVERED=$(xmllint --xpath "(//counter[@type='LINE']/@covered)[1]" target/site/jacoco/jacoco.xml | cut -d'"' -f2) + echo "Total lines covered: $TOTAL_LINES_COVERED" + + # Extract the total lines + TOTAL_LINES=$(xmllint --xpath "(//counter[@type='LINE']/@missed)[1]" target/site/jacoco/jacoco.xml | cut -d'"' -f2) + echo "Total lines: $TOTAL_LINES" + + # Calculate coverage percentage + if [[ $TOTAL_LINES_COVERED =~ ^[0-9]+$ ]] && [[ $TOTAL_LINES =~ ^[0-9]+$ ]]; then + COVERAGE_PERCENTAGE=$(echo "scale=2; ($TOTAL_LINES_COVERED / 
($TOTAL_LINES + $TOTAL_LINES_COVERED)) * 100" | bc) + echo "Calculated Coverage Percentage: $COVERAGE_PERCENTAGE%" + else + echo "Invalid coverage or total line count extracted." + exit 1 + fi + + if (( $(echo "$COVERAGE_PERCENTAGE < 80" | bc -l) )); then + echo "Code coverage is below 80%, build failed." + exit 1 + fi + + echo "Code coverage check passed!" + shell: bash + - name: Debug AWS Credentials + run: | + echo "AWS_REGION=${{ secrets.AWS_REGION }}" + echo "AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}" + echo "AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}" + echo "ECR_REPO_URI=${{ secrets.ECR_REPO_URI }}" + + - name: Build, Test, and Analyze with Maven + run: | + mvn clean verify sonar:sonar \ + -Dsonar.projectKey=ShopSmartSG_central-repo-service \ + -Dsonar.organization=shopsmartsg \ + -Dsonar.host.url=https://sonarcloud.io \ + -Dsonar.login=${{ secrets.SONAR_TOKEN }} \ + -Dsonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + NVD_API_KEY: ${{ secrets.NVD_API_KEY }} + + - name: Log in to Amazon ECR Public + run: | + aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/l0d0i0v3 + + - name: Build Docker image + run: | + docker build -t shopsmartsg/central-repo-service . + docker tag shopsmartsg/central-repo-service:latest ${{ secrets.ECR_REPO_URI }}:latest + + - name: Push Docker image to ECR + run: | + docker push ${{ secrets.ECR_REPO_URI }}:latest diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml new file mode 100644 index 0000000..46ebb94 --- /dev/null +++ b/.github/workflows/lint.yaml 
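Review bot: The `Debug AWS Credentials` step prints `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION` and `ECR_REPO_URI` into the job log; GitHub masks registered secret values only as an exact-match, best-effort measure, so deliberately echoing them is still a leak path — delete the step outright, and rotate the access key if this workflow has already run. In the same hunk `-Dsonar.login=${{ secrets.SONAR_TOKEN }}` puts the token on the Maven command line (visible in process arguments) even though `SONAR_TOKEN` is already exported in that step's `env`, which the Sonar scanner reads; drop the `-Dsonar.login` argument. The coverage gate is also measuring the wrong thing: `(//counter[@type='LINE']/@covered)[1]` takes the first LINE counter in document order, which in a JaCoCo XML report belongs to the first method, not the report total — use `/report/counter[@type='LINE']/@covered` and `/report/counter[@type='LINE']/@missed` (and rename `TOTAL_LINES` to `MISSED_LINES`, since that is what it holds). Finally, the long-lived key pair in `secrets` could be replaced by OIDC (`role-to-assume` on `aws-actions/configure-aws-credentials` with `permissions: id-token: write`), and `actions/checkout@v2` / `setup-java@v2` / `configure-aws-credentials@v1` are old majors that should be bumped and ideally pinned to a commit SHA.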
@@ -0,0 +1,33 @@
+name: Lint
+
+on:
+ push:
+ branches: [main, feature/*]
+ pull_request:
+ branches: [main]
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Set up JDK 21
+ uses: actions/setup-java@v2
+ with:
+ java-version: '21'
+ distribution: 'temurin' # Specify the Java distribution
+
+ - name: Install Maven
+ run: sudo apt-get install maven -y
+
+ - name: Run Checkstyle
+ run: mvn checkstyle:check
+
+ - name: Archive Checkstyle Report
+ uses: actions/upload-artifact@v3
+ with:
+ name: checkstyle-report
+ path: target/checkstyle-result.xml
\ No newline at end of file
diff --git a/.github/workflows/sast-scan.yml b/.github/workflows/sast-scan.yml
new file mode 100644
index 0000000..71c0f27
--- /dev/null
+++ b/.github/workflows/sast-scan.yml
@@ -0,0 +1,35 @@
+name: SAST Scan
+
+on:
+ push:
+ branches: [main, feature/*]
+ pull_request:
+ branches: [main]
+
+jobs:
+ sast:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Set up JDK 21
+ uses: actions/setup-java@v2
+ with:
+ java-version: '21'
+ distribution: 'temurin' # Specify the Java distribution
+
+ - name: Install Maven
+ run: sudo apt-get install maven -y
+
+ - name: Run OWASP Dependency Check
+ env:
+ NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+ run: mvn org.owasp:dependency-check-maven:check -Dnvd.apiKey=${NVD_API_KEY}
+
+ - name: Archive Dependency Check Report
+ uses: actions/upload-artifact@v3
+ with:
+ name: dependency-check-report
+ path: target/dependency-check-report.html
diff --git a/.github/workflows/zap-scan.yml b/.github/workflows/zap-scan.yml
new file mode 100644
index 0000000..7181284
--- /dev/null
+++ b/.github/workflows/zap-scan.yml
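Review bot: Nothing in the `Run OWASP Dependency Check` step fails the job on findings — the report is archived, but without a CVSS threshold the `check` goal does not break the build, so this is a report, not the gate the commit title promises; pass `-DfailBuildOnCVSS=7` here (or set `<failBuildOnCVSS>` in the plugin configuration), e.g. `run: mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7 -DnvdApiKey="${NVD_API_KEY}"`. Note the property name in that example: the Maven plugin's parameter is `nvdApiKey`, and I could not find `nvd.apiKey` as an accepted alias, so the current `-Dnvd.apiKey=` may be silently ignored and leave the job throttled by the NVD API — verify against the plugin docs for 10.0.2. Passing the key in argv also exposes it to any other process on the runner; the plugin can take it from the environment or a Maven settings property instead. Separately, Dependency-Check is software composition analysis of third-party libraries, not static analysis of this repository's code, so the `SAST Scan` name is misleading — rename it, or add a real SAST step (SonarCloud only runs in `docker-build.yml`).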
@@ -0,0 +1,69 @@
+name: ZAP Full Scan
+
+on:
+ push:
+ branches: [main, feature/*]
+ pull_request:
+ branches: [main]
+
+jobs:
+ zap_scan:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Set up JDK 21
+ uses: actions/setup-java@v3
+ with:
+ java-version: '21'
+ distribution: 'temurin'
+
+ - name: Build with Maven
+ run: mvn clean package
+
+ # Step 1: Create Docker network
+ - name: Create Docker Network
+ run: docker network create zap-network
+
+ # Step 2: Build the Docker image for the central-repo-service
+ - name: Build Docker Image
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ file: ./Dockerfile
+ push: false
+ tags: central-repo-service:latest
+
+ # Step 3: Run the Docker container for the application in the zap-network
+ - name: Run Docker Container
+ run: docker run -d --name central-repo-service --network zap-network -p 8084:8084 central-repo-service:latest
+
+ # Step 4: Wait for the application to start and be available
+ - name: Wait for Application to Start
+ run: |
+ echo "Waiting for the application to start..."
+ for i in {1..10}; do
+ if curl -s http://localhost:8084 >/dev/null; then
+ echo "Application is up!"
+ break
+ fi
+ echo "Waiting for 10 seconds..."
+ sleep 10
+ done
+
+ # Step 5: Run ZAP Full Scan in the same Docker network
+ - name: ZAP Full Scan
+ uses: zaproxy/action-full-scan@v0.11.0
+ with:
+ target: 'http://central-repo-service:8084' # Target by container name in the zap-network
+ token: ${{ secrets.GITHUB_TOKEN }}
+ cmd_options: '-t http://central-repo-service:8084 -r zap_report.html'
+
+ # Step 6: Upload the ZAP report as an artifact
+ - name: Upload ZAP Report
+ uses: actions/upload-artifact@v3
+ with:
+ name: zap-report
+ path: zap_report.html
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..437c7a7
--- /dev/null
+++ b/Dockerfile
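Review bot: The `Wait for Application to Start` loop never fails the job — if all ten probes of `http://localhost:8084` miss, the step still exits 0 and ZAP scans a container that may not be serving, yielding an empty or misleading report; add a failure after `done`, e.g. `echo "Application did not start"; docker logs central-repo-service; exit 1`, so that falling out of the loop is an error. That failure is likely here, because this same commit sets `server.port=8080` in `application.properties` while the container is run with `-p 8084:8084` and targeted at `:8084`; unless the port is overridden at runtime, the app listens on 8080 inside the container and nothing answers on 8084. I also could not confirm from this hunk that the action's own ZAP container joins `zap-network`; if it does not, the `http://central-repo-service:8084` name will not resolve and the published port (`http://localhost:8084`) is the safer target. Lastly, `token: ${{ secrets.GITHUB_TOKEN }}` lets the action open issues, which needs `permissions: issues: write` on the job (the default token on fork pull requests is read-only); if issues are not wanted, drop the token and rely on the artifact upload.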
@@ -0,0 +1,33 @@ +# Stage 1: Build the application using Maven +FROM maven:3.9.7-eclipse-temurin-21 AS build +WORKDIR /app +COPY pom.xml . +COPY src ./src +RUN mvn clean package + +# Stage 2: Set up the runtime environment +# Use an official OpenJDK runtime as a parent image +FROM openjdk:21-jdk-slim + +# Create the log directory and set proper permissions +RUN mkdir -p /var/log/central-repo-service && \ + chmod -R 777 /var/log/central-repo-service # Ensure the app can write to the log directory + +# Copy the project’s jar file into the container at /app +COPY --from=build /app/target/central-repo-service.jar central-repo-app.jar + +# Make port 8084 available to the world outside this container +EXPOSE 8084 + +# Run the jar file +ENTRYPOINT ["java", "-jar", "central-repo-app.jar"] + +# to build image after building jar post any changes +# docker build -t central-repo-service:latest . +# docker-compose up --build +# docker push simranarora264/central-repo-service:latest +# docker file and docker-compose port should be same +# docker-compose down : shutdown the container +# till we shutdown the postgres image , db remains intact +#docker file has container port +#app.properties has \ No newline at end of file diff --git a/pom.xml b/pom.xml index 9d40a56..6e15f1c 100644 --- a/pom.xml +++ b/pom.xml @@ -70,6 +70,7 @@ + central-repo-service org.springframework.boot @@ -119,7 +120,7 @@ LINE COVEREDRATIO - 90% + 80% @@ -128,7 +129,41 @@ + + org.apache.maven.plugins + maven-checkstyle-plugin + 3.1.2 + + google_checks.xml + true + true + + + + validate + + check + + + + + + org.owasp + dependency-check-maven + 10.0.2 + + NVD_API_KEY + + + + + check + + + + + - + \ No newline at end of file diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 52f1c32..0e560fd 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties 
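Review bot: The runtime stage has no `USER` instruction, so the Spring Boot process runs as root, and `chmod -R 777` makes `/var/log/central-repo-service` world-writable instead of giving it to a dedicated service user; the base image `openjdk:21-jdk-slim` also comes from the `openjdk` Docker Hub repository, which is officially deprecated, and carries a full JDK where a JRE suffices. Create a system user, give it the log directory, and switch to it before `ENTRYPOINT`, on the same Temurin family the build stage already uses — the rewritten runtime stage is below. `EXPOSE 8084` also disagrees with the `server.port=8080` this commit sets in `application.properties`; one of the two should change so the published port is the one the app listens on. The trailing comment block about `docker-compose` and a personal Docker Hub repo reads as scratch notes; move it to the README or delete it.
```dockerfile
# … unchanged: Stage 1 (maven:3.9.7-eclipse-temurin-21 build) …

# Stage 2: Set up the runtime environment (JRE only, non-root)
FROM eclipse-temurin:21-jre

# Unprivileged service user that owns the log directory
RUN groupadd --system app && useradd --system --gid app --no-create-home app && \
    mkdir -p /var/log/central-repo-service && \
    chown app:app /var/log/central-repo-service && \
    chmod 750 /var/log/central-repo-service

COPY --from=build /app/target/central-repo-service.jar central-repo-app.jar

USER app
EXPOSE 8084
ENTRYPOINT ["java", "-jar", "central-repo-app.jar"]
```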
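Review bot: The JaCoCo `COVEREDRATIO` minimum is lowered from `90%` to `80%` without a word in the commit message, and the same commit adds a bash script in `docker-build.yml` that hard-codes a second 80% check — two places now encode the threshold and will drift. Keep the `<rule>` in the pom as the single source of truth (run `mvn jacoco:check` in the workflow, which already fails the build on the rule) and drop the hand-rolled XPath/`bc` gate; if relaxing to 80% is intentional, say so in the message.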
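Review bot: The XML tags were stripped in this rendering, so the new `dependency-check-maven` block is read with caution, but no `failBuildOnCVSS` element is visible, which means the bound `check` execution produces a report without ever failing the build; add `<failBuildOnCVSS>7</failBuildOnCVSS>` (or whatever threshold the team agrees on) to the plugin `<configuration>` so the gate is enforced in every `mvn verify`, not only in the workflow. The configuration also appears to carry the bare value `NVD_API_KEY`; if the intent is to read the key from the environment that needs to be `${env.NVD_API_KEY}` inside `<nvdApiKey>`, otherwise the literal string is sent as the key and NVD requests will be throttled — please confirm against the unstripped file.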
@@ -1 +1,2 @@
-spring.application.name=shopsmart_backend
+spring.application.name=central-repo
+server.port=8080
\ No newline at end of file
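Review bot: `server.port=8080` conflicts with the rest of this commit, which publishes and probes port 8084 (`EXPOSE 8084` in the Dockerfile, `-p 8084:8084` and the `:8084` targets in `zap-scan.yml`); unless the port is overridden by an environment variable at runtime, the container listens on 8080 and the DAST job scans a closed port. Either set `server.port=8084` here or change the Dockerfile and workflow to 8080, and end the file with a newline so the next appended property is not glued onto this line.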