From fffdf486398be5a464c2dc6a6d9bfac70d73c28e Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Tue, 22 Mar 2022 11:31:51 +0000 Subject: [PATCH 01/22] Add dependencies to README --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3c3a66dc8..a7ca004df 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,16 @@ This will start a Postgres database and ManagementPortal. The default password f account is `admin`. ### Build from source -you must install and configure the following dependencies on your machine to run from source. + +#### Dependencies + +The following are the prerequisites to run ManagementPortal from source on your machine: + +- Java 11 +- Gradle (v6 or later is recommended) +- Node.js (v15 or later is recommended) +- Yarn (v1.19.0 or later is recommended) + 1. [Node.js][]: We use Node to run a development web server and build the project. Depending on your system, you can install Node either from source or as a pre-packaged bundle. 2. [Yarn][]: We use Yarn to manage Node dependencies. From a536e8e554d5fc01f3cde7cb6f10e22194be9ab4 Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Tue, 22 Mar 2022 11:33:45 +0000 Subject: [PATCH 02/22] Add dependencies to README --- README.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index a7ca004df..9c2a210ae 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,15 @@ ManagementPortal is an application which is used to manage pilot studies for [RA - [Documentation](#documentation) - [Client libraries](#client-libraries) +## Dependencies + +The following are the prerequisites to run ManagementPortal from source on your machine: + +- Java 11 +- Gradle (v6 or later is recommended) +- Node.js (v15 or later is recommended) +- Yarn (v1.19.0 or later is recommended) + ## Quickstart Management Portal can be easily run either by running from source or by using the provided `docker-compose` file. 
@@ -46,15 +55,7 @@ account is `admin`. ### Build from source -#### Dependencies - -The following are the prerequisites to run ManagementPortal from source on your machine: - -- Java 11 -- Gradle (v6 or later is recommended) -- Node.js (v15 or later is recommended) -- Yarn (v1.19.0 or later is recommended) - +You must install and configure the following dependencies on your machine to run from source. 1. [Node.js][]: We use Node to run a development web server and build the project. Depending on your system, you can install Node either from source or as a pre-packaged bundle. 2. [Yarn][]: We use Yarn to manage Node dependencies. From 0904bcaa9f3c5a160f7141e0d29c1c7f7f449ca1 Mon Sep 17 00:00:00 2001 From: Pauline Conde Date: Tue, 22 Mar 2022 18:48:07 +0000 Subject: [PATCH 03/22] Update README.md --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 9c2a210ae..71400563e 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,6 @@ ManagementPortal is an application which is used to manage pilot studies for [RA The following are the prerequisites to run ManagementPortal from source on your machine: - Java 11 -- Gradle (v6 or later is recommended) - Node.js (v15 or later is recommended) - Yarn (v1.19.0 or later is recommended) From f4dd639824a705c79a65c20167bbec9d02926be9 Mon Sep 17 00:00:00 2001 From: Peyman Mohtashami Date: Mon, 25 Jul 2022 18:14:37 +0200 Subject: [PATCH 04/22] Change response of activationReset --- .../org/radarbase/management/web/rest/AccountResource.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/radarbase/management/web/rest/AccountResource.java b/src/main/java/org/radarbase/management/web/rest/AccountResource.java index 66094bd88..e4d1a13e3 100644 --- a/src/main/java/org/radarbase/management/web/rest/AccountResource.java +++ b/src/main/java/org/radarbase/management/web/rest/AccountResource.java 
@@ -158,13 +158,13 @@ public ResponseEntity changePassword(@RequestBody String password) { @PostMapping(path = "/account/reset-activation/init", produces = MediaType.TEXT_PLAIN_VALUE) @Timed - public ResponseEntity requestActivationReset(@RequestBody String login) { + public ResponseEntity requestActivationReset(@RequestBody String login) { return userService.requestActivationReset(login) .map(user -> { // this will be the similar email with newly set reset-key mailService.sendCreationEmail(user, managementPortalProperties.getCommon() .getActivationKeyTimeoutInSeconds()); - return new ResponseEntity<>("Activation email was sent", HttpStatus.OK); + return new ResponseEntity<>(HttpStatus.NO_CONTENT); }).orElse(new ResponseEntity<>("Cannot find a deactivated user with login " + login, HttpStatus.BAD_REQUEST)); } From 52e456a6318dd9b476313d5bfb204c08d2aa77b5 Mon Sep 17 00:00:00 2001 From: Peyman Mohtashami Date: Mon, 25 Jul 2022 18:20:31 +0200 Subject: [PATCH 05/22] Bump version --- build.gradle | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 4ad4969f7..6ef1b47f1 100644 --- a/build.gradle +++ b/build.gradle @@ -32,7 +32,7 @@ repositories { allprojects { group 'org.radarbase' - version '0.8.1' // project version + version '0.8.2' // project version // The comment on the previous line is only there to identify the project version line easily // with a sed command, to auto-update the version number with the prepare-release-branch.sh diff --git a/package.json b/package.json index 04664ad23..f42288ef8 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "management-portal", - "version": "0.8.1", + "version": "0.8.2", "description": "Description for ManagementPortal", "private": true, "cacheDirectories": [ From 77687b2cd54406cf9f3af0b74ea87da3e42aa1a7 Mon Sep 17 00:00:00 2001 
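Review bot: The `orElse` branch of `requestActivationReset` still answers 400 with `"Cannot find a deactivated user with login " + login` while the success path now answers 204, so the status code alone tells a caller whether a deactivated account exists for a given login. Whether this endpoint requires authentication is not visible in the hunk; if it does not, return the same response in both cases, e.g. `.orElse(new ResponseEntity<>(HttpStatus.NO_CONTENT))`, and log the miss server-side instead of echoing the submitted login back. The mapping also keeps `produces = MediaType.TEXT_PLAIN_VALUE` although the success response no longer has a body, which should be dropped or documented.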
From: mpgxvii Date: Wed, 1 Feb 2023 11:26:55 +0000 Subject: [PATCH 06/22] Warn instead of throw error if public key can't be fetched --- .../org/radarbase/auth/authentication/TokenValidator.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java b/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java index 500c56ccf..c18a97e53 100644 --- a/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java +++ b/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java @@ -7,6 +7,7 @@ import java.util.LinkedList; import java.util.List; import java.util.Map; +import java.util.Objects; import java.util.concurrent.TimeUnit; import java.util.stream.Collectors; import java.util.stream.Stream; @@ -215,6 +216,7 @@ private List loadVerifiers() throws TokenValidationException { Stream endpointKeys = streamEmptyIfNull(config.getPublicKeyEndpoints()) .map(this::algorithmFromServerPublicKeyEndpoint) + .filter(Objects::nonNull) .flatMap(List::stream); Stream stringKeys = streamEmptyIfNull(config.getPublicKeys()) @@ -243,8 +245,9 @@ private List algorithmFromServerPublicKeyEndpoint(URI serverUri) thro .getKeys().size(), serverUri.toURL()); return algorithmLoader.loadAlgorithmsFromJavaWebKeys(publicKeyInfo); } else { - throw new TokenValidationException("Invalid token signature. Could not load " - + "newer public keys"); + // Log and Continue Pulling next Endpoints, if any + LOGGER.warn("Invalid token signature. Could not load "+ "newer public keys"); + return null; } } catch (Exception ex) { From 6f5b70f4fe7363313666754ebf22d65a4091bf33 Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Wed, 1 Feb 2023 12:05:59 +0000 Subject: [PATCH 07/22] Fix checkstyle errors --- .../java/org/radarbase/auth/authentication/TokenValidator.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
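Review bot: Returning `null` from the `else` branch of `algorithmFromServerPublicKeyEndpoint` is what forces the `.filter(Objects::nonNull)` and the new `Objects` import in `loadVerifiers`; `return List.of();` would let the existing `.flatMap(List::stream)` handle the failed endpoint without a null-returning list method. More importantly, a failed key fetch is now only a warning, so if every configured endpoint fails `loadVerifiers` continues with whatever `stringKeys` yields, possibly nothing. Both methods continue outside these hunks, so please confirm that an empty verifier list still ends in a `TokenValidationException` and is not kept as a valid loaded state until the next refresh. A short comment on the `else` branch saying that the empty result is deliberate and that token validation fails closed when no verifier is available would make that contract explicit.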
diff --git a/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java b/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java index c18a97e53..dcd54c79b 100644 --- a/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java +++ b/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java @@ -246,7 +246,7 @@ private List algorithmFromServerPublicKeyEndpoint(URI serverUri) thro return algorithmLoader.loadAlgorithmsFromJavaWebKeys(publicKeyInfo); } else { // Log and Continue Pulling next Endpoints, if any - LOGGER.warn("Invalid token signature. Could not load "+ "newer public keys"); + LOGGER.warn("Invalid token signature. Could not load newer public keys"); return null; } From 2efab25ae9b6fc6525e7a8965585790da9860d54 Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Wed, 1 Feb 2023 13:13:18 +0000 Subject: [PATCH 08/22] Add public key url to warning logs --- .../java/org/radarbase/auth/authentication/TokenValidator.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java b/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java index dcd54c79b..6d9780afe 100644 --- a/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java +++ b/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java @@ -246,7 +246,8 @@ private List algorithmFromServerPublicKeyEndpoint(URI serverUri) thro return algorithmLoader.loadAlgorithmsFromJavaWebKeys(publicKeyInfo); } else { // Log and Continue Pulling next Endpoints, if any - LOGGER.warn("Invalid token signature. Could not load newer public keys"); + LOGGER.warn("Invalid token signature. Could not load " + + "public key from {}", serverUri.toURL()); return null; } From c19fd95acbc74ad39346c20c55dedaa9cf2c31b8 Mon Sep 17 00:00:00 2001 
From: Pauline Conde Date: Wed, 1 Feb 2023 15:34:11 +0000 Subject: [PATCH 09/22] Update public key endpoint warning message on fail Co-authored-by: Joris Borgdorff --- .../java/org/radarbase/auth/authentication/TokenValidator.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java b/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java index 6d9780afe..14178c7a6 100644 --- a/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java +++ b/radar-auth/src/main/java/org/radarbase/auth/authentication/TokenValidator.java @@ -246,8 +246,7 @@ private List algorithmFromServerPublicKeyEndpoint(URI serverUri) thro return algorithmLoader.loadAlgorithmsFromJavaWebKeys(publicKeyInfo); } else { // Log and Continue Pulling next Endpoints, if any - LOGGER.warn("Invalid token signature. Could not load " - + "public key from {}", serverUri.toURL()); + LOGGER.warn("Could not load newer public keys from {}", serverUri.toURL()); return null; } From 42f7f03d25ea55fac75dc094dc09dbc9351577f6 Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Wed, 8 Feb 2023 16:03:46 +0000 Subject: [PATCH 10/22] Pull GA changes from mp2.0 --- .github/workflows/main.yml | 116 +++++++++++++++++++++++-------------- 1 file changed, 71 insertions(+), 45 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a43a71ba3..c5a456de8 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -4,9 +4,8 @@ name: Main # Run in master and dev branches and in all pull requests to those branches on: push: - branches: [ master, dev ] - pull_request: - branches: [ master, dev ] + branches: [ master, dev, "Mp2.0-rc" ] + pull_request: {} env: DOCKER_IMAGE: radarbase/management-portal 
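Review bot: The header comment kept as context in the first main.yml hunk, `# Run in master and dev branches and in all pull requests to those branches`, no longer matches the triggers: `pull_request: {}` runs the workflow for pull requests against any branch, and `push` now also covers `Mp2.0-rc`. Update it to something like `# Run on pushes to master, dev and Mp2.0-rc, and on every pull request`. Later steps of this workflow reference the Docker Hub secrets, so the comment should state accurately which events can reach them.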
@@ -20,29 +19,30 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - - name: Use Node.js 15 - uses: actions/setup-node@v1 + - name: Use Node.js 16 + uses: actions/setup-node@v3 with: - node-version: 15 + node-version: 16 - name: Get yarn cache directory path id: yarn-cache-dir-path - run: echo "::set-output name=dir::$(yarn cache dir)" + run: echo "dir=.yarn/cache" >> $GITHUB_OUTPUT - - uses: actions/setup-java@v1 + - uses: actions/setup-java@v3 with: - java-version: 11 + distribution: temurin + java-version: 17 - name: Cache - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: | ${{ steps.yarn-cache-dir-path.outputs.dir }} ~/.gradle/caches ~/.gradle/wrapper - key: ${{ runner.os }}-java-${{ hashFiles('**/build.gradle', '**/gradle.properties', '**/yarn.lock') }} + key: ${{ runner.os }}-java-${{ hashFiles('**/build.gradle', '**/gradle.properties', '**/yarn.lock', '.yarnrc.yml') }} restore-keys: | ${{ runner.os }}-java- 
@@ -65,34 +65,15 @@ jobs: if: always() run: ./gradlew check - - name: Codacy - if: steps.gradle-check.outcome != 'cancelled' - env: - CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }} - run: ./gradlew sendCoverageToCodacy - - name: End to end tests id: e2e run: | cp src/test/resources/config/keystore.p12 src/main/resources/config/keystore.p12 ./gradlew bootRun &>mp.log > $GITHUB_OUTPUT - name: Login to Docker Hub if: steps.docker_check_secret.outputs.IS_DOCKER_SECRET_SET == 'true' - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Get yarn cache directory path + id: yarn-cache-dir-path + run: echo "dir=.yarn/cache" >> $GITHUB_OUTPUT + + - name: Cache Docker layers + id: cache-buildx + uses: actions/cache@v3 + with: + path: | + ${{ steps.yarn-cache-dir-path.outputs.dir }} + /tmp/.buildx-cache + key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile', '**/*.gradle', 'gradle.properties', 'src/main/**', 'radar-auth/src/**', 'yarn.lock', '*.json', '.yarnrc.yml') }} + restore-keys: | + ${{ runner.os }}-buildx- + + - name: Cache parameters + id: cache-parameters + run: | + if [ "${{ steps.cache-buildx.outputs.cache-hit }}" = "true" ]; then + echo "cache-to=" >> $GITHUB_OUTPUT + else + echo "cache-to=type=local,dest=/tmp/.buildx-cache-new,mode=max" >> $GITHUB_OUTPUT + fi + + - name: Use Node.js 16 + uses: actions/setup-node@v3 + with: + node-version: 16 + + - name: Prime yarn cache + run: yarn install --mode=skip-build + # Add Docker labels and tags - name: Docker meta id: docker_meta - uses: crazy-max/ghaction-docker-meta@v2 + uses: docker/metadata-action@v4 with: images: ${{ env.DOCKER_IMAGE }} # Setup docker build environment - name: Set up QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v2 - name: Docker build parameters 
id: docker_params run: | if [ "${{ github.event_name == 'pull_request' }}" = "true" ]; then - echo "::set-output name=push::false" - echo "::set-output name=load::true" - echo "::set-output name=platforms::linux/amd64" + echo "push=false" >> $GITHUB_OUTPUT + echo "load=true" >> $GITHUB_OUTPUT + echo "platforms=linux/amd64" >> $GITHUB_OUTPUT else - echo "::set-output name=push::true" - echo "::set-output name=load::false" - echo "::set-output name=platforms::linux/amd64,linux/arm64" + echo "push=true" >> $GITHUB_OUTPUT + echo "load=false" >> $GITHUB_OUTPUT + echo "platforms=linux/amd64,linux/arm64" >> $GITHUB_OUTPUT fi - name: Build docker - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v3 with: + # Do not load context from Github but from local path + context: . + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: ${{ steps.cache-parameters.outputs.cache-to }} load: ${{ steps.docker_params.outputs.load }} push: ${{ steps.docker_params.outputs.push }} platforms: ${{ steps.docker_params.outputs.platforms }} @@ -177,6 +194,15 @@ jobs: org.opencontainers.image.vendor=RADAR-base org.opencontainers.image.licenses=Apache-2.0 + # Temp fix + # https://github.com/docker/build-push-action/issues/252 + # https://github.com/moby/buildkit/issues/1896 + - name: Move docker build cache + if: steps.cache-buildx.outputs.cache-hit != 'true' + run: | + rm -rf /tmp/.buildx-cache + mv /tmp/.buildx-cache-new /tmp/.buildx-cache + - name: Pull docker image if: steps.docker_params.outputs.load == 'false' run: docker pull ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }} From 7bc48f79438dffd5fd6009ef7855208b307d8e72 Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Wed, 8 Feb 2023 16:10:53 +0000 Subject: [PATCH 11/22] Fix GA --- .github/workflows/main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c5a456de8..65a256569 100644 --- a/.github/workflows/main.yml 
+++ b/.github/workflows/main.yml @@ -4,7 +4,7 @@ name: Main # Run in master and dev branches and in all pull requests to those branches on: push: - branches: [ master, dev, "Mp2.0-rc" ] + branches: [ master, dev ] pull_request: {} env: @@ -21,10 +21,10 @@ jobs: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - uses: actions/checkout@v3 - - name: Use Node.js 16 + - name: Use Node.js 15 uses: actions/setup-node@v3 with: - node-version: 16 + node-version: 15 - name: Get yarn cache directory path id: yarn-cache-dir-path @@ -33,7 +33,7 @@ jobs: - uses: actions/setup-java@v3 with: distribution: temurin - java-version: 17 + java-version: 11 - name: Cache uses: actions/cache@v3 @@ -140,10 +140,10 @@ jobs: echo "cache-to=type=local,dest=/tmp/.buildx-cache-new,mode=max" >> $GITHUB_OUTPUT fi - - name: Use Node.js 16 + - name: Use Node.js 15 uses: actions/setup-node@v3 with: - node-version: 16 + node-version: 15 - name: Prime yarn cache run: yarn install --mode=skip-build From 901b1f86f7b1f78f44e8ea3c37dda8f7ad216eb5 Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Wed, 8 Feb 2023 16:39:13 +0000 Subject: [PATCH 12/22] Pull GA changes from mp2.0 but keep node to 15 and java to 11 --- .github/workflows/pre-release.yml | 21 ++++++++----- .github/workflows/release.yml | 32 ++++++++++++------- .github/workflows/scheduled-snyk.yaml | 45 +++++++++++++-------------- .github/workflows/snyk.yaml | 39 ++++++++++++++--------- 4 files changed, 82 insertions(+), 55 deletions(-) diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml index a78c288fa..a4f5fa4a3 100644 --- a/.github/workflows/pre-release.yml +++ b/.github/workflows/pre-release.yml 
@@ -17,23 +17,24 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Use Node.js 15 - uses: actions/setup-node@v1 + uses: actions/setup-node@v3 with: node-version: 15 - name: Get yarn cache directory path id: yarn-cache-dir-path - run: echo "::set-output name=dir::$(yarn cache dir)" + run: echo "dir=.yarn/cache" >> $GITHUB_OUTPUT - - uses: actions/setup-java@v1 + - uses: actions/setup-java@v3 with: + distribution: temurin java-version: 11 - name: Cache - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: | ${{ steps.yarn-cache-dir-path.outputs.dir }} @@ -48,9 +49,15 @@ jobs: run: | yarn install - - name: Run full end to end tests + - name: End to end tests + id: e2e run: | - ./src/test/bash/run-prod-e2e.sh + cp src/test/resources/config/keystore.p12 src/main/resources/config/keystore.p12 + ./gradlew bootRun &>mp.log > $GITHUB_OUTPUT - - uses: actions/setup-java@v1 + - uses: actions/setup-java@v3 with: + distribution: temurin java-version: 11 - name: Cache - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: | ${{ steps.yarn-cache-dir-path.outputs.dir }} 
@@ -70,17 +71,25 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 + + - name: Use Node.js 15 + uses: actions/setup-node@v3 + with: + node-version: 15 + + - name: Prime yarn cache + run: yarn install --check-cache --mode=skip-build # Setup docker build environment - name: Set up QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v2 - name: Login to DockerHub - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -88,7 +97,7 @@ jobs: # Add Docker labels and tags - name: Docker meta id: docker_meta - uses: crazy-max/ghaction-docker-meta@v2 + uses: docker/metadata-action@v4 with: images: ${{ env.DOCKER_IMAGE }} tags: | @@ -96,8 +105,9 @@ jobs: type=semver,pattern={{major}}.{{minor}} - name: Build docker - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v3 with: + context: . # Allow running the image on the architectures supported by openjdk:11-jre-slim platforms: linux/amd64,linux/arm64 push: true diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml index b0f365855..0ac9fc813 100644 --- a/.github/workflows/scheduled-snyk.yaml +++ b/.github/workflows/scheduled-snyk.yaml 
@@ -9,37 +9,36 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@v3 + - uses: snyk/actions/setup@master + with: + snyk-version: v1.931.0 - - name: Run Snyk to check for Kotlin vulnerabilities - uses: snyk/actions/gradle-jdk11@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + - uses: actions/setup-node@v3 with: - command: test - json: true - args: --all-sub-projects --policy-path=.snyk - if: ${{ !cancelled() }} + node-version: '15' + cache: npm - - name: Report new Kotlin vulnerabilities - uses: thehyve/report-vulnerability@master + - uses: actions/setup-java@v3 with: - report-file: snyk.json - env: - TOKEN: ${{ secrets.GITHUB_TOKEN }} - if: ${{ failure() }} + distribution: temurin + java-version: 11 - - name: Run Snyk to check for Node vulnerabilities - uses: snyk/actions/node@master + - name: Setup Gradle + uses: gradle/gradle-build-action@v2 + + - name: Run Snyk to check for vulnerabilities env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - command: test - args: . --policy-path=.snyk - json: true - if: ${{ !cancelled() }} + run: > + snyk test + --all-projects + --configuration-matching="^(compile|runtime)Classpath$" + --org=radar-base + --policy-path=.snyk + --json-file-output=snyk.json - - name: Report new Node vulnerabilities + - name: Report new vulnerabilities uses: thehyve/report-vulnerability@master with: report-file: snyk.json diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 554966c9e..10d2830c9 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml 
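Review bot: The added step `uses: snyk/actions/setup@master` in scheduled-snyk.yaml tracks a mutable branch of a third-party action, and that action installs the CLI which the next step runs with `SNYK_TOKEN` in its environment; the same line is added in the snyk.yaml hunk that follows. The unchanged `thehyve/report-vulnerability@master` step has the same property. Pin these to a full commit SHA with the release noted in a trailing comment, e.g. `uses: snyk/actions/setup@<commit-sha>  # <release tag>`, in the same way the commit already fixes the CLI version through `snyk-version`.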
@@ -1,28 +1,39 @@ name: Snyk test on: - pull_request: - branches: - - master + - pull_request jobs: security: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@v3 + - uses: snyk/actions/setup@master + with: + snyk-version: v1.931.0 - - name: Run Snyk to check for Kotlin vulnerabilities - uses: snyk/actions/gradle-jdk11@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + - uses: actions/setup-node@v3 with: - args: --severity-threshold=high --all-sub-projects --policy-path=.snyk + node-version: '15' + cache: npm - - name: Run Snyk to check for Node vulnerabilities - uses: snyk/actions/node@master + - uses: actions/setup-java@v3 + with: + distribution: temurin + java-version: 11 + + - name: Setup Gradle + uses: gradle/gradle-build-action@v2 + + - name: Run Snyk to check for vulnerabilities env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - args: . --severity-threshold=high --policy-path=.snyk - if: ${{ !cancelled() }} + run: > + snyk test + --all-projects + --configuration-matching="^(compile|runtime)Classpath$" + --fail-on=upgradable + --org=radar-base + --policy-path=.snyk + --severity-threshold=high From ebcc564912b0c33cec16cc5511e89dcd2b09c53d Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Wed, 8 Feb 2023 17:00:43 +0000 Subject: [PATCH 13/22] Fix snyk GA --- .github/workflows/snyk.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 10d2830c9..37d55b2d9 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -32,7 +32,7 @@ jobs: run: > snyk test --all-projects - --configuration-matching="^(compile|runtime)Classpath$" + --configuration-matching="^compileClasspath$" --fail-on=upgradable --org=radar-base --policy-path=.snyk From 71e27648a3e14ac273cc9d749ca94e9140984154 Mon Sep 17 00:00:00 2001 
From: mpgxvii Date: Wed, 8 Feb 2023 17:19:21 +0000 Subject: [PATCH 14/22] Undo snyx GA changes --- .github/workflows/snyk.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 37d55b2d9..10d2830c9 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -32,7 +32,7 @@ jobs: run: > snyk test --all-projects - --configuration-matching="^compileClasspath$" + --configuration-matching="^(compile|runtime)Classpath$" --fail-on=upgradable --org=radar-base --policy-path=.snyk From 84f8eae48d72a0c5fbe685ea6078f75adb682736 Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Wed, 22 Feb 2023 18:34:09 +0800 Subject: [PATCH 15/22] Fix snyk GA --- .github/workflows/snyk.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 10d2830c9..1d4973249 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -32,7 +32,7 @@ jobs: run: > snyk test --all-projects - --configuration-matching="^(compile|runtime)Classpath$" + --configuration-matching='^(compile|runtime)Classpath$' --fail-on=upgradable --org=radar-base --policy-path=.snyk From 825adcb8cfcf8cec40aedccf73053bb9d3045ac8 Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Wed, 22 Feb 2023 19:09:44 +0800 Subject: [PATCH 16/22] Fix snyk GA --- .github/workflows/snyk.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 1d4973249..f98d07a9c 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -32,7 +32,7 @@ jobs: run: > snyk test --all-projects - --configuration-matching='^(compile|runtime)Classpath$' + --configuration-matching="^compileClasspath$|^runtimeClasspath$" --fail-on=upgradable --org=radar-base --policy-path=.snyk From 78d41e80af6ce7c84ccc9e76a4233df0d12aab79 Mon Sep 17 00:00:00 2001 
From: mpgxvii Date: Wed, 22 Feb 2023 19:15:31 +0800 Subject: [PATCH 17/22] Fix snyk GA --- .github/workflows/scheduled-snyk.yaml | 4 ++-- .github/workflows/snyk.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml index 0ac9fc813..4733346c9 100644 --- a/.github/workflows/scheduled-snyk.yaml +++ b/.github/workflows/scheduled-snyk.yaml @@ -12,7 +12,7 @@ jobs: - uses: actions/checkout@v3 - uses: snyk/actions/setup@master with: - snyk-version: v1.931.0 + snyk-version: v1.996.0 - uses: actions/setup-node@v3 with: @@ -33,7 +33,7 @@ jobs: run: > snyk test --all-projects - --configuration-matching="^(compile|runtime)Classpath$" + --configuration-matching="^compileClasspath$|^runtimeClasspath$" --org=radar-base --policy-path=.snyk --json-file-output=snyk.json diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index f98d07a9c..eed10e9cf 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -11,7 +11,7 @@ jobs: - uses: actions/checkout@v3 - uses: snyk/actions/setup@master with: - snyk-version: v1.931.0 + snyk-version: v1.996.0 - uses: actions/setup-node@v3 with: From ed5bbe2f074f598d1f945987b7457f1c9362ca71 Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Wed, 22 Feb 2023 20:03:50 +0800 Subject: [PATCH 18/22] Fix snyk GA --- .github/workflows/snyk.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index eed10e9cf..9ced5b362 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -32,7 +32,7 @@ jobs: run: > snyk test --all-projects - --configuration-matching="^compileClasspath$|^runtimeClasspath$" + --configuration-matching="^runtimeClasspath$" --fail-on=upgradable --org=radar-base --policy-path=.snyk From ae21e07e5d44963dddecec8ece601c387eebb5b8 Mon Sep 17 00:00:00 2001 
From: mpgxvii Date: Wed, 22 Feb 2023 20:07:48 +0800 Subject: [PATCH 19/22] Fix snyk GA --- .github/workflows/snyk.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 9ced5b362..9916e79eb 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -32,7 +32,7 @@ jobs: run: > snyk test --all-projects - --configuration-matching="^runtimeClasspath$" + --configuration-matching="^compileClasspath|runtimeClasspath$" --fail-on=upgradable --org=radar-base --policy-path=.snyk From 1936d488b8a79cac6421d20f243710901c6416d5 Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Wed, 22 Feb 2023 20:19:50 +0800 Subject: [PATCH 20/22] Fix snyk GA --- .github/workflows/snyk.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 9916e79eb..5aef5ef71 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -32,7 +32,7 @@ jobs: run: > snyk test --all-projects - --configuration-matching="^compileClasspath|runtimeClasspath$" + --configuration-matching="^compileClasspath$|runtimeClasspath" --fail-on=upgradable --org=radar-base --policy-path=.snyk From 2ac77b77dfd24b85b72fe877694c0884ddf970ea Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Wed, 22 Feb 2023 20:36:05 +0800 Subject: [PATCH 21/22] Separate snyk tests --- .github/workflows/snyk.yaml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 5aef5ef71..59a2e481b 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml 
@@ -26,14 +26,26 @@ jobs: - name: Setup Gradle uses: gradle/gradle-build-action@v2 - - name: Run Snyk to check for vulnerabilities + - name: Run Snyk to check for vulnerabilities in compileClasspath env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} run: > snyk test --all-projects - --configuration-matching="^compileClasspath$|runtimeClasspath" + --configuration-matching="^compileClasspath$" --fail-on=upgradable --org=radar-base --policy-path=.snyk --severity-threshold=high + + - name: Run Snyk to check for vulnerabilities in runtimeClasspath + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + run: > + snyk test + --all-projects + --configuration-matching="^runtimeClasspath$" + --fail-on=upgradable + --org=radar-base + --policy-path=.snyk + --severity-threshold=high From 81065e0aabe9d7fffe42196f63c8054668f3999b Mon Sep 17 00:00:00 2001 From: mpgxvii Date: Wed, 22 Feb 2023 20:37:32 +0800 Subject: [PATCH 22/22] Separate snyk tests --- .github/workflows/snyk.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 59a2e481b..42ae29133 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -38,14 +38,14 @@ jobs: --policy-path=.snyk --severity-threshold=high - - name: Run Snyk to check for vulnerabilities in runtimeClasspath - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - run: > - snyk test - --all-projects - --configuration-matching="^runtimeClasspath$" - --fail-on=upgradable - --org=radar-base - --policy-path=.snyk - --severity-threshold=high + - name: Run Snyk to check for vulnerabilities in runtimeClasspath + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + run: > + snyk test + --all-projects + --configuration-matching="^runtimeClasspath$" + --fail-on=upgradable + --org=radar-base + --policy-path=.snyk + --severity-threshold=high