diff --git a/.circleci/config.yml b/.circleci/config.yml
index 04637a5e1ae..1b9faf656ae 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -458,11 +458,65 @@ jobs: echo "Individual reports for master and pr have been saved under the Artifacts tab." exit 0 fi + - persist_to_workspace: + root: /tmp/repos + paths: + - master_report.sbom - store_artifacts: path: /tmp/repos/master_report.sbom - store_artifacts: path: /tmp/repos/pr_report.sbom + update_security_status_badge: + machine: + image: ubuntu-2204:2024.08.1 + resource_class: medium + working_directory: /tmp/repos + environment: + SUCCESS_MESSAGE: 'passing' + SUCCESS_COLOR: 'brightgreen' + FAILURE_MESSAGE: 'failing' + FAILURE_COLOR: 'FF0A0A' + SEVERITY_THRESHOLD: 'CRITICAL' + TEST_REPO_URL: 'git@github.com:cBioPortal/cbioportal-test.git' + steps: + - attach_workspace: + at: /tmp/repos + - add_ssh_keys: + fingerprints: + - "SHA256:vtzpWrYBLQAMgZIsEv3Nuc1HeINJXFFtUB+IpSY/AK4" + - run: + name: Set up git user + command: | + git config --global user.name "CircleCI Bot" + git config --global user.email "bot@circleci.com" + - run: + name: Clone test repo using ssh url + command: | + rm -rf cbioportal-test + git clone $TEST_REPO_URL + - run: + name: Count vulnerabilities and update status badge + command: | + COUNT=$(jq '[.[] | select(.severity == "$SEVERITY_THRESHOLD")] | length' master_report.sbom) + cd cbioportal-test + if [ $COUNT -eq 0 ]; then + jq --arg msg "$SUCCESS_MESSAGE" --arg col "$SUCCESS_COLOR" '.message = $msg | .color = $col' security-status.json > temp.json + else + jq --arg msg "$FAILURE_MESSAGE" --arg col "$FAILURE_COLOR" '.message = $msg | .color = $col' security-status.json > temp.json + fi + mv temp.json security-status.json + echo "security-status.json has been updated:" + cat security-status.json | jq + - run: + name: Push new security status to cbioportal/cbioportal-test + command: | + cd cbioportal-test + git diff + git add security-status.json + git commit -m "Update security status" + git push + workflows: end_to_end_tests: jobs: 
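Review bot: The severity filter in "Count vulnerabilities and update status badge" never matches: the jq program is single-quoted, so `$SEVERITY_THRESHOLD` is not expanded by the shell and jq compares `.severity` against the literal string `$SEVERITY_THRESHOLD`, which makes COUNT 0 on every run and the badge permanently `passing`. Pass the threshold in as a jq variable instead: `COUNT=$(jq --arg sev "$SEVERITY_THRESHOLD" '[.[] | select(.severity == $sev)] | length' master_report.sbom)`. This also assumes master_report.sbom is a top-level JSON array of objects carrying a `severity` field; the report's shape is produced outside this hunk, so it is worth confirming against the step that writes it. In the push step, `git commit` exits non-zero when the badge state is unchanged, so the job would fail on every run with no status change; guard it with `git diff --cached --quiet || git commit -m "Update security status"`. The bare `git push` targets the clone's default branch while the README badge reads `refs/heads/main` of cbioportal-test; if those differ the badge never updates, so pinning the target (`git push origin HEAD:main`) keeps writer and reader in agreement.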
@@ -501,4 +555,11 @@ workflows: context: - docker-scout requires: - - build_image
\ No newline at end of file
+ - build_image + - update_security_status_badge: + requires: + - run_security_tests + filters: + branches: + only: + - master
\ No newline at end of file
diff --git a/README.md b/README.md
index 8039031d85f..8b164e38dd1 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@ # cBioPortal +[![Endpoint Badge](https://img.shields.io/endpoint?url=https%3A%2F%2Fraw.githubusercontent.com%2FcBioPortal%2Fcbioportal-test%2Frefs%2Fheads%2Fmain%2Fsecurity-status.json)](https://docs.cbioportal.org/development/security/) + The cBioPortal for Cancer Genomics provides visualization, analysis, and download of large-scale cancer genomics data sets. For a short intro on cBioPortal, see [these introductory slides](https://docs.google.com/presentation/d/1hm0G77UklZnpQfFvywBfW2ZIsy8deKi5r1RfJarOPLg/edit?usp=sharing). If you would like to know how to setup a private instance of the portal and/or get set up for developing, see the [documentation](https://docs.cbioportal.org). For details on contributing code changes via pull requests, see our [Contributing document](CONTRIBUTING.md).
diff --git a/docs/development/Security.md b/docs/development/Security.md
index 8561f20afa5..b82d0e80389 100644
--- a/docs/development/Security.md
+++ b/docs/development/Security.md
@@ -1,14 +1,15 @@ # Security We are committed to maintaining a secure and reliable platform by integrating proactive vulnerability detection and mitigation strategies into our development and release workflows. Here's how we address security concerns at each stage of our development process. ---- +## Current Vulnerability Status +We provide a [status badge](https://github.com/cBioPortal/cbioportal?tab=readme-ov-file#cbioportal) that displays the current vulnerability status of the cBioPortal application. Additionally, we maintain a Software Bill of Materials (SBOM) integrated with our Github Dependabot Security system. + ## Vulnerability Detection in Pull Requests We utilize **SonarCloud** to ensure the integrity and security of our codebase. SonarCloud is configured to automatically analyze all pull requests and merged code. This enables us to: - Detect security vulnerabilities, bugs, and code smells during the review process. - Generate detailed reports that identify specific issues, such as potential injections, insecure code patterns, or other security risks. - Enforce quality gates that prevent merging unsafe code into the main branch. The results of the analysis are presented as part of the Github pull request checks, allowing contributors and maintainers to address issues early in the development lifecycle. ---- ## Container Image Security with Docker Scout As part of our release process, we integrate **Docker Scout** to ensure the security of container images published to our public DockerHub repository. Key steps include: 
@@ -16,14 +17,12 @@ As part of our release process, we integrate **Docker Scout** to ensure the secu - **Detailed Reports:** Vulnerabilities are categorized by severity, and actionable remediation steps are provided. This ensures maintainers can quickly patch or replace vulnerable components. - **Image Maintenance:** We montior and rebuild images when new vulnerabilities are detected in upstream dependencies, ensuring our images remain secure. Docker Scout is a critical step in the release pipeline, ensuring that the container images used by our users are secure and free from known vulnerabilities. ---- ## Continuous Monitoring and Updates SonarCloud and Docker Scout work seamlessly within our development and release workflows: - **SonarCloud** safeguards the integrity of the codebase during pull requests and merges. - **Docker Scout** validates the security of container images as part of our weekly release cycle. This dual-layered approach ensures that vulnerabilities are addressed both at the source code and container levels, offering comprehensive security coverage for the cBioPortal platform. ---- ## Feedback and Contributions We encourage the community to provide feedback and suggestions to enhance our security processes. If you have any questions or ideas, please contact us or submit an issue on our [Github repository](https://github.com/cBioPortal/cbioportal/security/policy).