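# Veracode scans
#
# Reusable workflow (workflow_call). For a given module it optionally builds the
# C++ sources, strips the files that must not be analysed, archives the checkout
# and uploads it to a Veracode sandbox, then promotes the latest sandbox scan.
#
# NOTE(review): the third-party actions below (actions/checkout@v3,
# veracode/veracode-uploadandscan-action@0.2.6, sc979/veracode-sandboxes-helper@v0.2)
# are referenced by mutable tags. This job handles the Veracode API credentials, so
# pinning each `uses:` to a full commit SHA (`@<commit-sha> # vX.Y`) would protect it
# against a moved tag. The SHAs are not on this page; they must be looked up.
on:
  workflow_call:
    inputs:
      module_name:
        required: true
        type: string
      major_version:
        required: true
        type: string
      minor_version:
        required: true
        type: string
      stability:
        required: true
        type: string
      # Optional; the build step only runs when this is exactly 'yes'.
      is_cpp_project:
        required: false
        type: string
      img_version:
        required: true
        type: string
      docker_registry_url:
        required: true
        type: string
    secrets:
      veracode_api_id:
        required: true
      veracode_api_key:
        required: true
      veracode_srcclr_token:
        required: true
      docker_registry_id:
        required: true
      docker_registry_passwd:
        required: true

jobs:
  build:
    name: Sandbox scan
    runs-on: [self-hosted, collect]
    # Least privilege for GITHUB_TOKEN: only the checkout needs it, read-only.
    # The Veracode steps authenticate with their own API id/key, not the token.
    permissions:
      contents: read
    container:
      image: ${{ inputs.docker_registry_url }}/centreon-collect-alma9:${{ inputs.img_version }}
      credentials:
        username: ${{ secrets.docker_registry_id }}
        password: ${{ secrets.docker_registry_passwd }}

    steps:
      - uses: actions/checkout@v3

      - name: debug before compilation status
        run: |
          echo "[DEBUG] - current location ?"
          pwd
          ls -la
          echo "[DEBUG] - Current folder size ?"
          du -sh ./* | sort -h

      - name: Compile cpp sources
        if: inputs.is_cpp_project == 'yes'
        run: |
          pwd
          ls -la
          sudo pip3 install conan==1.57.0 --prefix=/usr --upgrade
          sudo conan install . -s compiler.cppstd=14 -s compiler.libcxx=libstdc++11 --build=missing
          # If verbosity is required add : -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON \
          # Removed to test : -DCMAKE_BUILD_TYPE=RelWithDebInfo \
          sudo cmake \
            -G "Ninja" \
            -DCMAKE_CXX_FLAGS="-gdwarf-2 -g3 -O0 -fno-builtin" \
            -DWITH_TESTING=OFF \
            -DWITH_BENCH=OFF \
            -DWITH_MODULE_SIMU=OFF \
            -DCMAKE_INSTALL_PREFIX=/usr \
            -DWITH_STARTUP_SCRIPT=systemd \
            -DWITH_ENGINE_LOGROTATE_SCRIPT=ON \
            -DWITH_USER_BROKER=centreon-broker \
            -DWITH_GROUP_BROKER=centreon-broker \
            -DWITH_USER_ENGINE=centreon-engine \
            -DWITH_GROUP_ENGINE=centreon-engine \
            -DWITH_VAR_DIR=/var/log/centreon-engine \
            -DWITH_DAEMONS=ON \
            -DWITH_CREATE_FILES=OFF \
            -DWITH_CONFIG_FILES=ON \
            .
          sudo ninja

      - name: debug after compilation status
        run: |
          echo "[DEBUG] - current location ?"
          pwd
          echo "[DEBUG] - Current folder size ?"
          du -sh ./* | sort -h
          # The default run shell is `bash -eo pipefail`, so a missing build folder
          # (presumably the case when no C++ build ran) would fail the whole job from
          # a debug step. Tolerate the absence here.
          echo "[DEBUG] - Build / Bin folder size ?"
          du -sh ./bin/* 2>/dev/null | sort -h || true
          echo "[DEBUG] - Build / Lib folder size ?"
          du -sh ./lib/* 2>/dev/null | sort -h || true
          echo "[DEBUG] - Build / Broker module folder size ?"
          du -sh ./broker/* 2>/dev/null | sort -h || true
          echo "[DEBUG] - Current location files ?"
          ls -la

      - name: Removing files to exclude
        run: |
          echo "[INFO] - Removing veracode exclusions"
          if [[ -f ".veracode-exclusions" ]]; then
            # One directive per line, read verbatim (no word splitting). Characters
            # outside [a-zA-Z0-9_./-] are dropped, then the lexically normalised path
            # must lie strictly inside the workspace: the former "replace .. by ."
            # rewrite still let "..." through as "..", and an absolute directive such
            # as "/" was handed to rm -rf unchanged.
            while IFS= read -r RAW || [[ -n "$RAW" ]]; do
              LINE=$(printf '%s' "$RAW" | sed 's/[^a-zA-Z0-9_./-]//g')
              if [[ -z "$LINE" ]]; then
                echo "[INFO] - empty directive. Skipping this line"
                continue
              fi
              # -m: the target need not exist; -s: do not follow symlinks, so a link
              # inside the workspace is removed as a link rather than its destination.
              TARGET=$(realpath -ms -- "$LINE")
              case "$TARGET" in
                "$PWD"/*) ;;
                *)
                  echo "[WARN] - target outside of the workspace. Skipping: '$LINE'"
                  continue
                  ;;
              esac
              if [[ -d "$TARGET" ]]; then
                rm -rf "$TARGET"
                echo "[INFO] - folder removed from analysis : '$LINE'"
              elif [[ -e "$TARGET" ]]; then
                rm -f "$TARGET"
                echo "[INFO] - file removed from analysis : '$LINE'"
              else
                echo "[INFO] - target to exclude not found. Skipping: '$LINE'"
              fi
            done < .veracode-exclusions
          else
            echo "[INFO] - No '.veracode-exclusions' file found for this module. Skipping exclusion step"
          fi
          echo "[INFO] - Cleaning useless files"
          # Patterns are quoted on purpose: an unquoted glob in an array assignment is
          # expanded against the current directory at assignment time, so "CMake*.*"
          # became e.g. "CMakeCache.txt" and the subtree search missed every other match.
          toClean=(
            '*.o'
            '*.a'
            '*.h'
            '*.sql'
            'CMake*.*'
            '*.in'
            '*.cfg'
            'CMakeDetermineCompilerABI_C.bin'
          )
          for toFind in "${toClean[@]}"; do
            # -type f: a directory matched by the pattern made `rm -f` fail the step;
            # -exec copes with names containing whitespace, unlike the old $(find) loop.
            find ./ -type f -name "$toFind" -exec rm -f {} +
          done
          echo "[INFO] - Checking for remaining scripts used to mock tests"
          find ./ -name "*.py" -printf "[WARN] - Remaining file to exclude : %p\n"
          echo "[DEBUG] - Current folder size ?"
          du -sh ./* | sort -h
          cd ..
          echo "[DEBUG] - Parent folder size ?"
          du -sh ./* | sort -h

      - name: Analysis preparation
        run: |
          echo "[DEBUG] - Current location ?"
          pwd
          ls -la
          # Archive the checkout directory by its real name instead of the hard-coded
          # "centreon-collect", so the reusable workflow also works from another repo.
          WORKSPACE_NAME="$(basename "$PWD")"
          cd ..
          env GZIP=-9 tar cvzf "${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary.tar.gz" "$WORKSPACE_NAME"
          ls -la

      - name: Sandbox scan
        id: scan
        uses: veracode/veracode-uploadandscan-action@0.2.6
        if: vars.VERACODE_CONTINUE_ON_ERROR == 'true'
        continue-on-error: true
        with:
          appname: "${{ inputs.module_name }}"
          version: "${{ inputs.major_version }}.${{ inputs.minor_version }}_runId-${{ github.run_id }}"
          filepath: "../${{ inputs.module_name }}-${{ github.sha }}-${{ github.run_id }}-veracode-binary.tar.gz"
          vid: "vera01ei-${{ secrets.veracode_api_id }}"
          vkey: "vera01es-${{ secrets.veracode_api_key }}"
          createprofile: true
          createsandbox: true
          sandboxname: "${{ github.ref_name }}"
          criticality: "Low"
          #scantimeout: 120
          includenewmodules: true
          scanallnonfataltoplevelmodules: true
          deleteincompletescan: 1
          exclude: "*.jar"
          scanpollinginterval: 120 # time between two checks in seconds / [30 to 120]

      - name: Promote Scan
        # only develop will be promoted to policy scan
        ## if: success() && github.ref_name == 'develop'
        # NOTE(review): the scan step is continue-on-error and conditional, so
        # `success()` stays true when it failed or was skipped and "latest scan" is
        # promoted regardless. If that is not intended, gate on the step itself:
        # `if: steps.scan.outcome == 'success'` — confirm with the workflow owner.
        if: success()
        env:
          VERACODE_API_ID: "${{ secrets.veracode_api_id }}"
          VERACODE_API_SECRET: "${{ secrets.veracode_api_key }}"
        # Action forked as API call hardcode '.com' route
        uses: sc979/veracode-sandboxes-helper@v0.2
        with:
          activity: "promote-latest-scan"
          app-name: "${{ inputs.module_name }}"
          sandbox-name: "${{ github.ref_name }}"
          delete-on-promote: false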