From b66f5f03077e5dddfd31df198c59f7e2a701600d Mon Sep 17 00:00:00 2001 From: Denis Plotnikov Date: Tue, 7 Feb 2023 11:34:40 +0400 Subject: [PATCH 1/2] [TH2-4566] Reusable workflow with vulnerabilities check --- .../workflows/dev-java-publish-sonatype.yml | 73 ++++++++----------- .github/workflows/java-publish-sonatype.yml | 40 ++++++---- .gitignore | 3 + build.gradle | 36 ++++++++- settings.gradle | 1 + 5 files changed, 96 insertions(+), 57 deletions(-) diff --git a/.github/workflows/dev-java-publish-sonatype.yml b/.github/workflows/dev-java-publish-sonatype.yml index c654dba7..38da564e 100644 --- a/.github/workflows/dev-java-publish-sonatype.yml +++ b/.github/workflows/dev-java-publish-sonatype.yml 
@@ -1,52 +1,39 @@ -name: Dev build and publish Docker distributions to Github Container Registry ghcr.io - +name: Dev build and publish Java distributions to sonatype snapshot repository on: push: branches-ignore: - - master - - version-* -# paths: -# - gradle.properties + - master + - version-* jobs: - build: + build-job: + uses: th2-net/.github/.github/workflows/compound-java-dev.yml@main + with: + scanner-enabled: false + build-target: 'Sonatype' + runsOn: ubuntu-latest + secrets: + sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }} + sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }} + sonatypeSigningKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }} + sonatypeSigningPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} + scan-job: runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - # Prepare custom build version - - name: Get branch name - id: branch - run: echo ::set-output name=branch_name::${GITHUB_REF#refs/*/} - - name: Get SHA of the commit - id: sha - run: echo ::set-output name=sha_short::$(git rev-parse --short HEAD) - - name: Get release_version - id: ver - uses: christian-draeger/read-properties@1.0.1 - with: - path: gradle.properties - property: release_version - - name: Build custom release version - id: release_ver - run: echo ::set-output name=value::"${{ steps.ver.outputs.value }}-${{ steps.branch.outputs.branch_name }}-${{ github.run_id }}-${{ steps.sha.outputs.sha_short }}-SNAPSHOT" - - name: Write custom release version to file - uses: christian-draeger/write-properties@1.0.1 + - name: Checkout code + uses: actions/checkout@v3 + - name: Create lockfiles + run: ./gradlew createLockFiles + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master with: - path: gradle.properties - property: release_version - value: ${{ steps.release_ver.outputs.value }} - - name: Show custom release version - run: echo ${{ steps.release_ver.outputs.value }} - # Build and publish package - - name: Set up JDK 11 - 
uses: actions/setup-java@v1 + scan-type: 'fs' + ignore-unfixed: false + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH,MEDIUM' + exit-code: '0' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 with: - java-version: '11' - - name: Build with Gradle - run: ./gradlew --info clean build publish - env: - ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }} - ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }} - ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }} - ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} + sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/java-publish-sonatype.yml b/.github/workflows/java-publish-sonatype.yml index b8c36688..5d1e85f9 100644 --- a/.github/workflows/java-publish-sonatype.yml +++ b/.github/workflows/java-publish-sonatype.yml @@ -1,5 +1,4 @@ name: Build and release Java distributions to sonatype. - on: push: branches: 
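Review bot: `uses: aquasecurity/trivy-action@master` in the new scan-job pulls an unpinned third-party action at whatever `master` points to on each run, so the scanner's own supply chain is not under the repository's control (the in-org reusable workflow at `@main` is mutable in the same way); pin it to a full commit SHA with the version as a trailing comment, `uses: aquasecurity/trivy-action@<commit-sha>  # <tag>`. The same unpinned reference is added in the java-publish-sonatype.yml hunk. `exit-code: '0'` together with `scanner-enabled: false` on the reusable workflow means findings are uploaded to the Security tab but never fail a run, which reads as deliberate for a first rollout; a comment stating that, `# exit-code 0: report only, findings do not block the build`, keeps the next maintainer from reading it as an oversight. Uploading SARIF needs `security-events: write` on the job token and no `permissions:` block is visible here, so this relies on the repository default; declaring `permissions:` / `security-events: write` / `contents: read` on scan-job makes the requirement explicit and keeps the rest of the token read-only.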
@@ -10,18 +9,33 @@ on: jobs: build: + uses: th2-net/.github/.github/workflows/compound-java.yml@main + with: + scanner-enabled: false + build-target: 'Sonatype' + runsOn: ubuntu-latest + secrets: + sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }} + sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }} + sonatypeSigningKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }} + sonatypeSigningPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} + scan-job: runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Set up JDK 11 - uses: actions/setup-java@v1 + - name: Checkout code + uses: actions/checkout@v3 + - name: Create lockfiles + run: ./gradlew createLockFiles + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + ignore-unfixed: false + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH,MEDIUM' + exit-code: '0' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 with: - java-version: '11' - - name: Build with Gradle - run: ./gradlew --info clean build publish closeAndReleaseSonatypeStagingRepository - env: - ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }} - ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }} - ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }} - ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} + sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/.gitignore b/.gitignore index 18acb945..7121109d 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,9 @@ /cradle-cassandra/.project /cradle-cassandra/.classpath /cradle-cassandra/build +/cradle-cassandra/gradle/ +/cradle-core/gradle/ +/gradle/dependency-locks/ /cradle-core/.classpath /cradle-core/.project /cradle-core/.settings diff --git a/build.gradle b/build.gradle index 78554ee0..a51d0e9f 100644 --- a/build.gradle 
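Review bot: In this release workflow `scan-job` runs in parallel with `build`, which publishes and closes the Sonatype staging repository through the reusable workflow, so with `exit-code: '0'` a CRITICAL finding can never prevent an artifact from being released; if the scan is meant to gate releases, add `needs: scan-job` to `build` and set `exit-code: '1'`, narrowing `severity` to the levels that should block. The `\ No newline at end of file` marker shows the file now ends without a trailing newline after `sarif_file: 'trivy-results.sarif'`. The action-pinning and `permissions:` points raised on the dev-java-publish-sonatype.yml hunk apply here unchanged.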
+++ b/build.gradle @@ -5,7 +5,7 @@ plugins { ext { slf4j_version = '1.7.36' - jackson_version = '2.9.7' + jackson_version = '2.13.4' sharedDir = file("${project.rootDir}/shared") } @@ -13,6 +13,24 @@ ext { allprojects { version = release_version group = 'com.exactpro.th2' + + configurations { + compileClasspath { + resolutionStrategy.activateDependencyLocking() + } + } + + tasks.register('resolveAndLockAll') { + doFirst { + println gradle.startParameter.writeDependencyLocks + } + doLast { + configurations.findAll { + // Add any custom filtering on the configurations to be resolved + it.canBeResolved + }.each { it.resolve() } + } + } } subprojects { @@ -29,6 +47,22 @@ subprojects { resolutionStrategy.cacheDynamicVersionsFor 0, 'seconds' } } + + configurations { + compileClasspath { + resolutionStrategy.activateDependencyLocking() + } + } + + tasks.register('createLockFiles', Copy) { + dependsOn('resolveAndLockAll') + from "./gradle/dependency-locks/compileClasspath.lockfile" + into "./.." + + rename { String filename -> + return project.name + '-' + filename + } + } defaultTasks 'build' diff --git a/settings.gradle b/settings.gradle index f7f7a1a8..5ca681b5 100644 --- a/settings.gradle +++ b/settings.gradle @@ -4,3 +4,4 @@ include 'cradle-cassandra' // Defined names will be used for jar and artifact names project(':cradle-core').name = 'cradle-core' project(':cradle-cassandra').name = 'cradle-cassandra' +startParameter.setWriteDependencyLocks(true) From 791ca8c0a364f0132928d7737171587aa119e2cf Mon Sep 17 00:00:00 2001 From: Denis Plotnikov Date: Tue, 7 Feb 2023 11:52:15 +0400 Subject: [PATCH 2/2] version bump --- README.md | 6 +++++- gradle.properties | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 856cda33..33f36bb8 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Cradle API (3.1.4) +# Cradle API (3.1.5) ## Overview 
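Review bot: `jackson_version = '2.13.4'` disagrees with the release note added in the README hunk of PATCH 2/2, which records the Jackson upgrade as `13.4.0`; the build file is what actually runs, so the README line should say `2.13.4` rather than `13.4.0`. That same release note lists a DataStax driver upgrade that does not appear anywhere in this two-patch series, which suggests it landed in an earlier commit and is worth confirming before the note ships.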
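Review bot: Locking is activated only for `compileClasspath`, and the `createLockFiles` task in the next hunk copies only `compileClasspath.lockfile`, so anything declared `runtimeOnly` or reachable only on the runtime classpath never reaches the Trivy scan; activate locking on `runtimeClasspath` as well, `runtimeClasspath { resolutionStrategy.activateDependencyLocking() }` next to the `compileClasspath` block, and ship that lockfile to the scanner too. `println gradle.startParameter.writeDependencyLocks` in `doFirst` looks like a debugging leftover. The comment `// Add any custom filtering on the configurations to be resolved` describes a hook nothing uses; either restrict the closure to the locked configurations or drop the comment. Because this `allprojects` block already applies to every subproject, the identical `configurations { compileClasspath { … } }` block added to `subprojects` in the following hunk is redundant.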
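Review bot: `createLockFiles` renames the lockfile to `<subproject>-compileClasspath.lockfile` and drops it in the repository root, but Trivy's Gradle support is documented for `gradle.lockfile`; confirm that the filesystem scan actually parses a file with this name, otherwise the Security tab stays empty while the workflow appears green. If it does not, keep the original file name and separate subprojects by directory instead of by prefix, dropping the `rename` closure. The `./gradle/dependency-locks/<configuration>.lockfile` layout is the per-configuration format of older Gradle releases, while newer Gradle writes a single `gradle.lockfile` per project, which would make this `from` path a no-op; the wrapper version is not visible in this diff, so this is only worth a check. The `configurations { compileClasspath { … } }` block here duplicates the one in `allprojects`.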
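Review bot: `startParameter.setWriteDependencyLocks(true)` makes every Gradle invocation behave as if `--write-locks` were passed, so the lock state is regenerated on each build rather than enforced; with `.gitignore` now excluding `/gradle/dependency-locks/` as well, `activateDependencyLocking()` never pins a resolved version and only produces an inventory for the scanner. If an inventory is all that is intended, say so beside the line, `// always regenerate lock files: they are a scan input, not an enforced pin`; if reproducible builds are also intended, drop this line, commit the lockfiles, and pass `--write-locks` only when updating them.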
@@ -142,6 +142,10 @@ Test events have mandatory parameters that are verified when storing an event. T ## Release notes +### 3.1.5 ++ datastax drive upgrade from `4.13.0` to `4.14.1` ++ jackson upgrade from `2.9.7` to `13.4.0` + ### 3.1.4 + Fixed poor performance bug while maintaining event batch durations diff --git a/gradle.properties b/gradle.properties index 408c4b9a..4d78cc0b 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,4 +1,4 @@ -release_version = 3.1.4 +release_version = 3.1.5 description = 'Cradle API'