Benchmark/.github/workflows/main.yml at master · Encryptshell/Benchmark · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
---
# This workflow integrates ShiftLeft NG SAST with GitHub
# Visit https://docs.shiftleft.io for help
name: ShiftLeft

on:
  workflow_dispatch:
  pull_request:
    branches: [ master ]
  push:
    branches: [ master ]

jobs:
  NextGen-Static-Analysis:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    # We are building this application with Java 11
    - name: Setup Java JDK
      uses: actions/setup-java@v1.4.3
      with:
        java-version: 11.0.x
    - name: Package with maven
      run: mvn compile package
    - name: Download ShiftLeft CLI
      run: |
        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
        sl check-environment
    # ShiftLeft requires Java 1.8. Post the package step override the version
    - name: Setup Java JDK
      uses: actions/setup-java@v1.4.3
      with:
        java-version: 1.8
    - name: Extract branch name
      shell: bash
      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
      id: extract_branch
    - name: NG SAST Trunk
      # Removed the --wait since we wont be checking the scan
      if: ${{ github.ref == 'refs/heads/main' }}
      run: ${GITHUB_WORKSPACE}/sl analyze --strict --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war
      env:
        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
        SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }}
    - name: NG SAST PR
      # --wait in place because we will run check-analysis with this scan
      if: ${{ github.event_name == 'pull_request' }}
      run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war
      env:
        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
        SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }}
    - name: Validate Build Rules
      # Only run on pull request and compare to Main as set in the build rules file Shiftleft.yml
      if: ${{ github.event_name == 'pull_request' }}
      run: |
            ${GITHUB_WORKSPACE}/sl check-analysis --app Benchmark \
            --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \
            --report \
            --github-pr-number=${{github.event.number}} \
            --github-pr-user=${{ github.repository_owner }} \
            --github-pr-repo=${{ github.event.repository.name }} \
            --github-token=${{ secrets.GITHUB_TOKEN }}
      env:
        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}

  OWASP-Benchmark-Score:
    runs-on: ubuntu-20.04
    needs: NextGen-Static-Analysis
    steps:
    - uses: actions/checkout@v2
    - name: Setup Java JDK
      uses: actions/setup-java@v1.4.3
      with:
        java-version: 11.0.x
    - name: Export NG SAST Findings
      run: |
        cd $HOME
        git clone --depth 1 --branch v0.0.3  https://github.com/ShiftLeftSecurity/field-integrations
        cd field-integrations/shiftleft-utils || exit 1
        mkdir -p ${GITHUB_WORKSPACE}/ngsast_results
        pip3 install -r requirements.txt
        python3 export.py --app Benchmark -f sl -o ${GITHUB_WORKSPACE}/ngsast_results/Benchmark.sl
      env:
        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}

    - name: Package with maven
      run: mvn compile package
    - name: Calculate OWASP Benchmark Score
      run: |
        cd ${GITHUB_WORKSPACE}
        mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv ngsast_results ShiftLeft anonymous"
        if [ -e "scorecard/Benchmark_Scorecard_for_ShiftLeft.html" ]; then
            echo "*** Thank you for Benchmarking ShiftLeft NextGen Static Analysis ***"
            echo "You can find the results for ShiftLeft under workflow artifacts called scorecard"
        else
            echo "Benchmark results were not produced correctly. Check if you have Java 1.8 installed"
        fi
    - uses: actions/upload-artifact@v2
      with:
        name: Benchmark_v1.2_Scorecard_for_ShiftLeft
        path: scorecard

    - name: Generate Results Checksum
      run: |
        OWASP_BENCHMARK_CHECKSUM=$(tail -n +2 scorecard/Benchmark_v1.2_Scorecard_for_ShiftLeft.csv |
          sort |
          tr -d '[:space:]' |
          tr '[:upper:]' '[:lower:]' |
          shasum |
          tr -d " -")
        echo "OWASP_BENCHMARK_CHECKSUM=$OWASP_BENCHMARK_CHECKSUM" >> $GITHUB_ENV

    - uses: actions/setup-node@v2
      with:
        node-version: 14
    - run: npm install jwt-decode node-fetch@2
      if: github.event_name == 'pull_request'

    - name: Notify Benchmark Results
      uses: actions/github-script@v4
      if: github.event_name == 'pull_request'
      env:
        OWASP_BENCHMARK_CHECKSUM: ${{ env.OWASP_BENCHMARK_CHECKSUM }}
        SHIFTLEFT_USER_ID_V2: f82c02ab-752c-4156-a639-978ceafd0ccc
        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}

      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
        script: |
          // Leave a comment on the PR
          const { issue: { number: issue_number }, repo: { owner, repo }  } = context;
          const run = await github.actions.getWorkflowRun({
                owner: context.repo.owner,
                repo: context.repo.repo,
                run_id: context.runId
              });
          const loc = run.data.html_url ? '[GitHub Action](' + run.data.html_url + ')' : 'GitHub Action';
          const body = '👋 ' + '@' + context.actor + ' OWASP Benchmark scorecard is available for download in the Artifacts Section of ' + loc;
          github.issues.createComment({ issue_number, owner, repo, body });

          // Report the results
          const jwt_decode = require('jwt-decode');
          const fetch = require("node-fetch");
          const {
            SHIFTLEFT_API_HOST,
            SHIFTLEFT_ACCESS_TOKEN,
            SHIFTLEFT_USER_ID_V2,
            OWASP_BENCHMARK_CHECKSUM,
          } = process.env;
          const decoded = jwt_decode(SHIFTLEFT_ACCESS_TOKEN);
          const orgID = decoded.orgID;
          const apiHost = SHIFTLEFT_API_HOST || 'www.shiftleft.io';
          fetch(`https://${apiHost}/api/v4/private/orgs/${orgID}/bi_proxy/owasp_benchmark_complete`, {
            headers: {
              "Content-Type": "application/json; charset=utf-8",
              "Authorization": `Bearer ${SHIFTLEFT_ACCESS_TOKEN}`,
            },
            method: 'POST',
            body: JSON.stringify({
              artifact_url: run.data.html_url || '',
              result_sha1: OWASP_BENCHMARK_CHECKSUM,
              user_id_v2: SHIFTLEFT_USER_ID_V2,
            })
          })