Implement configuration for handling artifact ratings from a file

.github/actions/artifact-security-label-threshold-action/Dockerfile

@@ -0,0 +1,11 @@
+FROM python:3
+
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install -y git jupyter python3-pandas python3-yaml cowsay
+
+ENV PATH $PATH:/usr/games
+
+COPY entrypoint.sh /opt/entrypoint.sh
+
+ENTRYPOINT [ "/opt/entrypoint.sh" ]

.github/actions/artifact-security-label-threshold-action/action.yml

@@ -0,0 +1,22 @@
+name: "Calculate label thresholds for Fosstars security ratings"
+description: "The action calculates label thresholds for Fosstars project security rating procedure."
+inputs:
+  input-file:
+    description: "A path to an input JSON file"
+    default: "maven_artifacts.json"
+    required: true
+  report-branch:
+    description: "A branch where the output file should be stored"
+    required: true
+    default: oss-artifact-security-report
+  fosstars-version:
+    description: "A version of Fosstars"
+    required: true
+    default: art-config
+runs:
+  using: "docker"
+  image: "Dockerfile"
+  args:
+    - ${{ inputs.input-file }}
+    - ${{ inputs.report-branch }}
+    - ${{ inputs.fosstars-version }}

.github/actions/artifact-security-label-threshold-action/entrypoint.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+
+export INPUT_FILE=$1
+export REPORT_BRANCH=$2
+export FOSSTARS_VERSION=$3
+
+if [ "$INPUT_FILE" = "" ]; then
+    cowsay "Oops! No input file provided!"
+    exit 1
+fi
+
+if [ "$REPORT_BRANCH" = "" ]; then
+    cowsay "Oops! No branch provided!"
+    exit 1
+fi
+
+if [ "$FOSSTARS_VERSION" = "" ]; then
+    cowsay "Oops! No Fosstars version provided!"
+    exit 1
+fi
+
+# Switch to the branch where the output should be stored
+OLD_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+git fetch origin $REPORT_BRANCH || git branch $REPORT_BRANCH
+git checkout $REPORT_BRANCH
+if [ $? -ne 0 ]; then
+    cowsay "Could not switch to branch '$REPORT_BRANCH'. Did you forget to run 'actions/checkout' step in your workflow?"
+    exit 1
+fi
+
+ROOT_DIR=$(pwd)
+
+status=0
+while true
+do
+  export INPUT_FILE=$ROOT_DIR/$INPUT_FILE
+  if [ ! -f $INPUT_FILE ]; then
+    status=1
+    cowsay "$INPUT_FILE does not exist!"
+    break
+  fi
+
+  git clone https://github.com/sourabhsparkala/fosstars-rating-core && \
+      cd fosstars-rating-core && \
+      git checkout $FOSSTARS_VERSION
+
+  if [ $? -ne 0 ]; then
+    status=1
+    cowsay "Oops! Could not build Fosstars!"
+    break
+  fi
+
+  cd src/main/jupyter/oss/security
+  export OUTPUT_FILE=$ROOT_DIR/OssArtifactSecurityRatingThresholds.json
+  jupyter nbconvert --to notebook --execute ArtifactSecurityRatingAnalysis.ipynb
+
+  if [ $? -ne 0 ]; then
+    status=1
+    cowsay "Oops! Jupyter notebook failed!"
+    break
+  fi
+
+  mv ArtifactSecurityRatingAnalysis.nbconvert.ipynb $ROOT_DIR/ArtifactSecurityRatingAnalysis.ipynb
+
+  # Commit the report
+  cd $ROOT_DIR
+  git add ArtifactSecurityRatingAnalysis.ipynb OssArtifactSecurityRatingThresholds.json
+  git config --global user.name "Fosstars"
+  git config --global user.email "[email protected]"
+  git commit -m "Update label thresholds" ArtifactSecurityRatingAnalysis.ipynb OssArtifactSecurityRatingThresholds.json
+  if [ $? -ne 0 ]; then
+    cowsay "Could not commit anything"
+  else
+    git remote set-url origin https://x-access-token:[email protected]/$GITHUB_REPOSITORY
+    git push origin $REPORT_BRANCH
+  fi
+
+	break
+done
+
+# Restore the original branch
+git checkout $OLD_BRANCH
+
+exit $status

.github/actions/artifact-security-report-action/Dockerfile

@@ -0,0 +1,22 @@
+FROM openjdk:8
+
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install -y git jq
+
+RUN wget https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz && \
+    HASH=c35a1803a6e70a126e80b2b3ae33eed961f83ed74d18fcd16909b2d44d7dada3203f1ffe726c17ef8dcca2dcaa9fca676987befeadc9b9f759967a8cb77181c0 && \
+    echo "$HASH apache-maven-3.6.3-bin.tar.gz" | sha512sum --check --status && \
+    tar xf apache-maven-3.6.3-bin.tar.gz -C /opt
+
+ENV M2_HOME="/opt/apache-maven-3.6.3"
+ENV MAVEN_HOME="/opt/apache-maven-3.6.3"
+ENV PATH="${MAVEN_HOME}/bin:${PATH}"
+
+RUN mvn -version
+
+COPY build_fosstars.sh /opt/build_fosstars.sh
+COPY cleanup_for_config_if_necessary.sh /opt/cleanup_for_config_if_necessary.sh
+COPY entrypoint.sh /opt/entrypoint.sh
+
+ENTRYPOINT [ "/opt/entrypoint.sh" ]

.github/actions/artifact-security-report-action/action.yml

@@ -0,0 +1,30 @@
+name: "Calculate Fosstars security ratings for open source projects"
+description: "The action calculates security ratings for a number of open source projects."
+inputs:
+  config-file:
+    description: "A path to a config file"
+    required: true
+  report-branch:
+    description: "A branch where the report is stored"
+    required: true
+    default: oss-artifact-security-report
+  fosstars-version:
+    description: "A version of Fosstars"
+    required: true
+    default: art-config
+  token:
+    description: "A GitHub token for accessing the repository"
+    required: true
+  cleanup:
+    description: "Tells the action to remove the old report and data"
+    required: false
+    default: No
+runs:
+  using: "docker"
+  image: "Dockerfile"
+  args:
+    - ${{ inputs.config-file }}
+    - ${{ inputs.report-branch }}
+    - ${{ inputs.fosstars-version }}
+    - ${{ inputs.token }}
+    - ${{ inputs.cleanup }}

.github/actions/artifact-security-report-action/build_fosstars.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+old_directory=$(pwd)
+git clone https://github.com/sourabhsparkala/fosstars-rating-core && \
+    cd fosstars-rating-core && \
+    git checkout $FOSSTARS_VERSION && \
+    mvn package -ntp -DskipTests -Dcheckstyle.skip -Dmaven.javadoc.skip
+code=$?
+cd ${old_directory}
+exit $code

.github/actions/artifact-security-report-action/cleanup_for_config_if_necessary.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+if [ "$CLEANUP" == "Yes" ]; then
+  echo "Remove the old report and data"
+  echo "Remove .fosstars"
+  rm -rf .fosstars > /dev/null 2>&1
+
+  echo "Remove Markdown files"
+  for file in $(find . -name "*.md")
+  do
+    rm $file > /dev/null 2>&1
+  done
+
+  echo "Remove JSON files"
+  for file in $(find . -name "*.json")
+  do
+    rm $file > /dev/null 2>&1
+  done
+fi

.github/actions/artifact-security-report-action/entrypoint.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+
+export CONFIG=$1
+export REPORT_BRANCH=$2
+export FOSSTARS_VERSION=$3
+export TOKEN=$4
+export CLEANUP=$5
+
+if [ "$CONFIG" = "" ]; then
+    echo "Oops! No config file provided!"
+    exit 1
+fi
+
+if [ "$REPORT_BRANCH" = "" ]; then
+    echo "Oops! No branch provided!"
+    exit 1
+fi
+
+if [ "$FOSSTARS_VERSION" = "" ]; then
+    echo "Oops! No Fosstars version provided!"
+    exit 1
+fi
+
+if [ "$TOKEN" = "" ]; then
+    echo "Oops! No token provided!"
+    exit 1
+fi
+
+# Switch to the branch where the report should be stored
+OLD_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+git fetch origin $REPORT_BRANCH || git branch $REPORT_BRANCH
+git checkout $REPORT_BRANCH
+if [ $? -ne 0 ]; then
+    echo "Could not switch to branch '$REPORT_BRANCH'"
+    echo "Did you fortet to run 'actions/checkout' step in your workflow?"
+    exit 1
+fi
+
+status=0
+while true
+do
+	bash /opt/cleanup_for_config_if_necessary.sh
+
+  bash /opt/build_fosstars.sh
+  if [ $? -ne 0 ]; then
+    status=1
+    echo "Oops! Could not build Fosstars!"
+    break
+  fi
+
+  # Generate a report
+  echo "" > report.log
+  java -jar -Xms2048M -Xmx2048M \
+            fosstars-rating-core/target/fosstars-github-rating-calc.jar \
+            --config $CONFIG \
+            --token $TOKEN \
+            --rating oss-artifact-security \
+            --cleanup \
+            --verbose 2>&1 | tee report.log
+
+  if [ ${PIPESTATUS[0]} -ne 0 ]; then
+    status=1
+    echo "Oops! Fosstars failed!"
+    break
+  fi
+
+  if grep -i exception report.log > /dev/null 2>&1; then
+    echo "Achtung! Looks like there were some errors, check out report.log"
+  fi
+
+  rm -rf .fosstars > /dev/null 2>&1
+  rm -rf report.log > /dev/null 2>&1
+  rm -rf fosstars-rating-core > /dev/null 2>&1
+
+  # Commit the report
+  git config --global user.name "Fosstars"
+  git config --global user.email "[email protected]"
+
+  git add --all
+  git commit -am "Update Fosstars security report for $CONFIG"
+  if [ $? -ne 0 ]; then
+    echo "Could not commit anything"
+  else
+    git remote set-url origin https://x-access-token:[email protected]/$GITHUB_REPOSITORY
+    git push origin $REPORT_BRANCH
+  fi
+
+	break
+done
+
+# Restore the original branch
+git checkout $OLD_BRANCH
+
+exit $status

.github/workflows/oss-artifacts-security-label-thresholds.yml

@@ -0,0 +1,13 @@
+name: "Calculate label thresholds for artifact"
+on: workflow_dispatch
+
+jobs:
+  thresholds:
+    runs-on: ubuntu-latest
+    name: "Calculate label thresholds"
+    steps:
+      - uses: actions/[email protected]
+      - uses: ./.github/actions/artifact-security-label-threshold-action
+        with:
+          input-file: maven_artifacts.json
+          fosstars-version: art-config

.github/workflows/oss-artifacts-security-report.yml

@@ -0,0 +1,14 @@
+name: "Fosstars OSS artifact security report"
+on: workflow_dispatch
+
+jobs:
+  other:
+    runs-on: ubuntu-latest
+    name: "Other artifacts"
+    steps:
+      - uses: actions/[email protected]
+      - uses: ./.github/actions/artifact-security-report-action
+        with:
+          config-file: artifacts.yml
+          token: ${{ secrets.GITHUB_TOKEN }}
+          cleanup: Yes

checkstyle-suppressions.xml

@@ -54,6 +54,12 @@
   <suppress checks="AbbreviationAsWordInName"
     files="GAV.java"
     lines="12"/>
+  <suppress checks="AbbreviationAsWordInName"
+    files="AbstractReporter.java"
+    lines="35"/>
+  <suppress checks="MemberName"
+    files="AbstractReporter.java"
+    lines="35"/>
   <suppress checks="LineLength"
     files="package-info.java"
     lines="142"/>