From 5545354ff4ff3e3bc9a4e0991180b293ba23a1e7 Mon Sep 17 00:00:00 2001
From: samatstarion
Date: Sun, 20 Oct 2024 11:54:04 +0200
Subject: [PATCH] [Add] Github actions
---
.github/workflows/CodeQuality.yml | 54 +++++++++++++++++++++
.github/workflows/codeql.yml | 49 +++++++++++++++++++
.github/workflows/nuget-reference-check.yml | 47 ++++++++++++++++++
.github/workflows/semgrep.yml | 43 ++++++++++++++++
EcoreNettoWebSite..sln.DotSettings | 27 -----------
5 files changed, 193 insertions(+), 27 deletions(-)
create mode 100644 .github/workflows/CodeQuality.yml
create mode 100644 .github/workflows/codeql.yml
create mode 100644 .github/workflows/nuget-reference-check.yml
create mode 100644 .github/workflows/semgrep.yml
delete mode 100644 EcoreNettoWebSite..sln.DotSettings
diff --git a/.github/workflows/CodeQuality.yml b/.github/workflows/CodeQuality.yml
new file mode 100644
index 0000000..0bd11bd
--- /dev/null
+++ b/.github/workflows/CodeQuality.yml
@@ -0,0 +1,54 @@
+name: Build & Test & SonarQube
+
+on:
+ push:
+ branches:
+ - '**'
+ tags-ignore:
+ - 'web-*'
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: '17'
+ overwrite-settings: false
+
+ - name: Setup .NET Core
+ uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: '8.0.x'
+
+ - name: Restore dependencies
+ run: dotnet restore EcoreNettoWebsite.sln
+
+ - name: Sonarqube Begin
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: |
+ dotnet tool install --global dotnet-sonarscanner
+ dotnet sonarscanner begin /k:"STARIONGROUP_EcoreNettoWebsite" /o:"stariongroup" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.opencover.reportsPaths="./CoverageResults/coverage.opencover.xml"
+
+ - name: Build
+ run: dotnet build --no-restore /p:ContinuousIntegrationBuild=true
+
+ - name: Test with the dotnet CLI
+ run: dotnet test --no-build --verbosity normal --filter /p:CollectCoverage=true /p:CoverletOutput=../CoverageResults/ /p:MergeWith="../CoverageResults/coverage.json" /p:CoverletOutputFormat=\"opencover,json\" -m:1
+
+ - name: Sonarqube end
+ run: dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..df7b3b6
--- /dev/null
+++ b/.github/workflows/codeql.yml
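Review bot: In the "Test with the dotnet CLI" step, `--filter /p:CollectCoverage=true` appears to hand the MSBuild property to `--filter` as the test-case filter expression, so coverage collection is probably never switched on and the `./CoverageResults/coverage.opencover.xml` that the Sonar begin step points at is unlikely to exist; dropping `--filter` so the line reads `dotnet test --no-build --verbosity normal /p:CollectCoverage=true /p:CoverletOutput=../CoverageResults/ ...` is the fix I would expect. The Sonar begin step also interpolates `${{ secrets.SONAR_TOKEN }}` directly into the shell script even though the same value is already exported as `SONAR_TOKEN` in `env`; referencing `/d:sonar.token="$SONAR_TOKEN"` (and exporting it to the end step the same way) keeps the secret out of the script text and avoids the expression-injection pattern. The begin step passes the credential as `sonar.token` while the end step uses `sonar.login`; the two should agree, and newer scanner releases treat `sonar.login` as the deprecated spelling — confirm against the scanner version installed. Unlike codeql.yml, this workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope; `permissions: contents: read` (plus `pull-requests: read` if PR decoration needs it) would narrow it. All four workflows reference actions by floating major tags (`actions/checkout@v4`, `actions/setup-dotnet@v4`, `github/codeql-action/...@v3`); pinning each to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening, and the same applies to codeql.yml, nuget-reference-check.yml and semgrep.yml.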
@@ -0,0 +1,49 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches:
+ - '**'
+ tags-ignore:
+ - 'web-*'
+ pull_request:
+ schedule:
+ - cron: '42 2 * * 3'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'csharp' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Setup .NET Core
+ uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: 8.0.x
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Install dependencies
+ run: dotnet restore EcoreNettoWebsite.sln
+
+ - name: Build
+ run: dotnet build EcoreNettoWebsite.sln --no-restore
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/nuget-reference-check.yml b/.github/workflows/nuget-reference-check.yml
new file mode 100644
index 0000000..f7f832f
--- /dev/null
+++ b/.github/workflows/nuget-reference-check.yml
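Review bot: Triggering on `push` for every branch (`branches: - '**'`) and on `pull_request` at the same time means each commit on a PR branch is analysed twice, which doubles CodeQL runtime and produces duplicate code-scanning results for the same SHA; either restrict `push` to the default branch or add `concurrency: group: ${{ github.workflow }}-${{ github.ref }}` with `cancel-in-progress: true` so superseded runs are cancelled. `dotnet-version: 8.0.x` is written unquoted here while CodeQuality.yml quotes the same value as `'8.0.x'`; it parses as a string either way, but the two files should pick one form. The `fail-fast: false` matrix with a single `'csharp'` entry is harmless but carries no information; a one-line comment noting the matrix exists so more languages can be added later would explain why it is kept.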
@@ -0,0 +1,47 @@
+name: "nuget package reference check"
+
+on:
+ push:
+ pull_request:
+ schedule:
+ - cron: '0 8 * * *'
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ # We must fetch at least the immediate parents so that if this is
+ # a pull request then we can checkout the head.
+ fetch-depth: 2
+
+ - name: Setup .NET Environment
+ uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: 8.0.x
+
+ - name: Restore dependencies
+ run: dotnet restore EcoreNettoWebsite.sln
+
+ - name: Build
+ run: dotnet build EcoreNettoWebsite.sln --no-restore /p:ContinuousIntegrationBuild=true
+
+ - name: Checking NuGet vulnerabilites
+ run: |
+ set -e
+ dotnet list EcoreNettoWebsite.sln package --outdated --include-transitive
+
+ dotnet list EcoreNettoWebsite.sln package --deprecated --include-transitive
+
+ dotnet list EcoreNettoWebsite.sln package --vulnerable --include-transitive 2>&1 | tee vulnerabilities.log
+
+ echo "Analyze dotnet list package command log output..."
+ if grep -q -i "\bcritical\b\|\bhigh\b\|\bmoderate\b\|\blow\b" vulnerabilities.log; then
+ echo "Security Vulnerabilities found"
+ exit 1
+ else
+ echo "No Security Vulnerabilities found"
+ exit 0
+ fi
\ No newline at end of file
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000..bc81127
--- /dev/null
+++ b/.github/workflows/semgrep.yml
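Review bot: The pipeline `dotnet list EcoreNettoWebsite.sln package --vulnerable --include-transitive 2>&1 | tee vulnerabilities.log` in the "Checking NuGet vulnerabilites" step runs under `set -e` without `pipefail`, so if `dotnet list` itself fails (feed unreachable, restore error) the pipeline's exit status is `tee`'s success, the log contains no severity word, and the step prints "No Security Vulnerabilities found" and exits 0 — an audit that never ran passes; change the first line to `set -eo pipefail` (or test the command's own exit status) so a failed scan cannot report clean. The `grep -q -i "\bcritical\b\|\bhigh\b\|\bmoderate\b\|\blow\b"` match also fires on those words anywhere in the captured output, including package ids or advisory text, so it may over- or under-report; anchoring on the severity column, or using the SDK's `--format json` output if the installed SDK supports it, would make the verdict deterministic — worth confirming against a sample log. The step name has a typo: `vulnerabilites` → `vulnerabilities`. The file ends without a trailing newline (`\ No newline at end of file`); yamllint's `new-line-at-end-of-file` will flag it.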
@@ -0,0 +1,43 @@
+name: Semgrep OWASP Top Ten
+
+on:
+ push:
+ branches:
+ - '**'
+ tags-ignore:
+ - '*'
+ pull_request:
+ schedule:
+ - cron: '42 2 * * 3'
+
+jobs:
+
+ semgrep-full:
+ runs-on: ubuntu-latest
+ container:
+ image: semgrep/semgrep
+
+ steps:
+
+ - name: clone application source code
+ uses: actions/checkout@v4
+ with:
+ # We must fetch at least the immediate parents so that if this is
+ # a pull request then we can checkout the head.
+ fetch-depth: 2
+
+ - name: full scan
+ run: |
+ semgrep scan --config "https://semgrep.dev/p/owasp-top-ten" --sarif --output=semgrep-sast.sarif --metrics=off
+
+ - name: save report as pipeline artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: semgrep-sast.sarif
+ path: semgrep-sast.sarif
+
+ - name: publish code scanning alerts
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: semgrep-sast.sarif
+ category: semgrep
\ No newline at end of file
diff --git a/EcoreNettoWebSite..sln.DotSettings b/EcoreNettoWebSite..sln.DotSettings
deleted file mode 100644
index 2e46586..0000000
--- a/EcoreNettoWebSite..sln.DotSettings
+++ /dev/null
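Review bot: The "publish code scanning alerts" step uses `github/codeql-action/upload-sarif@v3`, which needs `security-events: write` on the job token, but unlike codeql.yml the `semgrep-full` job declares no `permissions:` block, so the upload succeeds only if the repository's default `GITHUB_TOKEN` happens to be write-scoped; add `permissions: contents: read` and `security-events: write` under `semgrep-full` so the workflow does not depend on repository-level defaults (and note it will still fail on pull requests from forks, where the token is read-only). `container: image: semgrep/semgrep` has no tag or digest, so every run pulls whatever the registry currently serves as the default tag and the scanner version is not reproducible; pin a version tag, or better a `@sha256:` digest with the version in a comment. The file ends without a trailing newline (`\ No newline at end of file`).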
@@ -1,27 +0,0 @@ - - Field, Property, Event, Method - True - ------------------------------------------------------------------------------------------------- -<copyright file="${File.FileName}" company="Starion Group S.A"> - - Copyright 2017-2024 Starion Group S.A. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -</copyright> ------------------------------------------------------------------------------------------------- - <Policy Inspect="True" Prefix="" Suffix="" Style="aaBb" /> - <Policy><Descriptor Staticness="Static" AccessRightKinds="Private" Description="Static fields (private)"><ElementKinds><Kind Name="FIELD" /></ElementKinds></Descriptor><Policy Inspect="True" Prefix="" Suffix="" Style="aaBb" /></Policy> - True - True - True \ No newline at end of file