From a831ba320ffaa5d10becf19584989e1f0684e00b Mon Sep 17 00:00:00 2001 From: makotokosh <67721801+makotokosh@users.noreply.github.com> Date: Mon, 30 Jan 2023 17:05:29 +0900 Subject: [PATCH 01/51] Create synopsys.yml Test demo version of SYnopsys GH Actions --- .github/workflows/synopsys.yml | 73 ++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 .github/workflows/synopsys.yml diff --git a/.github/workflows/synopsys.yml b/.github/workflows/synopsys.yml new file mode 100644 index 00000000..f1b0bc8b --- /dev/null +++ b/.github/workflows/synopsys.yml 
@@ -0,0 +1,73 @@ +name: Synopsys AST + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the "main" branch + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +permissions: + issues: write + pull-requests: write + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "build" + synopsys: + # The type of runner that the job will run on + runs-on: ip-172-31-30-139 + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v3 + + # Run a full analysis on pushes to main branch(es), including generating new fix PRs + - name: Synopsys AST (Full) + if: ${{ github.event_name == 'push' }} + uses: synopsys-sig/synopsys-action@main + with: + # For demo purposes only + bridge_download_url: ${{ env.LINUX_BRIDGE_URL }} + + coverity_url: ${{ secrets.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} + coverity_project_name: ${{ github.event.repository.name }} + coverity_stream_name: ${{ github.event.repository.name }} + + blackduck_url: ${{ secrets.BLACKDUCK_URL }} + blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} + blackduck_automation_fixpr: true + blackduck_scan_full: true + env: + LINUX_BRIDGE_URL: "https://artifactory.internal.synopsys.com/artifactory/clops-local/clops.sig.synopsys.com/synopsys-action/0.1.162-demo-only/ci-package-0.1.162-demo-only-linux64.zip" + GITHUB_TOKEN: ${{ github.token }} + + - name: Synopsys AST (Incremental) + if: ${{ github.event_name == 'pull_request' }} + uses: synopsys-sig/synopsys-action@main + with: + # For demo purposes only + bridge_download_url: ${{ env.LINUX_BRIDGE_URL 
}} + + coverity_url: ${{ secrets.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} + coverity_project_name: ${{ github.event.repository.name }} + coverity_stream_name: ${{ github.event.repository.name }} + + blackduck_url: ${{ secrets.BLACKDUCK_URL }} + blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} + blackduck_scan_full: false + env: + LINUX_BRIDGE_URL: "https://artifactory.internal.synopsys.com/artifactory/clops-local/clops.sig.synopsys.com/synopsys-action/0.1.162-demo-only/ci-package-0.1.162-demo-only-linux64.zip" + BRIDGE_GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }} + BRIDGE_COVERITY_CONNECT_RESULTS_INTEGRATION_ENABLED: true + BRIDGE_BLACKDUCK_RESULTS_INTEGRATION_ENABLED: true + GITHUB_TOKEN: ${{ github.token }} From 0e3930ee5ae544ad512739ebcd5ea1f2434fb219 Mon Sep 17 00:00:00 2001 From: makotokosh <67721801+makotokosh@users.noreply.github.com> Date: Mon, 30 Jan 2023 17:12:25 +0900 Subject: [PATCH 02/51] Update synopsys.yml to appoint self-hosted runner --- .github/workflows/synopsys.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/synopsys.yml b/.github/workflows/synopsys.yml index f1b0bc8b..bb460295 100644 --- a/.github/workflows/synopsys.yml +++ b/.github/workflows/synopsys.yml @@ -20,7 +20,7 @@ jobs: # This workflow contains a single job called "build" synopsys: # The type of runner that the job will run on - runs-on: ip-172-31-30-139 + runs-on: [self-hosted, linux, X64] # Steps represent a sequence of tasks that will be executed as part of the job steps: From ee73306454e464b6d5e08c970d43f4a49b70c819 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Mon, 30 Jan 2023 17:37:57 +0900 Subject: [PATCH 03/51] Very minor log string modification for GHActions test --- src/main/java/org/joychou/util/JwtUtils.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
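Review bot: The `pull_request` trigger together with `runs-on: ip-172-31-30-139` means code from any pull request (from forks too, if the repository is public) is checked out and scanned on a persistent self-hosted machine, and patch 02's `runs-on: [self-hosted, linux, X64]` keeps the same exposure. GitHub-hosted or ephemeral runners, or leaving `pull_request` off the job that uses the self-hosted label, would contain this. `uses: synopsys-sig/synopsys-action@main` tracks a mutable branch, so the code that receives the Coverity and Black Duck credentials can change without a commit here; pin it to a release tag or full commit SHA, e.g. `uses: synopsys-sig/synopsys-action@<release-tag-or-commit-sha>`. The two `LINUX_BRIDGE_URL` values point at `artifactory.internal.synopsys.com` and are labelled demo-only, so the bridge download will not resolve outside that network.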
diff --git a/src/main/java/org/joychou/util/JwtUtils.java b/src/main/java/org/joychou/util/JwtUtils.java index bb33642e..dbfb5c20 100644 --- a/src/main/java/org/joychou/util/JwtUtils.java +++ b/src/main/java/org/joychou/util/JwtUtils.java @@ -85,7 +85,7 @@ public static Boolean verifyTokenByJavaJwt(String token) { public static String getNicknameByJavaJwt(String token) { // If the signature is not verified, there will be security issues. if (!verifyTokenByJavaJwt(token)) { - log.error("token is invalid"); + log.error("Token is invalid"); return null; } return JWT.decode(token).getClaim("nickname").asString(); From 0c09cc63e1e01b093825d9347108d4afc9665066 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Mon, 30 Jan 2023 17:51:12 +0900 Subject: [PATCH 04/51] Modified target branch name for GH Actions --- .github/workflows/synopsys.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/synopsys.yml b/.github/workflows/synopsys.yml index bb460295..4798ea8d 100644 --- a/.github/workflows/synopsys.yml +++ b/.github/workflows/synopsys.yml @@ -4,9 +4,9 @@ name: Synopsys AST on: # Triggers the workflow on push or pull request events but only for the "main" branch push: - branches: [ "main" ] + branches: [ "master" ] pull_request: - branches: [ "main" ] + branches: [ "master" ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: From 3a7973b850321ffb2a39f314724a444b84c54916 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Mon, 30 Jan 2023 20:28:37 +0900 Subject: [PATCH 05/51] Modified Bridge URL for enabling test --- .github/workflows/synopsys.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/synopsys.yml b/.github/workflows/synopsys.yml index 4798ea8d..f8859984 100644 --- a/.github/workflows/synopsys.yml +++ b/.github/workflows/synopsys.yml 
@@ -46,7 +46,8 @@ jobs: blackduck_automation_fixpr: true blackduck_scan_full: true env: - LINUX_BRIDGE_URL: "https://artifactory.internal.synopsys.com/artifactory/clops-local/clops.sig.synopsys.com/synopsys-action/0.1.162-demo-only/ci-package-0.1.162-demo-only-linux64.zip" + #LINUX_BRIDGE_URL: "https://artifactory.internal.synopsys.com/artifactory/clops-local/clops.sig.synopsys.com/synopsys-action/0.1.162-demo-only/ci-package-0.1.162-demo-only-linux64.zip" + LINUX_BRIDGE_URL: "https://sig-repo.synopsys.com/artifactory/bds-integrations-release/com/synopsys/integration/synopsys-action/0.1.72/ci-package-0.1.72-linux64.zip" GITHUB_TOKEN: ${{ github.token }} - name: Synopsys AST (Incremental) @@ -66,7 +67,8 @@ jobs: blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} blackduck_scan_full: false env: - LINUX_BRIDGE_URL: "https://artifactory.internal.synopsys.com/artifactory/clops-local/clops.sig.synopsys.com/synopsys-action/0.1.162-demo-only/ci-package-0.1.162-demo-only-linux64.zip" + #LINUX_BRIDGE_URL: "https://artifactory.internal.synopsys.com/artifactory/clops-local/clops.sig.synopsys.com/synopsys-action/0.1.162-demo-only/ci-package-0.1.162-demo-only-linux64.zip" + LINUX_BRIDGE_URL: "https://sig-repo.synopsys.com/artifactory/bds-integrations-release/com/synopsys/integration/synopsys-action/0.1.72/ci-package-0.1.72-linux64.zip" BRIDGE_GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }} BRIDGE_COVERITY_CONNECT_RESULTS_INTEGRATION_ENABLED: true BRIDGE_BLACKDUCK_RESULTS_INTEGRATION_ENABLED: true From a80b76337425954ab54bd4c7bb8d146f603ab7a3 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Mon, 30 Jan 2023 20:43:21 +0900 Subject: [PATCH 06/51] Modified GHActions yaml file for enabling test --- .github/workflows/synopsys.yml | 89 ++++++++++++---------------------- 1 file changed, 30 insertions(+), 59 deletions(-) diff --git a/.github/workflows/synopsys.yml b/.github/workflows/synopsys.yml index f8859984..698a6747 100644 --- a/.github/workflows/synopsys.yml 
+++ b/.github/workflows/synopsys.yml 
@@ -1,75 +1,46 @@ -name: Synopsys AST +name: Synopsys Security Testing -# Controls when the workflow will run on: - # Triggers the workflow on push or pull request events but only for the "main" branch push: - branches: [ "master" ] - pull_request: - branches: [ "master" ] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: + branches: [ master, main ] -permissions: - issues: write - pull-requests: write + pull_request: + branches: [ master, main ] -# A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: - # This workflow contains a single job called "build" - synopsys: - # The type of runner that the job will run on + build: runs-on: [self-hosted, linux, X64] - - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 - - # Run a full analysis on pushes to main branch(es), including generating new fix PRs - - name: Synopsys AST (Full) - if: ${{ github.event_name == 'push' }} - uses: synopsys-sig/synopsys-action@main + - name: Checkout + uses: actions/checkout@v2 + + - name: Synopsys Action + uses: synopsys-sig/synopsys-action@ with: - # For demo purposes only - bridge_download_url: ${{ env.LINUX_BRIDGE_URL }} - coverity_url: ${{ secrets.COVERITY_URL }} coverity_user: ${{ secrets.COVERITY_USER }} coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} - coverity_project_name: ${{ github.event.repository.name }} + # Many customers prefer to set their Coverity project and stream names to match + # the GitHub repository name + coverity_project_name: ${{ secrets.COVERITY_PROJECT_NAME }} coverity_stream_name: ${{ github.event.repository.name }} - - blackduck_url: ${{ secrets.BLACKDUCK_URL }} - blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} - blackduck_automation_fixpr: true - blackduck_scan_full: true - env: - #LINUX_BRIDGE_URL: 
"https://artifactory.internal.synopsys.com/artifactory/clops-local/clops.sig.synopsys.com/synopsys-action/0.1.162-demo-only/ci-package-0.1.162-demo-only-linux64.zip" - LINUX_BRIDGE_URL: "https://sig-repo.synopsys.com/artifactory/bds-integrations-release/com/synopsys/integration/synopsys-action/0.1.72/ci-package-0.1.72-linux64.zip" - GITHUB_TOKEN: ${{ github.token }} - - - name: Synopsys AST (Incremental) - if: ${{ github.event_name == 'pull_request' }} - uses: synopsys-sig/synopsys-action@main - with: - # For demo purposes only + # Optionally you may specify the ID number of a saved view to apply as a "break the build" policy. + # If any defects are found within this view when applied to the project, the build will be failed + # with an exit code. + #coverity_policy_view: 100001 + # Below fields are optional + coverity_repository_name: ${{ secrets.COVERITY_REPOSITORY_NAME }} + coverity_branch_name: ${{ secrets.COVERITY_BRANCH_NAME }} + + # Optional parameter to specify path to synopsys bridge. + # This can be used if you want to pre-configure your GitHub Runner with the + # Synopsys Bridge software + # The default is either /{user_home}/synopsys-bridge or in linux /usr/synopsys-bridge + #synopsys_bridge_path: "/path_to_bridge_executable" + + # Optional parameter, but usually specified - the location of the Synopsys Bridge software + # The Synopsys Bridge software distribution is platform specific - this must match the host OS + # of your runner. For example in this case, we are using the latest version for Linux. 
bridge_download_url: ${{ env.LINUX_BRIDGE_URL }} - - coverity_url: ${{ secrets.COVERITY_URL }} - coverity_user: ${{ secrets.COVERITY_USER }} - coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} - coverity_project_name: ${{ github.event.repository.name }} - coverity_stream_name: ${{ github.event.repository.name }} - - blackduck_url: ${{ secrets.BLACKDUCK_URL }} - blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} - blackduck_scan_full: false env: - #LINUX_BRIDGE_URL: "https://artifactory.internal.synopsys.com/artifactory/clops-local/clops.sig.synopsys.com/synopsys-action/0.1.162-demo-only/ci-package-0.1.162-demo-only-linux64.zip" LINUX_BRIDGE_URL: "https://sig-repo.synopsys.com/artifactory/bds-integrations-release/com/synopsys/integration/synopsys-action/0.1.72/ci-package-0.1.72-linux64.zip" - BRIDGE_GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }} - BRIDGE_COVERITY_CONNECT_RESULTS_INTEGRATION_ENABLED: true - BRIDGE_BLACKDUCK_RESULTS_INTEGRATION_ENABLED: true - GITHUB_TOKEN: ${{ github.token }} From 90854eca4a5edb574daa2fb8224fa935cc61fe9c Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Mon, 30 Jan 2023 20:46:24 +0900 Subject: [PATCH 07/51] Modified GHActions yaml file for enabling test attempt2 --- .github/workflows/synopsys.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/synopsys.yml b/.github/workflows/synopsys.yml index 698a6747..daee4465 100644 --- a/.github/workflows/synopsys.yml +++ b/.github/workflows/synopsys.yml @@ -15,7 +15,7 @@ jobs: uses: actions/checkout@v2 - name: Synopsys Action - uses: synopsys-sig/synopsys-action@ + uses: synopsys-sig/synopsys-action@main with: coverity_url: ${{ secrets.COVERITY_URL }} coverity_user: ${{ secrets.COVERITY_USER }} From be4e8ed6ddc92c805c9a045ed77e88378494041e Mon Sep 17 00:00:00 2001 
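Review bot: `uses: synopsys-sig/synopsys-action@` has an empty ref after the `@`, so the workflow cannot resolve the action and fails at job start; patch 07 changes it to `@main`, but that still leaves a third-party action on a mutable branch rather than a release tag or commit SHA. The checkout step also moves from `actions/checkout@v3` to `actions/checkout@v2` (the older Node 12 release), which looks like a template paste rather than a deliberate downgrade; `uses: actions/checkout@v3` keeps the previous behaviour. The comment above `coverity_project_name` says project and stream names match the repository name, yet the project name now comes from `secrets.COVERITY_PROJECT_NAME` while only the stream uses `github.event.repository.name`; either align the two inputs or reword the comment. The hunk also removes the `permissions:` block, which is fine while the job only reads secrets, but it should be re-added explicitly if a later step needs to write pull requests or issues.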
From: Makoto Koishi Date: Wed, 1 Feb 2023 16:30:07 +0900 Subject: [PATCH 08/51] Switch scanner to BlackDuck --- .github/workflows/synopsys.yml | 39 +++++++++++++++------------------- 1 file changed, 17 insertions(+), 22 deletions(-) diff --git a/.github/workflows/synopsys.yml b/.github/workflows/synopsys.yml index daee4465..401980db 100644 --- a/.github/workflows/synopsys.yml +++ b/.github/workflows/synopsys.yml 
@@ -17,30 +17,25 @@ jobs: - name: Synopsys Action uses: synopsys-sig/synopsys-action@main with: - coverity_url: ${{ secrets.COVERITY_URL }} - coverity_user: ${{ secrets.COVERITY_USER }} - coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} - # Many customers prefer to set their Coverity project and stream names to match - # the GitHub repository name - coverity_project_name: ${{ secrets.COVERITY_PROJECT_NAME }} - coverity_stream_name: ${{ github.event.repository.name }} - # Optionally you may specify the ID number of a saved view to apply as a "break the build" policy. - # If any defects are found within this view when applied to the project, the build will be failed - # with an exit code. - #coverity_policy_view: 100001 - # Below fields are optional - coverity_repository_name: ${{ secrets.COVERITY_REPOSITORY_NAME }} - coverity_branch_name: ${{ secrets.COVERITY_BRANCH_NAME }} - - # Optional parameter to specify path to synopsys bridge. - # This can be used if you want to pre-configure your GitHub Runner with the - # Synopsys Bridge software - # The default is either /{user_home}/synopsys-bridge or in linux /usr/synopsys-bridge - #synopsys_bridge_path: "/path_to_bridge_executable" + blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} + blackduck_url: ${{ secrets.BLACKDUCK_URL }} + + # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests + # will initiate a rapid scan. + blackduck_scan_full: false + # Required parameter if blackduck_automation_fixpr is enabled + # Make sure GITHUB_TOKEN have appropriate permissions + github_token: ${{ secrets.GH_TOKEN }} + # Optional parameter. By default, create fix pull requests if vulnerabilities are reported + # Passing false will disable fix pull request creation + blackduck_automation_fixpr: true + # Optional parameter. The values could be. 
ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED + # Single parameter + blackduck_scan_failure_severities: "[\"ALL\"]" + # multiple parameters + # blackduck_scan_failure_severities: "[\"BLOCKER\", \"CRITICAL\", \"TRIVIAL\"]" # Optional parameter, but usually specified - the location of the Synopsys Bridge software # The Synopsys Bridge software distribution is platform specific - this must match the host OS # of your runner. For example in this case, we are using the latest version for Linux. bridge_download_url: ${{ env.LINUX_BRIDGE_URL }} - env: - LINUX_BRIDGE_URL: "https://sig-repo.synopsys.com/artifactory/bds-integrations-release/com/synopsys/integration/synopsys-action/0.1.72/ci-package-0.1.72-linux64.zip" From 6201bc0aaf15610d14f22b6961a92303b15c7795 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 9 Mar 2023 10:54:18 +0900 Subject: [PATCH 09/51] First step for integration with Screwdriver cd --- screwdriver.yaml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 screwdriver.yaml diff --git a/screwdriver.yaml b/screwdriver.yaml new file mode 100644 index 00000000..3502e24c --- /dev/null +++ b/screwdriver.yaml 
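Review bot: The `env:` block that defined `LINUX_BRIDGE_URL` is removed, but the context line `bridge_download_url: ${{ env.LINUX_BRIDGE_URL }}` is kept, so the input now expands to an empty string; either restore the `env:` entry or drop the `bridge_download_url` input so the action falls back to its own default. `github_token: ${{ secrets.GH_TOKEN }}` hands the action a stored long-lived token; since it is only needed for `blackduck_automation_fixpr: true`, the run's own `${{ github.token }}` with an explicit job-level `permissions:` (presumably `contents: write` and `pull-requests: write` for fix PRs — confirm against the action's documentation) keeps the grant scoped to this run and visible in the workflow. `blackduck_scan_full: false` sits under a comment saying pushes get a full scan by default, and presumably forces rapid scans on pushes as well; if that is intended, the comment should say so.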
@@ -0,0 +1,61 @@ +# inherit. In our example, we state that all our Jobs will use the same Docker +# container for building in. +shared: + # Docker image to use as the desired build container. This typically takes the + # form of "repo_name". Alternatively, you can define the image as + # "repo_name:tag_label". + # + # (Source: https://hub.docker.com/r/library/buildpack-deps/) + image: mk-openjdk17-maven3-node16 + +# Job definition block +# "main" is a default job that all pipelines have +jobs: + # Jobs are defined by name. + # All pipelines have "main" implicitly defined. The definitions in your + # screwdriver.yaml file will override the implied defaults. + main: + # Requires is a single job name or array of job names that will trigger the job to run. + # Jobs defined with "requires: ~pr" are started by pull-request events. + # Jobs defined with "requires: ~commit" are started by push events. + # Jobs defined with "requires: ~sd@123:main" are started by job "main" from pipeline "123". + # Jobs defined with "requires: main" are started after "main" is done. + # Jobs defined with "requires: [deploy-west, deploy-east] are started after "deploy-west" and "deploy-east" are both done running successfully. + requires: [~pr, ~commit] + # Steps is the list of commands to execute. + steps: + # Each step takes the form "step_name: command_to_run". + # The "step_name" is a convenient label to reference it by. The + # "command_to_run" is the single command that is executed during this + # step. Environment variables will be passed between steps, within + # the same job (as shown below). + - export: export BRINGUP="We're bringing up the build env now!" + - console: echo $BRINGUP + # Metadata is a structured key/value storage of relevant information about a build. + # Metadata will be shared with subsequent builds in the same workflow. + # You can set any key using the command "meta set ". 
+ #- set-metadata: meta set example.coverage 99.95 + # We define another Job called "second_job". In this Job, we intend on running + # a different set of commands. + build: + requires: main + steps: + # The "make_target" step calls a Makefile target to perform some set of + # actions. This is incredibly useful when you need to perform a multi-line + # command. + - export: export BUILDING="We are building now!" + - console: echo $BUILDING + - clean: mvn clean + - build: mvn compile + # You can get metadata that was set using the command "meta get ". + #- get-metadata: meta get example + # The "run_arbitrary_script" executes a script. This is an alternative to + # a Makefile target where you want to run a series of commands related to + # this step + #- run_arbitrary_script: ./my_script.sh + test: + requires: build + steps: + - export: export TESTING="We are SASTing now!" + - console: echo $TESTING + - teardown-test: echo "Good-bye" From b891d05d87e7b3c5c871e3af26758c5fda978c92 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 9 Mar 2023 14:06:52 +0900 Subject: [PATCH 10/51] First step for integration with Screwdriver cd. Attempt-2 --- screwdriver.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 3502e24c..908ad07e 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml @@ -6,7 +6,7 @@ shared: # "repo_name:tag_label". # # (Source: https://hub.docker.com/r/library/buildpack-deps/) - image: mk-openjdk17-maven3-node16 + image: maven:3.8.5-openjdk-17-slim # Job definition block # "main" is a default job that all pipelines have 
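Review bot: The file opens mid-sentence with `# inherit. In our example, we state that all our Jobs will use the same Docker`, so the first line of the template's shared-block comment was lost; restore it or replace the fragment with `# Shared definition block: attributes that every job inherits.` `image: mk-openjdk17-maven3-node16` carries no registry, tag or digest, so it resolves to a mutable `latest` from the cluster's default registry and the build is not reproducible; pin a tag, ideally a digest. The `meta set` / `meta get` comments end without their arguments (`meta set <key> <value>`), which may be a rendering artifact of this page — verify the committed file. The `build` and `test` jobs keep template comments (`"second_job"`, `make_target`, `run_arbitrary_script`) that no longer describe the steps under them.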
@@ -31,6 +31,11 @@ jobs: # the same job (as shown below). - export: export BRINGUP="We're bringing up the build env now!" - console: echo $BRINGUP + - xz_utils: apt-get update && apt-get install -y xz-utils git + - mkdir: mkdir -p /opt/node + - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz | tar -xJf - -C /opt/node + - path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin" + - test: node --version # Metadata is a structured key/value storage of relevant information about a build. # Metadata will be shared with subsequent builds in the same workflow. # You can set any key using the command "meta set ". @@ -58,4 +63,5 @@ jobs: steps: - export: export TESTING="We are SASTing now!" - console: echo $TESTING - - teardown-test: echo "Good-bye" + - teardown-1: echo "Good-bye" + - teardown-2: rm -rf /var/lib/apt/lists/* From 7e8c00bf3c13b894cfbdcb7134e37259f26d4dfe Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 9 Mar 2023 14:57:03 +0900 Subject: [PATCH 11/51] Update screwdriver.yaml --- screwdriver.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 908ad07e..ec961d02 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml @@ -21,7 +21,7 @@ jobs: # Jobs defined with "requires: ~sd@123:main" are started by job "main" from pipeline "123". # Jobs defined with "requires: main" are started after "main" is done. # Jobs defined with "requires: [deploy-west, deploy-east] are started after "deploy-west" and "deploy-east" are both done running successfully. - requires: [~pr, ~commit] + # requires: [~pr, ~commit] # Steps is the list of commands to execute. steps: # Each step takes the form "step_name: command_to_run". From 65bdf11435e8ff3a31922b3b104d79c6f99e4b95 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 9 Mar 2023 15:05:26 +0900 Subject: [PATCH 12/51] Update screwdriver.yaml --- screwdriver.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
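Review bot: `- node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz | tar -xJf - -C /opt/node` extracts a downloaded archive with no integrity check, so a tampered or truncated download is installed silently; save the archive to a file, compare it against the release's published `SHASUMS256.txt` with `sha256sum -c`, and extract only on success. The same unverified download is carried through the later rewrites of this step in patches 17, 19 and 24. `- teardown-2: rm -rf /var/lib/apt/lists/*` lives in the `test` job while `apt-get update` ran in `main`; if each job gets its own container from the shared image, as the `shared:` comment suggests, the cleanup runs where apt never ran and is a no-op. `- path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin"` relies on `PATH` already being exported in the step shell, which is normally true but is clearer as `export PATH="${PATH}:..."`.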
diff --git a/screwdriver.yaml b/screwdriver.yaml index ec961d02..d3c1eefc 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml @@ -21,7 +21,7 @@ jobs: # Jobs defined with "requires: ~sd@123:main" are started by job "main" from pipeline "123". # Jobs defined with "requires: main" are started after "main" is done. # Jobs defined with "requires: [deploy-west, deploy-east] are started after "deploy-west" and "deploy-east" are both done running successfully. - # requires: [~pr, ~commit] + requires: [~commit] # Steps is the list of commands to execute. steps: # Each step takes the form "step_name: command_to_run". From 6914d7f61ab1ba96e7c537bb33568165c02ef9b1 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 9 Mar 2023 15:23:49 +0900 Subject: [PATCH 13/51] Update screwdriver.yaml --- screwdriver.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index d3c1eefc..908ad07e 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml @@ -21,7 +21,7 @@ jobs: # Jobs defined with "requires: ~sd@123:main" are started by job "main" from pipeline "123". # Jobs defined with "requires: main" are started after "main" is done. # Jobs defined with "requires: [deploy-west, deploy-east] are started after "deploy-west" and "deploy-east" are both done running successfully. - requires: [~commit] + requires: [~pr, ~commit] # Steps is the list of commands to execute. steps: # Each step takes the form "step_name: command_to_run". From cd4f04e9277db3a3a3e76a77a571cdbec3f3e915 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 9 Mar 2023 16:34:54 +0900 Subject: [PATCH 14/51] Update screwdriver.yaml --- screwdriver.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 908ad07e..60ce16d8 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml 
@@ -1,12 +1,12 @@ # inherit. In our example, we state that all our Jobs will use the same Docker # container for building in. -shared: +#shared: # Docker image to use as the desired build container. This typically takes the # form of "repo_name". Alternatively, you can define the image as # "repo_name:tag_label". # # (Source: https://hub.docker.com/r/library/buildpack-deps/) - image: maven:3.8.5-openjdk-17-slim + #image: maven:3.8.5-openjdk-17-slim # Job definition block # "main" is a default job that all pipelines have @@ -31,11 +31,11 @@ jobs: # the same job (as shown below). - export: export BRINGUP="We're bringing up the build env now!" - console: echo $BRINGUP - - xz_utils: apt-get update && apt-get install -y xz-utils git - - mkdir: mkdir -p /opt/node - - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz | tar -xJf - -C /opt/node - - path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin" - - test: node --version + #- xz_utils: apt-get update && apt-get install -y xz-utils git + #- mkdir: mkdir -p /opt/node + #- node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz | tar -xJf - -C /opt/node + #- path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin" + #- test: node --version # Metadata is a structured key/value storage of relevant information about a build. # Metadata will be shared with subsequent builds in the same workflow. # You can set any key using the command "meta set ". @@ -50,8 +50,8 @@ jobs: # command. - export: export BUILDING="We are building now!" - console: echo $BUILDING - - clean: mvn clean - - build: mvn compile + #- clean: mvn clean + #- build: mvn compile # You can get metadata that was set using the command "meta get ". #- get-metadata: meta get example # The "run_arbitrary_script" executes a script. This is an alternative to From b89a40f0eacaa058ca916f7bda4cec88342c7dc9 Mon Sep 17 00:00:00 2001 
From: Makoto Koishi Date: Thu, 9 Mar 2023 16:38:46 +0900 Subject: [PATCH 15/51] Update screwdriver.yaml --- screwdriver.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 60ce16d8..1aab80c0 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml @@ -1,12 +1,13 @@ # inherit. In our example, we state that all our Jobs will use the same Docker # container for building in. -#shared: +shared: # Docker image to use as the desired build container. This typically takes the # form of "repo_name". Alternatively, you can define the image as # "repo_name:tag_label". # # (Source: https://hub.docker.com/r/library/buildpack-deps/) #image: maven:3.8.5-openjdk-17-slim + image: buildpack-deps # Job definition block # "main" is a default job that all pipelines have From a1b3d7f02212925d45128869f43dcfbd720a287d Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 9 Mar 2023 17:00:35 +0900 Subject: [PATCH 16/51] Update screwdriver.yaml --- screwdriver.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 1aab80c0..80166375 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml @@ -6,8 +6,7 @@ shared: # "repo_name:tag_label". # # (Source: https://hub.docker.com/r/library/buildpack-deps/) - #image: maven:3.8.5-openjdk-17-slim - image: buildpack-deps + image: maven:3.8.5-openjdk-17 # Job definition block # "main" is a default job that all pipelines have From 29dbe6b2fddf506572d6ec0de627f53a1454be40 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 9 Mar 2023 17:03:04 +0900 Subject: [PATCH 17/51] Update screwdriver.yaml --- screwdriver.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 80166375..2dc94d5c 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml 
@@ -31,11 +31,11 @@ jobs: # the same job (as shown below). - export: export BRINGUP="We're bringing up the build env now!" - console: echo $BRINGUP - #- xz_utils: apt-get update && apt-get install -y xz-utils git - #- mkdir: mkdir -p /opt/node - #- node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz | tar -xJf - -C /opt/node - #- path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin" - #- test: node --version + - xz_utils: apt-get update && apt-get install -y xz-utils git + - mkdir: mkdir -p /opt/node + - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz | tar -xJf - -C /opt/node + - path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin" + - test: node --version # Metadata is a structured key/value storage of relevant information about a build. # Metadata will be shared with subsequent builds in the same workflow. # You can set any key using the command "meta set ". @@ -50,8 +50,7 @@ jobs: # command. - export: export BUILDING="We are building now!" - console: echo $BUILDING - #- clean: mvn clean - #- build: mvn compile + - build: mvn clean compile # You can get metadata that was set using the command "meta get ". #- get-metadata: meta get example # The "run_arbitrary_script" executes a script. This is an alternative to From b4c56c52f1f017ff8617a7e909a55e45a9a54f27 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 9 Mar 2023 17:07:21 +0900 Subject: [PATCH 18/51] Update screwdriver.yaml --- screwdriver.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 2dc94d5c..639b4737 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml 
@@ -31,7 +31,7 @@ jobs: # the same job (as shown below). - export: export BRINGUP="We're bringing up the build env now!" - console: echo $BRINGUP - - xz_utils: apt-get update && apt-get install -y xz-utils git + #- xz_utils: apt-get update && apt-get install -y xz-utils git - mkdir: mkdir -p /opt/node - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz | tar -xJf - -C /opt/node - path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin" From 04489d8b7feb01b2ffa6385192b5f7c802baa703 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 9 Mar 2023 21:49:01 +0900 Subject: [PATCH 19/51] Update screwdriver.yaml --- screwdriver.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 639b4737..742f66d3 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml @@ -33,7 +33,8 @@ jobs: - console: echo $BRINGUP #- xz_utils: apt-get update && apt-get install -y xz-utils git - mkdir: mkdir -p /opt/node - - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz | tar -xJf - -C /opt/node + - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz -o /opt/node/node-v16.16.0-linux-x64.tar.xz + - tar: tar -xJf /opt/node/node-v16.16.0-linux-x64.tar.xz - path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin" - test: node --version # Metadata is a structured key/value storage of relevant information about a build. From 0afed1bdd0153ad44ac82a179159acbee3e61810 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 9 Mar 2023 21:51:01 +0900 Subject: [PATCH 20/51] Update screwdriver.yaml --- screwdriver.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 742f66d3..a38acad4 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml 
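Review bot: In patch 19's hunk, `- tar: tar -xJf /opt/node/node-v16.16.0-linux-x64.tar.xz` drops the `-C /opt/node` that the piped form had, so the archive is unpacked into the step's working directory while `- path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin"` still points under `/opt/node`; the following `node --version` will not find the binary. Use `tar -xJf /opt/node/node-v16.16.0-linux-x64.tar.xz -C /opt/node`. The saved file is still extracted without a checksum comparison, as noted on patch 10.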
@@ -31,7 +31,7 @@ jobs: # the same job (as shown below). - export: export BRINGUP="We're bringing up the build env now!" - console: echo $BRINGUP - #- xz_utils: apt-get update && apt-get install -y xz-utils git + - xz_utils: apt-get update && apt-get install -y xz-utils git - mkdir: mkdir -p /opt/node - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz -o /opt/node/node-v16.16.0-linux-x64.tar.xz - tar: tar -xJf /opt/node/node-v16.16.0-linux-x64.tar.xz From 7782f5874ddf865ae1796d83b691482f84ec3b30 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Fri, 10 Mar 2023 08:31:14 +0900 Subject: [PATCH 21/51] Update screwdriver.yaml --- screwdriver.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index a38acad4..e08166ec 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml @@ -31,7 +31,9 @@ jobs: # the same job (as shown below). - export: export BRINGUP="We're bringing up the build env now!" - console: echo $BRINGUP - - xz_utils: apt-get update && apt-get install -y xz-utils git + - sleep: sleep 300 + - apt-update: apt-get update + - xzutils-install: apt-get install -y xz-utils git - mkdir: mkdir -p /opt/node - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz -o /opt/node/node-v16.16.0-linux-x64.tar.xz - tar: tar -xJf /opt/node/node-v16.16.0-linux-x64.tar.xz From 9f5567e9203b34bc7eb380dda7975642e4dbdf98 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Fri, 10 Mar 2023 08:43:38 +0900 Subject: [PATCH 22/51] Update screwdriver.yaml --- screwdriver.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index e08166ec..071d48bc 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml 
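Review bot: `- sleep: sleep 300` in patch 21's hunk stalls every build for five minutes before `apt-get update`, and nothing in the commit says what it waits for; it reads as a debugging aid and should be removed or replaced by a comment naming the dependency it covers. If the intent is to ride out a flaky package mirror, a bounded retry such as `for i in 1 2 3; do apt-get update && break; sleep 10; done` fails fast and documents itself.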
@@ -6,7 +6,7 @@ shared: # "repo_name:tag_label". # # (Source: https://hub.docker.com/r/library/buildpack-deps/) - image: maven:3.8.5-openjdk-17 + image: maven:3.8.5-openjdk-17-slim # Job definition block # "main" is a default job that all pipelines have From 9c12224bc8b7458840b92095e26ba4cdb173be33 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Fri, 10 Mar 2023 08:48:09 +0900 Subject: [PATCH 23/51] Update screwdriver.yaml --- screwdriver.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 071d48bc..7f17480c 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml @@ -6,7 +6,7 @@ shared: # "repo_name:tag_label". # # (Source: https://hub.docker.com/r/library/buildpack-deps/) - image: maven:3.8.5-openjdk-17-slim + image: maven:3.8.5-openjdk-17 # Job definition block # "main" is a default job that all pipelines have @@ -32,8 +32,8 @@ jobs: - export: export BRINGUP="We're bringing up the build env now!" - console: echo $BRINGUP - sleep: sleep 300 - - apt-update: apt-get update - - xzutils-install: apt-get install -y xz-utils git + #- apt-update: apt-get update + #- xzutils-install: apt-get install -y xz-utils git - mkdir: mkdir -p /opt/node - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz -o /opt/node/node-v16.16.0-linux-x64.tar.xz - tar: tar -xJf /opt/node/node-v16.16.0-linux-x64.tar.xz From f2599eeba02e4451f8cf9ac856e098e21d6d74ff Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Fri, 10 Mar 2023 09:28:54 +0900 Subject: [PATCH 24/51] Update screwdriver.yaml --- screwdriver.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 7f17480c..983d737b 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml 
@@ -31,12 +31,12 @@ jobs: # the same job (as shown below). - export: export BRINGUP="We're bringing up the build env now!" - console: echo $BRINGUP - - sleep: sleep 300 + #- sleep: sleep 300 #- apt-update: apt-get update #- xzutils-install: apt-get install -y xz-utils git - mkdir: mkdir -p /opt/node - - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.xz -o /opt/node/node-v16.16.0-linux-x64.tar.xz - - tar: tar -xJf /opt/node/node-v16.16.0-linux-x64.tar.xz + - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.gz -o /opt/node/node-v16.16.0-linux-x64.tar.gz + - tar: tar -xzf /opt/node/node-v16.16.0-linux-x64.tar.xz - path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin" - test: node --version # Metadata is a structured key/value storage of relevant information about a build. From 8996f066d1ce6f14b8fc80716f157c27e0b37da0 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Fri, 10 Mar 2023 10:22:49 +0900 Subject: [PATCH 25/51] Update screwdriver.yaml --- screwdriver.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/screwdriver.yaml b/screwdriver.yaml index 983d737b..ea77a244 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml @@ -36,6 +36,7 @@ jobs: #- xzutils-install: apt-get install -y xz-utils git - mkdir: mkdir -p /opt/node - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.gz -o /opt/node/node-v16.16.0-linux-x64.tar.gz + - sleep: sleep 300 - tar: tar -xzf /opt/node/node-v16.16.0-linux-x64.tar.xz - path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin" - test: node --version From 802576675f90705635ce9ba75253cbc7f2e36770 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Fri, 10 Mar 2023 10:26:42 +0900 Subject: [PATCH 26/51] Update screwdriver.yaml --- screwdriver.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index ea77a244..8768ceed 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml 
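Review bot: The `@@ -31,12 +31,12 @@` hunk switches the download to `node-v16.16.0-linux-x64.tar.gz` but the next step still extracts `/opt/node/node-v16.16.0-linux-x64.tar.xz`, a file this version of the job never creates, so the `tar` step fails on every run. The two lines need to agree, e.g. `- tar: tar -xzf /opt/node/node-v16.16.0-linux-x64.tar.gz -C /opt/node` (the `-C` keeps it consistent with the `path:` step that follows). Since the earlier `export`/`echo $BRINGUP` steps appear to share one shell environment, exporting the archive path once (`export NODE_TGZ=/opt/node/node-v16.16.0-linux-x64.tar.gz`) and reusing it in both steps would stop them drifting apart again.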
@@ -36,10 +36,10 @@ jobs: #- xzutils-install: apt-get install -y xz-utils git - mkdir: mkdir -p /opt/node - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.gz -o /opt/node/node-v16.16.0-linux-x64.tar.gz - - sleep: sleep 300 - - tar: tar -xzf /opt/node/node-v16.16.0-linux-x64.tar.xz + #- sleep: sleep 300 + - tar: tar -xzf /opt/node/node-v16.16.0-linux-x64.tar.gz - path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin" - - test: node --version + - test: echo "Node version: $(node --version)" # Metadata is a structured key/value storage of relevant information about a build. # Metadata will be shared with subsequent builds in the same workflow. # You can set any key using the command "meta set ". From 43cb369fb18d0ae1c25df2f71cca9d920d1c94c0 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Fri, 10 Mar 2023 10:29:46 +0900 Subject: [PATCH 27/51] Update screwdriver.yaml --- screwdriver.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 8768ceed..64a1fe33 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml @@ -39,7 +39,7 @@ jobs: #- sleep: sleep 300 - tar: tar -xzf /opt/node/node-v16.16.0-linux-x64.tar.gz - path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin" - - test: echo "Node version: $(node --version)" + - test: echo "$(node --version)" # Metadata is a structured key/value storage of relevant information about a build. # Metadata will be shared with subsequent builds in the same workflow. # You can set any key using the command "meta set ". From 9758861bc41bdfef6e7299962aea22b5e12d4e59 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Fri, 10 Mar 2023 11:40:19 +0900 Subject: [PATCH 28/51] Update screwdriver.yaml --- screwdriver.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/screwdriver.yaml b/screwdriver.yaml index 64a1fe33..a86b0144 100644 --- a/screwdriver.yaml +++ b/screwdriver.yaml 
@@ -31,15 +31,10 @@ jobs: # the same job (as shown below). - export: export BRINGUP="We're bringing up the build env now!" - console: echo $BRINGUP - #- sleep: sleep 300 - #- apt-update: apt-get update - #- xzutils-install: apt-get install -y xz-utils git - mkdir: mkdir -p /opt/node - node: curl -fsSL https://nodejs.org/dist/v16.16.0/node-v16.16.0-linux-x64.tar.gz -o /opt/node/node-v16.16.0-linux-x64.tar.gz - #- sleep: sleep 300 - tar: tar -xzf /opt/node/node-v16.16.0-linux-x64.tar.gz - path: PATH="${PATH}:/opt/node/node-v16.16.0-linux-x64/bin" - - test: echo "$(node --version)" # Metadata is a structured key/value storage of relevant information about a build. # Metadata will be shared with subsequent builds in the same workflow. # You can set any key using the command "meta set ". @@ -54,6 +49,7 @@ jobs: # command. - export: export BUILDING="We are building now!" - console: echo $BUILDING + - sleep 300 - build: mvn clean compile # You can get metadata that was set using the command "meta get ". #- get-metadata: meta get example From d5c27a7f1bd650397163be328e19a97f5a8e09a0 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Wed, 5 Apr 2023 15:01:08 +0900 Subject: [PATCH 29/51] Test Synopsys GHA with Polaris --- .github/workflows/synopsys-polaris.yml | 31 +++++++++++++++++++ .github/workflows/synopsys.yml | 41 -------------------------- 2 files changed, 31 insertions(+), 41 deletions(-) create mode 100644 .github/workflows/synopsys-polaris.yml delete mode 100644 .github/workflows/synopsys.yml diff --git a/.github/workflows/synopsys-polaris.yml b/.github/workflows/synopsys-polaris.yml new file mode 100644 index 00000000..a59fae9a --- /dev/null +++ b/.github/workflows/synopsys-polaris.yml 
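Review bot: In the `@@ -54,6 +49,7 @@` hunk the added `- sleep 300` is a bare string item, while every other step in this job is a single-key `name: command` mapping (`- console: echo $BUILDING`, `- build: mvn clean compile`); if a step is intended it should read `- sleep: sleep 300`. A fixed five-minute pause before `mvn clean compile` also adds that much to every build and looks like debugging scaffolding carried over from the `sleep 300` experiments removed in the first hunk of this same patch, so if it is genuinely needed a comment stating what it waits for belongs above it. The `build` job's step list continues beyond the hunk.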
@@ -0,0 +1,31 @@ +name: Synopsys Security Testing with Polaris + +on: + push: + # At this time, it is recommended to run Polaris only on pushes to main branches + # Pull request analysis will be supported by Polaris in the future + branches: [ master, main ] + + pull_request: + branches: [ master, main ] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + - name: Synopsys Action + uses: synopsys-sig/synopsys-action@ + with: + polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }} + polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }} + polaris_application_name: ${{ vars.POLARIS_APPLICATION_NAME }} + polaris_project_name: ${{ vars.POLARIS_PROJECT_NAME }} + polaris_assessment_types: ${{ vars.POLARIS_ASSESSMENT_TYPES }} + + # Optional parameter to specify path to synopsys bridge. + # This can be used if you want to pre-configure your GitHub Runner with the + # Synopsys Bridge software + # The default is either /{user_home}/synopsys-bridge or in linux /usr/synopsys-bridge + #synopsys_bridge_path: "/path_to_bridge_executable" diff --git a/.github/workflows/synopsys.yml b/.github/workflows/synopsys.yml deleted file mode 100644 index 401980db..00000000 --- a/.github/workflows/synopsys.yml +++ /dev/null 
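Review bot: `uses: synopsys-sig/synopsys-action@` has no ref after the `@`, so GitHub cannot resolve the action and the job fails before any scan starts; a ref is required, and for a third-party action that receives `POLARIS_ACCESS_TOKEN` a full-length commit SHA with the tag in a trailing comment is the safer pin, since tags can be moved. The same applies to `actions/checkout@v2`. The workflow declares no `permissions:` block, so the job's `GITHUB_TOKEN` gets the repository's default scope even though nothing here writes to GitHub — a top-level `permissions:` granting only `contents: read` is enough. Finally, the comment says Polaris does not yet support pull-request analysis while the `pull_request:` trigger right below it is enabled anyway; either drop the trigger or reword the comment to say the PR runs are deliberate.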
@@ -1,41 +0,0 @@ -name: Synopsys Security Testing - -on: - push: - branches: [ master, main ] - - pull_request: - branches: [ master, main ] - -jobs: - build: - runs-on: [self-hosted, linux, X64] - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Synopsys Action - uses: synopsys-sig/synopsys-action@main - with: - blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} - blackduck_url: ${{ secrets.BLACKDUCK_URL }} - - # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests - # will initiate a rapid scan. - blackduck_scan_full: false - # Required parameter if blackduck_automation_fixpr is enabled - # Make sure GITHUB_TOKEN have appropriate permissions - github_token: ${{ secrets.GH_TOKEN }} - # Optional parameter. By default, create fix pull requests if vulnerabilities are reported - # Passing false will disable fix pull request creation - blackduck_automation_fixpr: true - # Optional parameter. The values could be. ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED - # Single parameter - blackduck_scan_failure_severities: "[\"ALL\"]" - # multiple parameters - # blackduck_scan_failure_severities: "[\"BLOCKER\", \"CRITICAL\", \"TRIVIAL\"]" - - # Optional parameter, but usually specified - the location of the Synopsys Bridge software - # The Synopsys Bridge software distribution is platform specific - this must match the host OS - # of your runner. For example in this case, we are using the latest version for Linux. - bridge_download_url: ${{ env.LINUX_BRIDGE_URL }} From c11a4c34dee91a34544356c6994f78ef02e07337 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Wed, 5 Apr 2023 15:05:01 +0900 Subject: [PATCH 30/51] Test Synopsys GHA with Polaris, attempt 2 --- .github/workflows/synopsys-polaris.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/synopsys-polaris.yml b/.github/workflows/synopsys-polaris.yml index a59fae9a..5f999b81 100644 
--- a/.github/workflows/synopsys-polaris.yml +++ b/.github/workflows/synopsys-polaris.yml @@ -16,7 +16,7 @@ jobs: - name: Checkout uses: actions/checkout@v2 - name: Synopsys Action - uses: synopsys-sig/synopsys-action@ + uses: synopsys-sig/synopsys-action@1.1.0 with: polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }} polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }} From f779b0c891a83f279e91236d38bf527bf4b062dd Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Wed, 5 Apr 2023 15:08:47 +0900 Subject: [PATCH 31/51] Test Synopsys GHA with Polaris, attempt 3 --- .github/workflows/synopsys-polaris.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/synopsys-polaris.yml b/.github/workflows/synopsys-polaris.yml index 5f999b81..b7659f62 100644 --- a/.github/workflows/synopsys-polaris.yml +++ b/.github/workflows/synopsys-polaris.yml @@ -16,7 +16,7 @@ jobs: - name: Checkout uses: actions/checkout@v2 - name: Synopsys Action - uses: synopsys-sig/synopsys-action@1.1.0 + uses: synopsys-sig/synopsys-action@v1.1.0 with: polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }} polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }} From 0df10504137a40a97f1863d5c3e4afefa51d3ec8 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Wed, 5 Apr 2023 15:23:55 +0900 Subject: [PATCH 32/51] Test Synopsys GHA with Polaris, attempt 4 --- .github/workflows/synopsys-polaris.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/synopsys-polaris.yml b/.github/workflows/synopsys-polaris.yml index b7659f62..bb6cdfa6 100644 --- a/.github/workflows/synopsys-polaris.yml +++ b/.github/workflows/synopsys-polaris.yml 
@@ -20,9 +20,13 @@ jobs: with: polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }} polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }} - polaris_application_name: ${{ vars.POLARIS_APPLICATION_NAME }} - polaris_project_name: ${{ vars.POLARIS_PROJECT_NAME }} - polaris_assessment_types: ${{ vars.POLARIS_ASSESSMENT_TYPES }} +# polaris_application_name: ${{ vars.POLARIS_APPLICATION_NAME }} +# polaris_project_name: ${{ vars.POLARIS_PROJECT_NAME }} +# polaris_assessment_types: ${{ vars.POLARIS_ASSESSMENT_TYPES }} + + polaris_application_name: "mkoishi-application" + polaris_project_name: "MK-java-sec-code" + polaris_assessment_types: "SAST" # Optional parameter to specify path to synopsys bridge. # This can be used if you want to pre-configure your GitHub Runner with the From 3efd74d6beda089e7e2cd68c0fba946e9a5cdef3 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Wed, 5 Apr 2023 15:41:03 +0900 Subject: [PATCH 33/51] Test Synopsys GHA with Black Duck --- .github/workflows/synopsys-blackduck.yml | 40 ++++++++++++++++++++++++ .github/workflows/synopsys-polaris.yml | 10 ++---- 2 files changed, 43 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/synopsys-blackduck.yml diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml new file mode 100644 index 00000000..dd7cf0df --- /dev/null +++ b/.github/workflows/synopsys-blackduck.yml 
@@ -0,0 +1,40 @@ +name: Synopsys Security Testing for Black Duck + +on: + push: + branches: [ master, main ] + + pull_request: + branches: [ master, main ] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Synopsys Action + uses: synopsys-sig/synopsys-action@v1.1.0 + with: + blackduck_apiToken: ${{ secrets.BLACKDUCK_API_TOKEN }} + blackduck_url: ${{ secrets.BLACKDUCK_URL }} + + # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests + # will initiate a rapid scan. + blackduck_scan_full: false + # Required parameter if blackduck_automation_fixpr is enabled + # Make sure GITHUB_TOKEN have appropriate permissions + github_token: ${{ secrets.MY_GITHUB_TOKEN }} + # Optional parameter. By default, create fix pull requests if vulnerabilities are reported + # Passing false will disable fix pull request creation + blackduck_automation_fixpr: true + # Optional parameter. The values could be. ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED + # Single parameter + blackduck_scan_failure_severities: "ALL" + # multiple parameters + # blackduck_scan_failure_severities: "[\"BLOCKER\", \"CRITICAL\", \"TRIVIAL\"]" + + # Optional parameter, but usually specified - the location of the Synopsys Bridge software + # The Synopsys Bridge software distribution is platform specific - this must match the host OS + # of your runner. For example in this case, we are using the latest version for Linux. + #bridge_download_url: ${{ env.LINUX_BRIDGE_URL }} diff --git a/.github/workflows/synopsys-polaris.yml b/.github/workflows/synopsys-polaris.yml index bb6cdfa6..b7659f62 100644 --- a/.github/workflows/synopsys-polaris.yml +++ b/.github/workflows/synopsys-polaris.yml 
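Review bot: `github_token: ${{ secrets.MY_GITHUB_TOKEN }}` hands the action a stored token whose lifetime and scopes are whatever its owner granted and cannot be narrowed by this workflow; the fix PRs it creates target this same repository, so the job-scoped `${{ secrets.GITHUB_TOKEN }}` with an explicit `permissions:` block of `contents: write` and `pull-requests: write` covers the need — which is also what the "Make sure GITHUB_TOKEN have appropriate permissions" comment asks for but the file never declares (note that PRs opened with the built-in token do not trigger further workflow runs, which matters only if the fix PR itself must be scanned). Both `actions/checkout@v3` and `synopsys-sig/synopsys-action@v1.1.0` are pinned to movable tags; for a step that receives `BLACKDUCK_API_TOKEN`, pin to a full commit SHA and keep the tag as a trailing comment. `blackduck_scan_failure_severities: "ALL"` and the commented example `"[\"BLOCKER\", \"CRITICAL\", \"TRIVIAL\"]"` below it use two different formats, so one of them is stale for the pinned action version and only the supported one should remain.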
@@ -20,13 +20,9 @@ jobs: with: polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }} polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }} -# polaris_application_name: ${{ vars.POLARIS_APPLICATION_NAME }} -# polaris_project_name: ${{ vars.POLARIS_PROJECT_NAME }} -# polaris_assessment_types: ${{ vars.POLARIS_ASSESSMENT_TYPES }} - - polaris_application_name: "mkoishi-application" - polaris_project_name: "MK-java-sec-code" - polaris_assessment_types: "SAST" + polaris_application_name: ${{ vars.POLARIS_APPLICATION_NAME }} + polaris_project_name: ${{ vars.POLARIS_PROJECT_NAME }} + polaris_assessment_types: ${{ vars.POLARIS_ASSESSMENT_TYPES }} # Optional parameter to specify path to synopsys bridge. # This can be used if you want to pre-configure your GitHub Runner with the From db7182f287d76c625657f01f52be268dd38cf000 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Wed, 5 Apr 2023 15:54:58 +0900 Subject: [PATCH 34/51] Test Synopsys GHA with Black Duck trial-2 --- .github/workflows/synopsys-blackduck.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml index dd7cf0df..71f164b4 100644 --- a/.github/workflows/synopsys-blackduck.yml +++ b/.github/workflows/synopsys-blackduck.yml @@ -21,7 +21,7 @@ jobs: # Optional parameter. By default, pushes will initiate a full "intelligent" scan and pull requests # will initiate a rapid scan. - blackduck_scan_full: false + blackduck_scan_full: true # Required parameter if blackduck_automation_fixpr is enabled # Make sure GITHUB_TOKEN have appropriate permissions github_token: ${{ secrets.MY_GITHUB_TOKEN }} 
@@ -32,7 +32,8 @@ jobs: # Single parameter blackduck_scan_failure_severities: "ALL" # multiple parameters - # blackduck_scan_failure_severities: "[\"BLOCKER\", \"CRITICAL\", \"TRIVIAL\"]" + blackduck_scan_failure_severities: "BLOCKER" + #blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL" # Optional parameter, but usually specified - the location of the Synopsys Bridge software # The Synopsys Bridge software distribution is platform specific - this must match the host OS From d67494780040c2f5e5c7d73e3235ff72c95af8c8 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Wed, 5 Apr 2023 15:57:48 +0900 Subject: [PATCH 35/51] Test Synopsys GHA with Black Duck attempt-2 --- .github/workflows/synopsys-blackduck.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml index 71f164b4..dc90e06c 100644 --- a/.github/workflows/synopsys-blackduck.yml +++ b/.github/workflows/synopsys-blackduck.yml @@ -30,7 +30,7 @@ jobs: blackduck_automation_fixpr: true # Optional parameter. The values could be. ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED # Single parameter - blackduck_scan_failure_severities: "ALL" + #blackduck_scan_failure_severities: "ALL" # multiple parameters blackduck_scan_failure_severities: "BLOCKER" #blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL" From 9d636f5591e8b19477c6afb66017ae6520833600 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Wed, 5 Apr 2023 16:14:57 +0900 Subject: [PATCH 36/51] Test Synopsys GHA with Black Duck attempt-3 --- .github/workflows/synopsys-blackduck.yml | 4 +-- .github/workflows/synopsys-polaris.yml | 31 ------------------------ 2 files changed, 2 insertions(+), 33 deletions(-) delete mode 100644 .github/workflows/synopsys-polaris.yml diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml index dc90e06c..7b1ace55 100644 --- a/.github/workflows/synopsys-blackduck.yml 
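Review bot: The `@@ -32,7 +32,8 @@` hunk adds `blackduck_scan_failure_severities: "BLOCKER"` while the context line `blackduck_scan_failure_severities: "ALL"` two lines above stays live, leaving the `with:` mapping with a duplicate key; GitHub's workflow parser reports duplicate keys as an error, and a generic YAML loader would silently keep the last value, so in neither case does `"ALL"` do what it appears to. Remove or comment out the `"ALL"` line in the same change, and move the `# multiple parameters` comment so it sits above the `BLOCKER,CRITICAL,TRIVIAL` example rather than above a single-value line. The `with:` block continues outside the hunk.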
+++ b/.github/workflows/synopsys-blackduck.yml @@ -27,14 +27,14 @@ jobs: github_token: ${{ secrets.MY_GITHUB_TOKEN }} # Optional parameter. By default, create fix pull requests if vulnerabilities are reported # Passing false will disable fix pull request creation - blackduck_automation_fixpr: true + blackduck_automation_fixpr: false # Optional parameter. The values could be. ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED # Single parameter #blackduck_scan_failure_severities: "ALL" # multiple parameters blackduck_scan_failure_severities: "BLOCKER" #blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL" - + blackduck_automation_prcomment: true # Optional parameter, but usually specified - the location of the Synopsys Bridge software # The Synopsys Bridge software distribution is platform specific - this must match the host OS # of your runner. For example in this case, we are using the latest version for Linux. diff --git a/.github/workflows/synopsys-polaris.yml b/.github/workflows/synopsys-polaris.yml deleted file mode 100644 index b7659f62..00000000 --- a/.github/workflows/synopsys-polaris.yml +++ /dev/null 
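Review bot: With `blackduck_automation_fixpr` now `false`, the comment above `github_token` ("Required parameter if blackduck_automation_fixpr is enabled") no longer explains why the token is still passed; the newly added `blackduck_automation_prcomment: true` is what needs it, so the comment should say so, e.g. `# Required when blackduck_automation_fixpr or blackduck_automation_prcomment is enabled; the token needs pull-requests: write`. Posting PR comments is a write to the repository, so the token should be scoped to that rather than being a broad personal token — whether `MY_GITHUB_TOKEN` is one cannot be seen here, but the name suggests it. On `pull_request` runs from forks GitHub withholds repository secrets, so this step would have no token in that case; how the action behaves then is not visible in the hunk.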
@@ -1,31 +0,0 @@ -name: Synopsys Security Testing with Polaris - -on: - push: - # At this time, it is recommended to run Polaris only on pushes to main branches - # Pull request analysis will be supported by Polaris in the future - branches: [ master, main ] - - pull_request: - branches: [ master, main ] - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Synopsys Action - uses: synopsys-sig/synopsys-action@v1.1.0 - with: - polaris_serverUrl: ${{ secrets.POLARIS_SERVER_URL }} - polaris_accessToken: ${{ secrets.POLARIS_ACCESS_TOKEN }} - polaris_application_name: ${{ vars.POLARIS_APPLICATION_NAME }} - polaris_project_name: ${{ vars.POLARIS_PROJECT_NAME }} - polaris_assessment_types: ${{ vars.POLARIS_ASSESSMENT_TYPES }} - - # Optional parameter to specify path to synopsys bridge. - # This can be used if you want to pre-configure your GitHub Runner with the - # Synopsys Bridge software - # The default is either /{user_home}/synopsys-bridge or in linux /usr/synopsys-bridge - #synopsys_bridge_path: "/path_to_bridge_executable" From 5df0455d7842ccc26b49e489b1958da66d752090 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Wed, 5 Apr 2023 16:17:10 +0900 Subject: [PATCH 37/51] Test Synopsys GHA with Black Duck attempt-4 --- .github/workflows/synopsys-blackduck.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml index 7b1ace55..1b6e571b 100644 --- a/.github/workflows/synopsys-blackduck.yml +++ b/.github/workflows/synopsys-blackduck.yml 
@@ -34,7 +34,7 @@ jobs: # multiple parameters blackduck_scan_failure_severities: "BLOCKER" #blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL" - blackduck_automation_prcomment: true + #blackduck_automation_prcomment: true # Optional parameter, but usually specified - the location of the Synopsys Bridge software # The Synopsys Bridge software distribution is platform specific - this must match the host OS # of your runner. For example in this case, we are using the latest version for Linux. From c1451a2ce05c76c1fb4e1d083184e7fc79c2478d Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Wed, 5 Apr 2023 16:39:55 +0900 Subject: [PATCH 38/51] Update synopsys-blackduck.yml --- .github/workflows/synopsys-blackduck.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml index 1b6e571b..7b1ace55 100644 --- a/.github/workflows/synopsys-blackduck.yml +++ b/.github/workflows/synopsys-blackduck.yml @@ -34,7 +34,7 @@ jobs: # multiple parameters blackduck_scan_failure_severities: "BLOCKER" #blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL" - #blackduck_automation_prcomment: true + blackduck_automation_prcomment: true # Optional parameter, but usually specified - the location of the Synopsys Bridge software # The Synopsys Bridge software distribution is platform specific - this must match the host OS # of your runner. For example in this case, we are using the latest version for Linux. From 215dbe36407c37ce0b5e556ee2971bc8fa178c6b Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 6 Apr 2023 14:49:55 +0900 Subject: [PATCH 39/51] test for auto fix and pr comment --- .github/workflows/synopsys-blackduck.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml index 7b1ace55..2c033579 100644 --- a/.github/workflows/synopsys-blackduck.yml 
+++ b/.github/workflows/synopsys-blackduck.yml @@ -27,12 +27,12 @@ jobs: github_token: ${{ secrets.MY_GITHUB_TOKEN }} # Optional parameter. By default, create fix pull requests if vulnerabilities are reported # Passing false will disable fix pull request creation - blackduck_automation_fixpr: false + blackduck_automation_fixpr: true # Optional parameter. The values could be. ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED # Single parameter #blackduck_scan_failure_severities: "ALL" # multiple parameters - blackduck_scan_failure_severities: "BLOCKER" + blackduck_scan_failure_severities: "NONE" #blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL" blackduck_automation_prcomment: true # Optional parameter, but usually specified - the location of the Synopsys Bridge software From c7e3630fafa98ade20c8ab42d976142e49a3a2db Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Wed, 12 Apr 2023 14:22:11 +0900 Subject: [PATCH 40/51] Update synopsys-blackduck.yml --- .github/workflows/synopsys-blackduck.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml index 2c033579..630fe105 100644 --- a/.github/workflows/synopsys-blackduck.yml +++ b/.github/workflows/synopsys-blackduck.yml 
@@ -27,13 +27,13 @@ jobs: github_token: ${{ secrets.MY_GITHUB_TOKEN }} # Optional parameter. By default, create fix pull requests if vulnerabilities are reported # Passing false will disable fix pull request creation - blackduck_automation_fixpr: true + blackduck_automation_fixpr: false # Optional parameter. The values could be. ALL|NONE|BLOCKER|CRITICAL|MAJOR|MINOR|OK|TRIVIAL|UNSPECIFIED # Single parameter #blackduck_scan_failure_severities: "ALL" # multiple parameters - blackduck_scan_failure_severities: "NONE" - #blackduck_scan_failure_severities: "BLOCKER,CRITICAL,TRIVIAL" + #blackduck_scan_failure_severities: "NONE" + blackduck_scan_failure_severities: "BLOCKER,CRITICAL" blackduck_automation_prcomment: true # Optional parameter, but usually specified - the location of the Synopsys Bridge software # The Synopsys Bridge software distribution is platform specific - this must match the host OS From 0c5a115db3e9e5b156d53ae5489c77360742fe3b Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Thu, 17 Jul 2025 20:13:30 +0900 Subject: [PATCH 41/51] ipd code-tagging test --- src/main/java/org/ipd-code-tagging-test.java | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 src/main/java/org/ipd-code-tagging-test.java diff --git a/src/main/java/org/ipd-code-tagging-test.java b/src/main/java/org/ipd-code-tagging-test.java new file mode 100644 index 00000000..0d709b0d --- /dev/null +++ b/src/main/java/org/ipd-code-tagging-test.java @@ -0,0 +1,13 @@ +def process_numbers(numbers): + # Calculate sum of even numbers + even_sum = sum(num for num in numbers if num % 2 == 0) + # Calculate average of all numbers + average = sum(numbers) / len(numbers) if numbers else 0 + print("Average of all numbers:", average) + return even_sum + +# Example usage: +input_str = input("Enter numbers separated by spaces: ") +numbers = list(map(int, input_str.split())) +result = process_numbers(numbers) +print("Sum of even numbers:", result) \ No newline at end of file 
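Review bot: `src/main/java/org/ipd-code-tagging-test.java` contains Python (`def process_numbers`, `input(...)`) but sits under `src/main/java` with a `.java` extension, so the Maven compiler will pick it up and `mvn clean compile` — the build step in `screwdriver.yaml` — should fail on it unless the compiler plugin has an exclude configured. If this is a scanner code-tagging fixture, give it a `.py` name outside the Java source root (e.g. `src/main/ipd-code-tagging-test.py`) or place it under a resources directory so it is never compiled. As a minor robustness note, `numbers = list(map(int, input_str.split()))` raises an unhandled `ValueError` on any non-integer token. The file is complete within the hunk.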
From f24a3a44b0f3288227ae1b77b850d15beef508ee Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Fri, 18 Jul 2025 12:45:12 +0900 Subject: [PATCH 42/51] new test file and updated test file for code tagging test --- src/main/ipd-code-tagging-test-2.py | 0 .../org/ipd-code-tagging-test.java => ipd-code-tagging-test.py} | 0 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 src/main/ipd-code-tagging-test-2.py rename src/main/{java/org/ipd-code-tagging-test.java => ipd-code-tagging-test.py} (100%) diff --git a/src/main/ipd-code-tagging-test-2.py b/src/main/ipd-code-tagging-test-2.py new file mode 100644 index 00000000..e69de29b diff --git a/src/main/java/org/ipd-code-tagging-test.java b/src/main/ipd-code-tagging-test.py similarity index 100% rename from src/main/java/org/ipd-code-tagging-test.java rename to src/main/ipd-code-tagging-test.py From e55c2210f440236f275aa920569247bb5018e102 Mon Sep 17 00:00:00 2001 From: Makoto Koishi Date: Fri, 18 Jul 2025 16:34:16 +0900 Subject: [PATCH 43/51] another code tagging test --- src/main/ipd-code-tagging-test-2.py | 9 +++++++++ src/main/ipd-code-tagging-test-3.py | 8 ++++++++ 2 files changed, 17 insertions(+) create mode 100644 src/main/ipd-code-tagging-test-3.py diff --git a/src/main/ipd-code-tagging-test-2.py b/src/main/ipd-code-tagging-test-2.py index e69de29b..3e52f716 100644 --- a/src/main/ipd-code-tagging-test-2.py +++ b/src/main/ipd-code-tagging-test-2.py @@ -0,0 +1,9 @@ +def calculate_average(numbers): + if not numbers: + return 0 # Avoid division by zero + return sum(numbers) / len(numbers) + +# Example usage: +my_list = [10, 20, 30, 40] +average = calculate_average(my_list) +print("The calculated average is:", average) diff --git a/src/main/ipd-code-tagging-test-3.py b/src/main/ipd-code-tagging-test-3.py new file mode 100644 index 00000000..85ffc885 --- /dev/null +++ b/src/main/ipd-code-tagging-test-3.py 
@@ -0,0 +1,8 @@
+def multiply_numbers(*numbers):
+ result = 1
+ for num in numbers:
+ result *= num
+ print("The multiplication result is:", result)
+
+# Example usage:
+multiply_numbers(2, 5, 3) # Output: The multiplication result is: 30
\ No newline at end of file
From 00879d6c421911e06041c6afa6e3dcc58eb17b09 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Fri, 18 Jul 2025 16:59:36 +0900
Subject: [PATCH 44/51] new test code added
---
 src/main/ipd-code-tagging-test-4.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 src/main/ipd-code-tagging-test-4.py
diff --git a/src/main/ipd-code-tagging-test-4.py b/src/main/ipd-code-tagging-test-4.py
new file mode 100644
index 00000000..ef2e3be7
--- /dev/null
+++ b/src/main/ipd-code-tagging-test-4.py
@@ -0,0 +1,24 @@
+# Population numbers (approximate, as of 2025)
+china_population = 1411750000
+japan_population = 124300000
+south_korea_population = 51780000
+thailand_population = 71700000
+indonesia_population = 279100000
+nepal_population = 30700000
+india_population = 1426250000
+
+populations = [
+ china_population,
+ japan_population,
+ south_korea_population,
+ thailand_population,
+ indonesia_population,
+ nepal_population,
+ india_population
+]
+
+total_population = sum(populations)
+average_population = total_population / len(populations)
+
+print("Total population:", total_population)
+print("Average population:", average_population)
\ No newline at end of file
From d6aa948e3c94004cf75e87607b07ca838fcb40dd Mon Sep 17 00:00:00 2001
From: Black Duck
Date: Wed, 30 Jul 2025 01:11:58 +0000
Subject: [PATCH 45/51] Black Duck Security: Committed polaris-workflow.yml
---
 .github/workflows/polaris-workflow.yml | 36 ++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/polaris-workflow.yml
diff --git a/.github/workflows/polaris-workflow.yml b/.github/workflows/polaris-workflow.yml
new file mode 100644
index 00000000..6d2c8ba0
--- /dev/null
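Review bot: `multiply_numbers` only prints and so implicitly returns `None`, which means the product cannot be used by a caller or checked by a test; add `return result` after the `print`. Called with no arguments it prints `1` (the initial value of `result`), which the `# Example usage` comment does not cover; a one-line docstring stating that an empty argument list yields `1` would make that explicit.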
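Review bot: Seven `*_population` scalars are declared and then re-listed by name in `populations`, so every country appears twice and adding or removing one means editing two places. A single dict literal keyed by country removes the duplication; `sum()` and `len()` work on its values unchanged and the two `print` lines stay as they are.
```python
# Population numbers (approximate, as of 2025)
populations_by_country = {
    "china": 1411750000,
    "japan": 124300000,
    "south_korea": 51780000,
    "thailand": 71700000,
    "indonesia": 279100000,
    "nepal": 30700000,
    "india": 1426250000,
}

total_population = sum(populations_by_country.values())
average_population = total_population / len(populations_by_country)
# … unchanged: print statements …
```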
+++ b/.github/workflows/polaris-workflow.yml
@@ -0,0 +1,36 @@
+name: Polaris Security Scan
+on:
+ push:
+ branches:
+ - main
+ - master
+ - develop
+ - stage
+ - release
+ pull_request:
+ branches:
+ - main
+ - master
+ - develop
+ - stage
+ - release
+ workflow_dispatch: {}
+jobs:
+ polaris:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v4
+ - name: Polaris Security Scan
+ id: polaris-scan
+ uses: blackduck-inc/black-duck-security-scan@v2
+ with:
+ polaris_server_url: ${{ vars.POLARIS_URL }}
+ polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+ polaris_assessment_types: SAST,SCA
+ polaris_waitForScan: true
+ mark_build_status: failure
+ include_diagnostics: false
+ polaris_prComment_enabled: false
+ polaris_reports_sarif_create: false
+ polaris_upload_sarif_report: false
From a8b2a411841f0723e684cd208825485040e0cb57 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Wed, 30 Jul 2025 10:31:20 +0900
Subject: [PATCH 46/51] Update polaris-workflow.yml
---
 .github/workflows/polaris-workflow.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/polaris-workflow.yml b/.github/workflows/polaris-workflow.yml
index 6d2c8ba0..a54b994c 100644
--- a/.github/workflows/polaris-workflow.yml
+++ b/.github/workflows/polaris-workflow.yml
@@ -27,6 +27,7 @@ jobs:
 with:
 polaris_server_url: ${{ vars.POLARIS_URL }}
 polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+ polaris_application_name: mkoishi-${{ github.event.repository.name }}
 polaris_assessment_types: SAST,SCA
 polaris_waitForScan: true
 mark_build_status: failure
From dae9a546dc9b39878aeea0386d07ab8cbab16db1 Mon Sep 17 00:00:00 2001
From: Black Duck
Date: Fri, 5 Sep 2025 03:43:14 +0000
Subject: [PATCH 47/51] Black Duck Security: Committed blackducksca-workflow.yml
---
 .github/workflows/blackducksca-workflow.yml | 37 +++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/blackducksca-workflow.yml
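Review bot: Both action references, `uses: actions/checkout@v4` and `uses: blackduck-inc/black-duck-security-scan@v2`, are mutable tags, so the step that receives `secrets.POLARIS_ACCESS_TOKEN` executes whatever commit the tag resolves to at run time; pin each `uses:` to a full commit SHA and keep the version in a trailing comment so Dependabot-style updates remain reviewable. The workflow also declares no `permissions:` block, so the job inherits the repository-default `GITHUB_TOKEN` scope even though checking out and uploading a scan needs only read access; add `permissions:` with `contents: read` at the top level and widen it per job only if a later step requires it. The same two points apply verbatim to `blackducksca-workflow.yml` introduced in patch 47 on this page.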
diff --git a/.github/workflows/blackducksca-workflow.yml b/.github/workflows/blackducksca-workflow.yml
new file mode 100644
index 00000000..da20526b
--- /dev/null
+++ b/.github/workflows/blackducksca-workflow.yml
@@ -0,0 +1,37 @@
+name: Black Duck Security Scan
+on:
+ push:
+ branches:
+ - main
+ - master
+ - develop
+ - stage
+ - release
+ pull_request:
+ branches:
+ - main
+ - master
+ - develop
+ - stage
+ - release
+ workflow_dispatch: {}
+jobs:
+ blackducksca:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v4
+ - name: Black Duck Security Scan
+ id: black-duck-security-scan
+ uses: blackduck-inc/black-duck-security-scan@v2
+ with:
+ blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
+ blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }}
+ blackducksca_waitForScan: true
+ mark_build_status: failure
+ include_diagnostics: false
+ blackducksca_prComment_enabled: false
+ blackducksca_fixpr_enabled: false
+ blackducksca_reports_sarif_create: false
+ blackducksca_upload_sarif_report: false
+ blackducksca_scan_failure_severities: 'BLOCKER,CRITICAL'
From 75f33c0558349f0712beb624c343e2ad7ebad229 Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Fri, 5 Sep 2025 14:09:10 +0900
Subject: [PATCH 48/51] Update blackducksca-workflow.yml
---
 .github/workflows/blackducksca-workflow.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/blackducksca-workflow.yml b/.github/workflows/blackducksca-workflow.yml
index da20526b..8fe73896 100644
--- a/.github/workflows/blackducksca-workflow.yml
+++ b/.github/workflows/blackducksca-workflow.yml
@@ -24,6 +24,8 @@ jobs:
 - name: Black Duck Security Scan
 id: black-duck-security-scan
 uses: blackduck-inc/black-duck-security-scan@v2
+ env:
+ DETECT_PROJECT_NAME: MK-${{ github.event.repository.name }}
 with:
 blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
 blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }}
From db9a60519f84b501649bbac2bff0a888b1a498fa Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Fri, 5 Sep 2025 14:38:17 +0900
Subject: [PATCH 49/51] Update blackducksca-workflow.yml
---
 .github/workflows/blackducksca-workflow.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/blackducksca-workflow.yml b/.github/workflows/blackducksca-workflow.yml
index 8fe73896..1994df43 100644
--- a/.github/workflows/blackducksca-workflow.yml
+++ b/.github/workflows/blackducksca-workflow.yml
@@ -37,3 +37,4 @@ jobs:
 blackducksca_reports_sarif_create: false
 blackducksca_upload_sarif_report: false
 blackducksca_scan_failure_severities: 'BLOCKER,CRITICAL'
+ detect_args: "--detect.excluded.detector.types=GIT"
From aa76fe0295b4187910f0c61741b4f0a148814e9d Mon Sep 17 00:00:00 2001
From: Makoto Koishi
Date: Wed, 10 Sep 2025 16:56:58 +0900
Subject: [PATCH 50/51] Update synopsys-blackduck.yml
---
 .github/workflows/synopsys-blackduck.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/synopsys-blackduck.yml b/.github/workflows/synopsys-blackduck.yml
index 630fe105..b3c606bf 100644
--- a/.github/workflows/synopsys-blackduck.yml
+++ b/.github/workflows/synopsys-blackduck.yml
@@ -1,3 +1,4 @@
+# Obsolte workflow file but to be kept for reference purpose
 name: Synopsys Security Testing for Black Duck
 on:
 
From 789159c1983cadc47a04ddcae4da6f74e0000f78 Mon Sep 17 00:00:00 2001
From: Black Duck
Date: Mon, 29 Sep 2025 05:12:48 +0000
Subject: [PATCH 51/51] Black Duck Security: Committed polaris-workflow.yml
---
 .github/workflows/polaris-workflow.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/polaris-workflow.yml b/.github/workflows/polaris-workflow.yml
index a54b994c..7e57aa64 100644
--- a/.github/workflows/polaris-workflow.yml
+++ b/.github/workflows/polaris-workflow.yml
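Review bot: `detect_args: "--detect.excluded.detector.types=GIT"` narrows what the scan inspects but carries no explanation of why the GIT detector is excluded, so a later maintainer cannot tell whether the exclusion is a workaround or a deliberate policy. Add a one-line comment directly above it, e.g. `# GIT detector excluded: <reason / ticket reference>`, with the real reason filled in. The `with:` block this line extends starts outside the hunk.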
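Review bot: The added header comment declares the file obsolete, but it remains under `.github/workflows/` with its `on:` trigger block intact (visible as context), so GitHub keeps scheduling it on every matching event and it still runs with repository secrets; a workflow kept for reference should have its triggers reduced to `workflow_dispatch:` only, or be moved out of the workflows directory. `Obsolte` is a typo for `Obsolete`, and the line reads more clearly as `# Obsolete workflow, kept for reference only; not intended to run`. The rest of the trigger block lies outside this hunk.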
@@ -27,8 +27,9 @@ jobs:
 with:
 polaris_server_url: ${{ vars.POLARIS_URL }}
 polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
- polaris_application_name: mkoishi-${{ github.event.repository.name }}
- polaris_assessment_types: SAST,SCA
+ polaris_application_name: mkoishi-application
+ polaris_project_name: MK-java-sec-code
+ polaris_assessment_types: SAST
 polaris_waitForScan: true
 mark_build_status: failure
 include_diagnostics: false
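Review bot: `polaris_assessment_types: SAST` drops `SCA` from the Polaris assessment, so this workflow no longer performs dependency analysis and the coverage loss is silent to anyone reading the file. If that is deliberate because `blackducksca-workflow.yml` now covers SCA, record it next to the key, e.g. `# SCA runs in blackducksca-workflow.yml; Polaris performs SAST only`. `polaris_project_name: MK-java-sec-code` also hard-codes a repository-specific name where the replaced line derived it from `github.event.repository.name`, which will misreport if this workflow is copied to another repository; consider `MK-${{ github.event.repository.name }}` to match the naming used in the Black Duck SCA workflow.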