Merge branch 'kiko/codescan/compliance-pr/OTP-19359/PR-9085' into maint

* kiko/codescan/compliance-pr: gh: Implement SARIF license uploader github: scancode scans multiple files at once
dotsimon · Nov 20, 2024 · dc97ae2 · dc97ae2
2 parents 83def86 + ad78d8d
commit dc97ae2
Show file tree

Hide file tree

Showing 7 changed files with 361 additions and 90 deletions.
diff --git a/.github/scripts/get-supported-branches.sh b/.github/scripts/get-supported-branches.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+## %CopyrightBegin%
+##
+## Copyright Ericsson AB 2024. All Rights Reserved.
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+##     http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+## %CopyrightEnd%
+
+printf '["master","maint"'
+for vsn in $(.github/scripts/get-supported-versions.sh); do
+    printf ',"maint-%s"' "${vsn}"
+done
+
+printf ']'
diff --git a/.github/scripts/get-supported-versions.sh b/.github/scripts/get-supported-versions.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+## %CopyrightBegin%
+##
+## Copyright Ericsson AB 2024. All Rights Reserved.
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+##     http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+## %CopyrightEnd%
+
+.github/scripts/get-major-versions.sh | head -3
diff --git a/.github/scripts/update-gh-actions-versions.es b/.github/scripts/update-gh-actions-versions.es
@@ -82,7 +82,7 @@ run(Opts) ->
              "Do you want to want to proceed?", [Cwd, Upstream]),
 
     %% Get this for dependabot update before we start switching branches and other chenanigans
-    SupportedMajorVersions = string:split(cmd(Opts, ".github/scripts/get-major-versions.sh | head -3"),"\n", all),
+    SupportedMajorVersions = string:split(cmd(Opts, ".github/scripts/get-supported-versions.sh"),"\n", all),
     OriginalBranch = cmd(Opts, "git branch --show-current"),
 
     %% Fetch all PRs done by dependabot

diff --git a/.github/workflows/license-scanner.yaml b/.github/workflows/license-scanner.yaml
@@ -0,0 +1,89 @@
+## %CopyrightBegin%
+##
+## Copyright Ericsson AB 2024. All Rights Reserved.
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+##     http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+## %CopyrightEnd%
+
+## This workflow continually scan the master branch to make sure that no files
+## are added without a copyright notice and license.
+
+name: Check license header
+
+on:
+  pull_request:
+  push:
+
+permissions:
+  contents: read
+
+jobs:
+  run-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
+      - name: Check which files have been added
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # ratchet:dorny/[email protected]
+        id: new-files
+        with:
+          predicate-quantifier: 'every'
+          filters: |
+              new:
+                  - added: '**'
+                  - '!**/*.beam'
+                  - '!**/*.exe'
+                  - '!**/*.config.cache.static'
+          ## OTP-27.0 tag as base
+          base: 601a012837ea0a5c8095bf24223132824177124d
+          list-files: shell
+
+      - uses: erlef/setup-beam@5304e04ea2b355f03681464e683d92e3b2f18451 # ratchet:erlef/setup-beam@v1
+        with:
+          otp-version: '27.1'
+
+      - name: License Compliance Check
+        run: |
+            pip install scancode-toolkit==32.3.0
+            scripts/scan-code.escript --file-or-dir "${{ steps.new-files.outputs.new_files }}" \
+                --sarif results.sarif
+
+      - name: "Upload artifact"
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 ratchet:actions/upload-artifact@v4
+        with:
+            name: SARIF file
+            path: results.sarif
+
+  upload-scan:
+    needs: run-scan
+    runs-on: ubuntu-latest
+    if: ${{ !cancelled() }}
+    permissions:
+      # Required to upload SARIF file to CodeQL.
+      # See: https://github.com/github/codeql-action/issues/2117
+      actions: read
+      # Require writing security events to upload SARIF file to security tab
+      security-events: write
+      # Only need to read contents
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
+      - name: Download sarif file
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # ratchet:actions/[email protected]
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        if: ${{ !cancelled() }}
+        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # ratchet:github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "SARIF file/results.sarif"
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -488,9 +488,6 @@ jobs:
       - name: Run dialyzer
         run: docker run -v $PWD/:/github otp '/github/scripts/run-dialyzer'
 
-      - name: License Compliance Check
-        run: docker run -v $PWD/:/github otp 'sudo apt install -y pip && pip install scancode-toolkit==32.3.0 && export PATH="$HOME/.local/bin:$PATH" && /github/scripts/scan-code.escript --file-or-dir "${{ needs.pack.outputs.added_files }}" --template-path /github/scripts/scan-code/template.txt --prefix /github/'
-
   test:
     name: Test Erlang/OTP
     runs-on: ubuntu-latest

diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
@@ -42,13 +42,7 @@ jobs:
       - id: get-versions
         name: Fetch latest 3 OTP versions
         run: |
-          VSNs=$(grep -E 'OTP-[^.]+[.]0 :' otp_versions.table | awk '{ print $1 '} | head -3 | sed 's/[-.]/ /g' | awk '{print $2}')
-          versions='["maint", "master"'
-          for vsn in $VSNs; do
-            versions="${versions}, \"maint-$vsn\""
-          done
-          versions="${versions}]"
-          echo "versions=${versions}" >> "$GITHUB_OUTPUT"
+          echo "versions=$(.github/scripts/get-supported-branches.sh)" >> "$GITHUB_OUTPUT"
 
   run-scheduled-scan:
     # Fan out and create requests to run OSV on multiple branches.