From c565bbb0b034c60e06b9b67ab99cb4361d3b6bcd Mon Sep 17 00:00:00 2001 From: Johannes Eschrig Date: Wed, 12 Nov 2025 10:09:51 +0100 Subject: [PATCH 1/8] build: add blackduck and sonar scans --- .../actions/scan-with-blackduck/action.yml | 54 +++++++++++++++++++ .github/actions/scan-with-sonar/action.yml | 48 +++++++++++++++++ .github/workflows/blackduck.yml | 31 +++++++++++ .github/workflows/build.yml | 22 +++++--- .pipeline/config.yml | 5 +- 5 files changed, 149 insertions(+), 11 deletions(-) create mode 100644 .github/actions/scan-with-blackduck/action.yml create mode 100644 .github/actions/scan-with-sonar/action.yml create mode 100644 .github/workflows/blackduck.yml diff --git a/.github/actions/scan-with-blackduck/action.yml b/.github/actions/scan-with-blackduck/action.yml new file mode 100644 index 0000000..69484f8 --- /dev/null +++ b/.github/actions/scan-with-blackduck/action.yml 
@@ -0,0 +1,54 @@
+name: Scan with BlackDuck
+description: Scans the project with BlackDuck
+
+inputs:
+ blackduck_token:
+ description: The token to use for BlackDuck authentication
+ required: true
+ github_token:
+ description: The token to use for GitHub authentication
+ required: true
+ java-version:
+ description: The version of Java to use
+ default: "17"
+ required: false
+ maven-version:
+ description: The Maven version the build shall run with.
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Set up Java ${{ inputs.java-version }}
+ uses: actions/setup-java@v4
+ with:
+ java-version: ${{ inputs.java-version }}
+ distribution: sapmachine
+ cache: maven
+
+ - name: Set up Maven ${{ inputs.maven-version }}
+ uses: stCarolas/setup-maven@v5
+ with:
+ maven-version: ${{ inputs.maven-version }}
+
+ - name: Get Major Version
+ id: get-major-version
+ run: |
+ echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: Print Version Number
+ run: echo "${{ steps.get-major-version.outputs.REVISION }}"
+ shell: bash
+
+ - name: BlackDuck Scan
+ uses: SAP/project-piper-action@main
+ with:
+ step-name: detectExecuteScan
+ flags: \
+ --githubToken=$GITHUB_token \
+ --version=${{ steps.get-major-version.outputs.REVISION }}
+ env:
+ PIPER_token: ${{ inputs.blackduck_token }}
+ GITHUB_token: ${{ inputs.github_token }}
+ SCAN_MODE: FULL
diff --git a/.github/actions/scan-with-sonar/action.yml b/.github/actions/scan-with-sonar/action.yml
new file mode 100644
index 0000000..34522cf
--- /dev/null
+++ b/.github/actions/scan-with-sonar/action.yml
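Review bot: `run: echo "${{ steps.get-major-version.outputs.REVISION }}"` splices a value read from the checked-out pom (`mvn help:evaluate -Dexpression=revision`) straight into a bash command line, so a pull request that changes the pom's `revision` property controls text that the shell evaluates inside a job holding `inputs.blackduck_token` and `inputs.github_token`; pass it through the environment instead: `env:` / `REVISION: ${{ steps.get-major-version.outputs.REVISION }}` / `run: echo "$REVISION"`. The same expression is also interpolated into `flags:`, which is an action input rather than a shell line, but it still reaches the piper command line unchecked, so presumably it is worth validating against a version pattern before use. `SAP/project-piper-action@main` and `stCarolas/setup-maven@v5` are mutable references for third-party code that runs with both tokens in scope; pin them to full commit SHAs. The `$GITHUB_token` placed in `flags:` is a plain string here, not a shell expansion, so that line would not have worked as written; the later patch in this series replaces it, but it also shows why secrets belong in `env:` rather than in `flags:`.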
@@ -0,0 +1,48 @@
+name: Scan with SonarQube
+description: Scans the project with SonarQube
+
+inputs:
+ sonarq-token:
+ description: The token to use for SonarQube authentication
+ required: true
+ github-token:
+ description: The token to use for GitHub authentication
+ required: true
+ java-version:
+ description: The version of Java to use
+ required: true
+ maven-version:
+ description: The version of Maven to use
+ required: true
+
+runs:
+ using: composite
+
+ steps:
+ - name: Set up Java ${{inputs.java-version}}
+ uses: actions/setup-java@v4
+ with:
+ java-version: ${{inputs.java-version}}
+ distribution: sapmachine
+ cache: maven
+
+ - name: Set up Maven ${{inputs.maven-version}}
+ uses: stCarolas/setup-maven@v5
+ with:
+ maven-version: ${{inputs.maven-version}}
+
+ - name: Get Revision
+ id: get-revision
+ run: |
+ echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: Print Revision
+ run: echo "${{steps.get-revision.outputs.REVISION}}"
+ shell: bash
+
+ - name: SonarQube Scan
+ uses: SAP/project-piper-action@main
+ with:
+ step-name: sonarExecuteScan
+ flags: --token=${{inputs.sonarq-token}} --githubToken=${{inputs.github-token}} --version=${{steps.get-revision.outputs.REVISION}} --inferJavaBinaries=true
diff --git a/.github/workflows/blackduck.yml b/.github/workflows/blackduck.yml
new file mode 100644
index 0000000..2bef82c
--- /dev/null
+++ b/.github/workflows/blackduck.yml
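Review bot: `flags: --token=${{inputs.sonarq-token}} --githubToken=${{inputs.github-token}} ...` places the SonarQube and GitHub tokens into an action input that the piper action presumably turns into command-line arguments, so both secrets become readable from the runner's process list and from any verbose command echo, whereas the sibling blackduck action in this same patch hands its secret to piper via the environment. Mirror that here — `env:` with `PIPER_token: ${{ inputs.sonarq-token }}` and `PIPER_githubToken: ${{ inputs.github-token }}` — and keep only `--version=... --inferJavaBinaries=true` in `flags:`; confirm in the piper documentation that sonarExecuteScan reads `token` from `PIPER_token` the way detectExecuteScan does. `run: echo "${{steps.get-revision.outputs.REVISION}}"` interpolates a pom-derived value into a shell line, which is a script-injection sink for pull requests that edit the pom; expose it through `env:` and echo `"$REVISION"` instead. Pin `SAP/project-piper-action@main` and `stCarolas/setup-maven@v5` to commit SHAs, since both execute with these tokens available.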
@@ -0,0 +1,31 @@ +name: Blackduck Scan + +env: + MAVEN_VERSION: "3.9.11" + +on: + schedule: + # Run nightly at 2 AM UTC + - cron: "0 2 * * *" + workflow_dispatch: # Allow manual trigger + pull_request: + branches: ["main"] + push: + branches: ["main"] +permissions: + contents: write + id-token: write + +jobs: + blackduck: + name: Blackduck Scan + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v5 + - name: Scan With Black Duck + uses: ./.github/actions/scan-with-blackduck + with: + blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} + github_token: ${{ secrets.GITHUB_TOKEN }} + maven-version: ${{ env.MAVEN_VERSION }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 13fbbe9..d5f0843 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,13 +1,14 @@ -name: PR Build +name: Build env: - MAVEN_VERSION: '3.9.11' + MAVEN_VERSION: "3.9.11" on: + workflow_dispatch: # Allow manual trigger pull_request: - branches: [ "main" ] + branches: ["main"] push: - branches: [ "main" ] + branches: ["main"] permissions: contents: write id-token: write @@ -17,13 +18,20 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - java-version: [ 17, 21 ] + java-version: [17, 21] steps: - name: Checkout uses: actions/checkout@v5 - - name: Build uses: ./.github/actions/build with: java-version: ${{ matrix.java-version }} - maven-version: ${{ env.MAVEN_VERSION }} \ No newline at end of file + maven-version: ${{ env.MAVEN_VERSION }} + - name: Sonar Scan + uses: ./.github/actions/scan-with-sonar + if: matrix.java-version == 21 + with: + java-version: 21 + maven-version: ${{ env.MAVEN_VERSION }} + sonarq-token: ${{ secrets.SONAR_TOKEN }} + github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.pipeline/config.yml b/.pipeline/config.yml index 8ccd83c..7c66cc0 100644 --- a/.pipeline/config.yml +++ b/.pipeline/config.yml 
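Review bot: `permissions:` grants `contents: write` and `id-token: write` to a job that only checks out the repository and runs the scan action, and nothing in this series shows detectExecuteScan pushing commits or requesting an OIDC token, so both look copied from build.yml rather than required; later patches in the series add `issues: write` and `pull-requests: write`, which is presumably the scope the step actually needs, so drop the two unneeded grants or at least declare `permissions:` on the `blackduck` job rather than the workflow. The `pull_request` trigger also means that for pull requests from forks `secrets.BLACK_DUCK_TOKEN` is empty and the scan runs with no credential; guard the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or drop `pull_request` and rely on `push` plus `schedule`. `actions/checkout@v5` is a mutable tag; pin it to a commit SHA.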
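Review bot: The new `Sonar Scan` step passes `secrets.SONAR_TOKEN` in a workflow triggered by `pull_request`, where pull requests from forks receive no secrets, so the step will run with an empty token and — given `sonar.qualitygate.wait=true` in `.pipeline/config.yml` — presumably fail the PR build for external contributors. Tighten the condition to `if: matrix.java-version == 21 && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)`. The `build` job this step belongs to starts above the hunk; its workflow-level `permissions` (`contents: write`, `id-token: write`) are pre-existing but now also cover a step that hands `secrets.GITHUB_TOKEN` to a third-party action pinned to a branch, so pin that action to a SHA and consider narrowing the grants.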
@@ -4,7 +4,6 @@ steps: verify: true flatten: true # https://www.project-piper.io/steps/mavenBuild/#dockerimage - # If empty, Docker is not used and the command is executed directly on the Jenkins system. dockerImage: '' detectExecuteScan: @@ -24,17 +23,15 @@ steps: - --detect.excluded.directories='**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar' - --detect.maven.build.command='-pl com.sap.cds:cds-feature-console' # https://www.project-piper.io/steps/detectExecuteScan/#dockerimage - # If empty, Docker is not used and the command is executed directly on the Jenkins system. dockerImage: '' sonarExecuteScan: serverUrl: https://sonar.tools.sap projectKey: cds-feature-console # https://www.project-piper.io/steps/sonarExecuteScan/#dockerimage - # If empty, Docker is not used and the command is executed directly on the Jenkins system. dockerImage: '' options: - sonar.qualitygate.wait=true - sonar.java.source=17 - sonar.exclusions=**/node_modules/**,**/target/** - - sonar.coverage.jacoco.xmlReportPaths=cds-feature-console/target/site/jacoco/jacoco.xml \ No newline at end of file + - sonar.coverage.jacoco.xmlReportPaths=cds-feature-console/target/site/jacoco/jacoco.xml From 91d49bee1e720580e1c88954966021712e0a36e1 Mon Sep 17 00:00:00 2001 From: Johannes Eschrig Date: Wed, 12 Nov 2025 10:21:38 +0100 Subject: [PATCH 2/8] fixes --- .github/workflows/prepare-next-version.yml | 6 +++--- .pipeline/config.yml | 20 ++++++++++---------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/prepare-next-version.yml b/.github/workflows/prepare-next-version.yml index 02b859a..0166cbd 100644 --- a/.github/workflows/prepare-next-version.yml +++ b/.github/workflows/prepare-next-version.yml @@ -1,8 +1,8 @@ -name: Deploy to Maven Central +name: Prepare Next Version env: - JAVA_VERSION: '17' - MAVEN_VERSION: '3.9.11' + JAVA_VERSION: "17" + MAVEN_VERSION: "3.9.11" on: workflow_dispatch: 
diff --git a/.pipeline/config.yml b/.pipeline/config.yml index 7c66cc0..1439998 100644 --- a/.pipeline/config.yml +++ b/.pipeline/config.yml @@ -4,32 +4,32 @@ steps: verify: true flatten: true # https://www.project-piper.io/steps/mavenBuild/#dockerimage - dockerImage: '' + dockerImage: "" detectExecuteScan: - projectName: 'com.sap.cds.feature.console' + projectName: "com.sap.cds.feature.console" groups: - - 'CDSJAVA-OPEN-SOURCE' - serverUrl: 'https://sap.blackducksoftware.com/' - mavenExcludedScopes: [ "provided", "test" ] - failOn: [ 'BLOCKER', 'CRITICAL', 'MAJOR' ] + - "CDSJAVA-OPEN-SOURCE" + serverUrl: "https://sap.blackducksoftware.com/" + mavenExcludedScopes: ["provided", "test"] + failOn: ["BLOCKER", "CRITICAL", "MAJOR"] versioningModel: "major-minor" - detectTools: [ 'DETECTOR', 'BINARY_SCAN' ] + detectTools: ["DETECTOR", "BINARY_SCAN"] installArtifacts: true - repository: '/cap-java/cds-feature-console' + repository: "cap-java/cds-feature-console" verbose: true scanProperties: - --detect.included.detector.types=MAVEN - --detect.excluded.directories='**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar' - --detect.maven.build.command='-pl com.sap.cds:cds-feature-console' # https://www.project-piper.io/steps/detectExecuteScan/#dockerimage - dockerImage: '' + dockerImage: "" sonarExecuteScan: serverUrl: https://sonar.tools.sap projectKey: cds-feature-console # https://www.project-piper.io/steps/sonarExecuteScan/#dockerimage - dockerImage: '' + dockerImage: "" options: - sonar.qualitygate.wait=true - sonar.java.source=17 From ca9f57cee03db0de001ac32a41330a98033c8b3f Mon Sep 17 00:00:00 2001 From: Johannes Eschrig Date: Wed, 12 Nov 2025 10:43:03 +0100 Subject: [PATCH 3/8] rm repository --- .pipeline/config.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pipeline/config.yml b/.pipeline/config.yml index 1439998..33e6f92 100644 --- a/.pipeline/config.yml +++ b/.pipeline/config.yml 
@@ -16,7 +16,6 @@ steps: versioningModel: "major-minor" detectTools: ["DETECTOR", "BINARY_SCAN"] installArtifacts: true - repository: "cap-java/cds-feature-console" verbose: true scanProperties: - --detect.included.detector.types=MAVEN From 6ae32df12d460b2ae704c9f2af8320a3713763bf Mon Sep 17 00:00:00 2001 From: Johannes Eschrig Date: Wed, 12 Nov 2025 10:46:56 +0100 Subject: [PATCH 4/8] readd repo --- .pipeline/config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.pipeline/config.yml b/.pipeline/config.yml index 33e6f92..9a0d90b 100644 --- a/.pipeline/config.yml +++ b/.pipeline/config.yml @@ -16,6 +16,7 @@ steps: versioningModel: "major-minor" detectTools: ["DETECTOR", "BINARY_SCAN"] installArtifacts: true + repository: "/cap-java/cds-feature-console" verbose: true scanProperties: - --detect.included.detector.types=MAVEN From 951291c49b76b465df66c2ecc0e069f1dcae9a3d Mon Sep 17 00:00:00 2001 From: Johannes Eschrig Date: Wed, 12 Nov 2025 10:50:44 +0100 Subject: [PATCH 5/8] fix repo --- .pipeline/config.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.pipeline/config.yml b/.pipeline/config.yml index 9a0d90b..c38b6bf 100644 --- a/.pipeline/config.yml +++ b/.pipeline/config.yml @@ -16,7 +16,8 @@ steps: versioningModel: "major-minor" detectTools: ["DETECTOR", "BINARY_SCAN"] installArtifacts: true - repository: "/cap-java/cds-feature-console" + owner: "cap-java" + repository: "cds-feature-console" verbose: true scanProperties: - --detect.included.detector.types=MAVEN From 8237f05c3f699126a0485606788cd8b2f9efc28f Mon Sep 17 00:00:00 2001 From: Johannes Eschrig Date: Wed, 12 Nov 2025 10:55:13 +0100 Subject: [PATCH 6/8] allow creating issues --- .github/workflows/blackduck.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/blackduck.yml b/.github/workflows/blackduck.yml index 2bef82c..1233300 100644 --- a/.github/workflows/blackduck.yml +++ b/.github/workflows/blackduck.yml 
@@ -15,6 +15,7 @@ on: permissions: contents: write id-token: write + issues: write jobs: blackduck: From 1b123b0f34e3db1eb03c912abb621f0dcfca360a Mon Sep 17 00:00:00 2001 From: Johannes Eschrig Date: Wed, 12 Nov 2025 11:02:25 +0100 Subject: [PATCH 7/8] github token --- .github/actions/scan-with-blackduck/action.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/actions/scan-with-blackduck/action.yml b/.github/actions/scan-with-blackduck/action.yml index 69484f8..d9a1114 100644 --- a/.github/actions/scan-with-blackduck/action.yml +++ b/.github/actions/scan-with-blackduck/action.yml @@ -46,9 +46,8 @@ runs: with: step-name: detectExecuteScan flags: \ - --githubToken=$GITHUB_token \ --version=${{ steps.get-major-version.outputs.REVISION }} env: PIPER_token: ${{ inputs.blackduck_token }} - GITHUB_token: ${{ inputs.github_token }} + PIPER_githubToken: ${{ inputs.github_token }} SCAN_MODE: FULL From a751848d434556bea7a69f9978ee5db11d5e8502 Mon Sep 17 00:00:00 2001 From: Johannes Eschrig Date: Wed, 12 Nov 2025 11:23:07 +0100 Subject: [PATCH 8/8] fix permissions --- .github/workflows/blackduck.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/blackduck.yml b/.github/workflows/blackduck.yml index 1233300..8921200 100644 --- a/.github/workflows/blackduck.yml +++ b/.github/workflows/blackduck.yml @@ -16,6 +16,7 @@ permissions: contents: write id-token: write issues: write + pull-requests: write jobs: blackduck:
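Review bot: `flags: \` followed by an indented `--version=...` line is a YAML plain multi-line scalar, in which a backslash is a literal character rather than a line continuation, so the value handed to the action is `\ --version=<revision>`; before this patch the stray `\` sat between two real flags, now it is the leading token. Depending on how the piper action splits `flags`, that is either passed to piper as a bogus argument or silently dropped, so collapse it to a single line: `flags: --version=${{ steps.get-major-version.outputs.REVISION }}`. Moving the GitHub token from a flag to `PIPER_githubToken` in `env:` is the right direction, since it keeps the secret out of the command-line arguments; the step definition starts above the hunk.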