From cd884049f86fbffc963ac5fcc18c938bcf995165 Mon Sep 17 00:00:00 2001
From: Prabhu Subramanian
Date: Wed, 29 Jan 2025 17:37:11 +0000
Subject: [PATCH] secure mode tests in repotests

Signed-off-by: Prabhu Subramanian
---
 .github/workflows/repotests.yml | 99 ++++++++++++++++++++++++++++++++-
 1 file changed, 98 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/repotests.yml b/.github/workflows/repotests.yml
index 41c062494..6d51615d0 100644
--- a/.github/workflows/repotests.yml
+++ b/.github/workflows/repotests.yml
@@ -10,7 +10,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 jobs:
-  build:
+  cli-tests:
     strategy:
       fail-fast: true
       matrix:
@@ -642,3 +642,100 @@ jobs:
         with:
           name: bomresults
           path: bomresults
+
+  secure-mode-tests:
+    strategy:
+      fail-fast: true
+      matrix:
+        node-version: ['23.x']
+        os: ['ubuntu-24.04', 'ubuntu-24.04-arm', 'windows-latest', 'macos-15']
+    runs-on: ${{ matrix.os }}
+    env:
+      CDXGEN_SECURE_MODE: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '23'
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.23'
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Trim CI agent
+        if: matrix.os == 'ubuntu-24.04' || matrix.os == 'ubuntu-24.04-arm'
+        run: |
+          chmod +x contrib/free_disk_space.sh
+          ./contrib/free_disk_space.sh
+      - uses: sbt/setup-sbt@v1
+      - name: Install bazelisk - linux
+        if: matrix.os == 'ubuntu-24.04'
+        run: |
+          curl -LO "https://github.com/bazelbuild/bazelisk/releases/download/v1.20.0/bazelisk-linux-amd64"
+          sudo mv bazelisk-linux-amd64 /usr/local/bin/bazel
+          chmod +x /usr/local/bin/bazel
+      - name: Install bazelisk - linux arm
+        if: matrix.os == 'ubuntu-24.04-arm'
+        run: |
+          curl -LO "https://github.com/bazelbuild/bazelisk/releases/download/v1.20.0/bazelisk-linux-arm64"
+          sudo mv bazelisk-linux-arm64 /usr/local/bin/bazel
+          chmod +x /usr/local/bin/bazel
+      - name: Install bazelisk - mac
+        if: matrix.os == 'macos-15'
+        run: |
+          brew install bazelisk
+      - name: Install bazelisk - windows
+        if: matrix.os == 'windows-latest'
+        run: choco install -y bazel
+      - name: npm install, build and test
+        run: |
+          corepack enable
+          corepack pnpm install --package-import-method copy
+          corepack pnpm test
+          mkdir -p repotests
+          mkdir -p bomresults
+          mkdir -p denoresults
+        env:
+          CI: true
+          CDXGEN_TEMP_DIR: ${{ runner.temp }}/cdxgen-repotests
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+      - name: pip install custom-json-diff
+        run: |
+          pip install custom-json-diff
+      - uses: actions/checkout@v4
+        with:
+          repository: 'hoolicorp/java-sec-code'
+          path: 'repotests/java-sec-code'
+      - name: setup sdkman
+        run: |
+          curl -s "https://get.sdkman.io" | bash
+        if: runner.os != 'Windows'
+      - name: setup rbenv
+        run: |
+          git clone https://github.com/rbenv/rbenv.git --depth=1 ~/.rbenv
+          echo 'export PATH="~/.rbenv/bin:$PATH"' >> ~/.bashrc
+          echo 'eval "$(~/.rbenv/bin/rbenv init - bash)"' >> ~/.bashrc
+          source ~/.bashrc
+          mkdir -p "~/.rbenv/plugins"
+          git clone https://github.com/rbenv/ruby-build.git --depth=1 "~/.rbenv/plugins/ruby-build"
+        if: runner.os != 'Windows'
+      - name: repotests java-sec-code
+        run: |
+          bin/cdxgen.js -p -t java ${GITHUB_WORKSPACE}/repotests/java-sec-code -o ${GITHUB_WORKSPACE}/bomresults/bom-java-sec-code-1.json --fail-on-error
+          bin/cdxgen.js -p -t java ${GITHUB_WORKSPACE}/repotests/java-sec-code -o ${GITHUB_WORKSPACE}/bomresults/bom-java-sec-code-2.json --author foo --author bar --standard asvs-4.0.3
+          bin/cdxgen.js -p -t java ${GITHUB_WORKSPACE}/repotests/java-sec-code -o ${GITHUB_WORKSPACE}/bomresults/bom-java-sec-code-3.json --required-only --fail-on-error
+          bin/cdxgen.js -p -t java ${GITHUB_WORKSPACE}/repotests/java-sec-code -o ${GITHUB_WORKSPACE}/bomresults/bom-java-sec-code-4.json --filter postgres --filter json
+        shell: bash
+        env:
+          NODE_OPTIONS: "--permission --allow-fs-read=${{ github.workspace }}/* --allow-fs-write=${{ github.workspace }}/* --allow-fs-read=${{ runner.temp }}/* --allow-fs-write=${{ runner.temp }}/* --allow-child-process --trace-warnings"
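Review bot: In the `setup rbenv` step the tilde sits inside double quotes in `PATH="~/.rbenv/bin:$PATH"`, `mkdir -p "~/.rbenv/plugins"` and the second `git clone` target, so bash does not expand it: the plugin clone lands in a literal `~` directory under the workspace and the PATH entry never resolves; use `$HOME` instead, e.g. `mkdir -p "$HOME/.rbenv/plugins"` and `git clone https://github.com/rbenv/ruby-build.git --depth=1 "$HOME/.rbenv/plugins/ruby-build"` (if this step was copied from the existing cli-tests job outside this hunk, the same fix applies there). The `--allow-child-process` flag in the NODE_OPTIONS line means Node's permission model stops at the process boundary, so the Java/Maven/Gradle tooling cdxgen spawns for this repo runs with no fs restriction at all; a comment on that env line such as `# child processes are not sandboxed by --permission; only cdxgen's own fs access is constrained` would keep the scope of "secure mode" honest for the next reader. `curl -s "https://get.sdkman.io" | bash` and the two unchecked bazelisk binaries execute whatever the remote currently serves on every run; recording the expected digest and verifying with `sha256sum -c` before moving or executing would close that supply-chain gap. Also write `CDXGEN_SECURE_MODE: "true"` so the string env value is not parsed as a YAML boolean and flagged by linters.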