
Add Risk Score & Generate Sbom #4

Merged
merged 6 commits into main from feat/risk_score_check
Jul 25, 2023

Conversation

nvima
Contributor

@nvima nvima commented Jul 21, 2023

Added the task "riskScore" which also runs at the end of the "runDepTrackWorkflow".

The configuration is optional; if left empty, the task will be skipped.

It can be used with optional attributes "timeout" and "maxRiskScore".

  • The "timeout" is needed because the calculation of the Risk Score after the VEX upload needs some time until the API returns the correct value.
  • "maxRiskScore" can be configured to check in the pipeline that the Risk Score is not higher than the given value; if it is, the Gradle task throws an error.
    Without "maxRiskScore" only the Risk Score gets printed, without an error.

Tried to include the task in the integration tests, but the default API key of the Docker container does not work with the Analyze API route.

Added the task "generateSbom" and applied the CycloneDX Gradle Plugin internally.
Also added dependsOn, so that generateSbom always runs before uploadSbom, generateVex, ...
Modified integrationTests to use the generated SBOM instead of the Test SBOM File.

Adjusted README with new instructions and infos.

Added a risk score task.
It can be used with the timeout and maxRiskScore attributes in a pipeline to
check if the risk score is good enough for release.
It can also be used without maxRiskScore or timeout to just print the risk
score.
@nvima nvima added the enhancement New feature or request label Jul 21, 2023
@nvima nvima requested a review from Ingwersaft July 21, 2023 09:30
@nvima nvima self-assigned this Jul 21, 2023
README.md (Outdated)

    riskScore{
        projectName.set(name)
        projectVersion.set(version)
        timeout.set(20)
Member


Please use kotlin duration. Without any unit of measurement it's unclear if we're talking about seconds, milliseconds or something else ;)

Contributor Author


added in c20d314
But had to use Experimental Annotation
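The behaviour described in the PR description (wait for the server to recompute the score after the VEX upload, then either report it or fail the build when it exceeds maxRiskScore), with the timeout expressed as a kotlin.time.Duration as the review above asks for. This is an added illustration, not the plugin's own code: the RiskScoreSource interface, the RiskScoreGateException class, the polling interval and the 42.0 / 10.0 values are constructed stand-ins for the Dependency-Track API call and real project data.

```kotlin
import kotlin.time.Duration
import kotlin.time.Duration.Companion.seconds
import kotlin.time.ExperimentalTime
import kotlin.time.TimeSource

// Hypothetical stand-in for the plugin's call to the Dependency-Track API.
// Returns null while the server has not yet recomputed the score after the VEX upload.
fun interface RiskScoreSource {
    fun fetch(): Double?
}

class RiskScoreGateException(message: String) : RuntimeException(message)

/**
 * Polls [source] until a score is available or [timeout] elapses.
 * If [maxRiskScore] is null the score is only reported; otherwise the
 * gate fails when the score exceeds it. A score that never becomes
 * available within [timeout] also fails the gate instead of passing silently.
 */
@OptIn(ExperimentalTime::class)
fun checkRiskScore(
    source: RiskScoreSource,
    timeout: Duration,
    maxRiskScore: Double? = null,
    pollInterval: Duration = 1.seconds,
    sleep: (Duration) -> Unit = { Thread.sleep(it.inWholeMilliseconds) },
): Double {
    val start = TimeSource.Monotonic.markNow()
    var score = source.fetch()
    while (score == null && start.elapsedNow() < timeout) {
        sleep(pollInterval)
        score = source.fetch()
    }
    val result = score
        ?: throw RiskScoreGateException("No risk score returned within $timeout")
    println("Inherited risk score: $result")
    if (maxRiskScore != null && result > maxRiskScore) {
        throw RiskScoreGateException("Risk score $result exceeds maxRiskScore $maxRiskScore")
    }
    return result
}

fun main() {
    // Constructed fake: the first two polls return nothing, the third returns 42.0.
    var polls = 0
    val fake = RiskScoreSource { if (++polls < 3) null else 42.0 }
    val noSleep: (Duration) -> Unit = {}   // keep the demo instant

    // Report-only mode (no maxRiskScore): prints the score and returns it.
    checkRiskScore(fake, timeout = 20.seconds, sleep = noSleep)

    // Gate mode: 42.0 > 10.0, so the task would fail the build.
    polls = 0
    try {
        checkRiskScore(fake, timeout = 20.seconds, maxRiskScore = 10.0, sleep = noSleep)
    } catch (e: RiskScoreGateException) {
        println("Gate failed: ${e.message}")
    }
}
```

Two points worth keeping from this shape when wiring such a gate into a pipeline: the timeout is a typed Duration, so `20.seconds` cannot be misread as milliseconds, and an absent score fails closed rather than letting a release through because the API had not finished recomputing.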

Patrick Mirwald added 5 commits July 24, 2023 14:10
The README has been updated to clarify that the CycloneDX Gradle plugin is applied internally by the Gradle Dependency Track Companion plugin. This removes the need for users to manually include the CycloneDX plugin in their projects.
@nvima
Contributor Author

nvima commented Jul 24, 2023

@Ingwersaft
Added the task "generateSbom" and applied the CycloneDX Gradle Plugin internally.
Also added dependsOn, so that generateSbom always runs before uploadSbom, generateVex, ...
Modified integrationTests to use the generated SBOM instead of the Test SBOM File.

Adjusted README with new instructions and infos.

@nvima nvima requested a review from Ingwersaft July 24, 2023 12:41
@nvima nvima changed the title Add Risk Score Task Add Risk Score & Generate Sbom Jul 24, 2023
@nvima nvima merged commit 8ab0c7c into main Jul 25, 2023
1 check passed
@nvima nvima deleted the feat/risk_score_check branch July 25, 2023 06:54