MEND scan (#411)

razee-io · Nov 8, 2023 · 9c7127b · 9c7127b
1 parent ecc9234
commit 9c7127b
Show file tree

Hide file tree

Showing 6 changed files with 275 additions and 241 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -13,3 +13,6 @@ kubernetes/
 .env/
 testdata/
 .*
+
+# MEND unified agent
+wss-unified-agent.jar
diff --git a/.gitignore b/.gitignore
@@ -63,3 +63,6 @@ typings/
 ########### Custom ignores ###########
 dev/
 .npmrc
+
+# MEND unified agent
+wss-unified-agent.jar
diff --git a/.travis.yml b/.travis.yml
@@ -8,6 +8,11 @@ services:
 
 before_install:
   - echo "$DOCKERHUB_TOKEN" | docker login -u "icdevops" --password-stdin
+  - export WS_APIKEY=${WS_APIKEY}
+  - export WS_USERKEY=${WS_USERKEY}
+  - export WS_PRODUCTNAME=${WS_PRODUCTNAME}
+  - export WS_PROJECTNAME=FeatureFlagSetLD
+  - export WS_WSS_URL=https://ibmets.whitesourcesoftware.com/agent
 
 script:
   # Audit npm packages. Fail build whan a PR audit fails, otherwise report the vulnerability and proceed.
@@ -19,6 +24,8 @@ script:
   - docker images
   - ./build/process-template.sh kubernetes/FeatureFlagSetLD/resource.yaml >/tmp/resource.yaml
   - if [[ "${TRAVIS_TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then npm version --no-git-tag-version "${TRAVIS_TAG}"; fi
+  # Perform UA scan on non-PR builds
+  - if [ "${TRAVIS_PULL_REQUEST}" = "false" ]; then curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar; java -jar wss-unified-agent.jar -d . || echo "UA Scan Error occurred"; fi
 
 before_deploy:
   - docker login -u="${QUAY_ID}" -p="${QUAY_TOKEN}" quay.io

diff --git a/audit-ci.json b/audit-ci.json
@@ -1,29 +1,28 @@
 {
-    "low": true,
-    "_allowListExample": [
-      {
-        "GHSA-1234-5678-9012": {
-          "active": true,
-          "notes": "The package X has vuln Y that is ignored because Y",
-          "expiry": "2077-04-01"
-        }
-      },
-    ],
-    "allowlist": [
-      {
-        "GHSA-p8p7-x288-28g6": {
-          "active": true,
-          "notes": "The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP)",
-          "expiry": "2023-10-01"
-        }
-      },
-      {
-        "GHSA-72xf-g2v4-qvf3": {
-          "active": true,
-          "notes": "The Request package (see above) requires tough-cookie at a vulnerable version.",
-          "expiry": "2023-10-01"
-        }
-      }    ],
-    "skip-dev": true
-  }
-
+  "low": true,
+  "_allowListExample": [
+    {
+      "GHSA-1234-5678-9012": {
+        "active": true,
+        "notes": "The package X has vuln Y that is ignored because Y",
+        "expiry": "2077-04-01"
+      }
+    },
+  ],
+  "allowlist": [
+    {
+      "GHSA-p8p7-x288-28g6": {
+        "active": true,
+        "notes": "The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP)",
+        "expiry": "2023-12-31"
+      }
+    },
+    {
+      "GHSA-72xf-g2v4-qvf3": {
+        "active": true,
+        "notes": "The Request package (see above) requires tough-cookie at a vulnerable version.",
+        "expiry": "2023-12-31"
+      }
+    }    ],
+  "skip-dev": true
+}