daml/NOTICES.md
Brian Healey ca294eb14d
add blackduck scan to run on master (#6130) (#8161)
* add blackduck scan to run on master (#6130)

* add blackduck scan

* disable go scanning
exclude entire language-support/ts directory for node scanning
break to multiple lines to make command line params easier to parse

* Increase timeout for blackduck binary scan

* update blackduck scan config

* remove some exclusions, force python3

* exclude GO until path to go executable can be resolved

* added readme explanation of why we want this file

* fail in case of policy violation

* ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs

* trigger notices file gen to ensure BOM complete

* remove trailing end of lines

* run with latest detect version and unique code location name changes to wrapper script

* Add blackduck to daily compat job

* DO NOT MERGE: condition false to disable other jobs for testing

* remove parameters not available to cronjob

* Revert changes to regular CI pipeline

CHANGELOG_BEGIN
CHANGELOG_END

Signed-off-by: Brian Healey <brian.healey@digitalasset.com>

* Do not get branch name from variable

* Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability

* Remove disabling of other jobs, set to branch to be used on prod runs

* Apply suggestions from code review

Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>

* Address code review comments

* Updated NOTICES file

* Run bazel build, update NOTICES file

* Correct dade-assist

* do not have perms to pipe to dev/null

* Add md file explaining how to update NOTICES file

* Add instructions for running blackduck locally

* Add a link to full security-blackduck readme

Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 19:59:39 +00:00


Generating NOTICES file

The notices file is generated after the completion of an automated Blackduck scan of the entire daml repo.

At present the file has to be updated by running the scan manually and checking in the updated NOTICES file on a PR. In the future, a PR will be created automatically when the Blackduck scan in the daily compat job on master detects that the NOTICES file has changed.

To generate the file locally, run the Blackduck scan after performing a full Bazel build of the DAML repo.

Full details on running a Blackduck scan can be found at https://github.com/DACH-NY/security-blackduck/blob/master/README.md

  1. Run a full Bazel build: `bazel build //...`

  2. Create a personal Blackduck token and add it to an environment variable. Create the token by authenticating to the Blackduck site with your DA Google account at https://digitalasset.blackducksoftware.com/api/current-user/tokens

     Click Create New Token, give yourself read and write access, and give it a memorable name (- or similar). Copy the contents of the token and define it in a local environment variable called BLACKDUCK_HUBDETECT_TOKEN: `export BLACKDUCK_HUBDETECT_TOKEN=<token_you_have_just_created>`. The token is a credential: do not commit it or paste it into the PR.

  3. Run the Haskell Blackduck scan; see ci/cron/daily-compat.yml (L227-L234) at a17b340b47.

  4. Run the scan for all remaining languages, waiting for the notices file to be generated; see ci/cron/daily-compat.yml (L241-L257) at a17b340b47.

  5. Remove Windows line endings and rename the file to NOTICES: `tr -d '\015' <*_Black_Duck_Notices_Report.txt | grep -v dach-ny_daml-on-corda >NOTICES`

  6. Create a new PR with the changes and submit it for review for merge to master.
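The steps above can be wrapped in a small POSIX shell script that checks the token is exported before the scan is started, post-processes the newest report the way step 5 does, verifies that no CR bytes or excluded-project lines survived, and reports whether the result differs from the checked-in NOTICES (the signal the planned automatic PR would key on). This is an added example, not a script from the daml repo or the security-blackduck README; the report file pattern, the excluded project name dach-ny_daml-on-corda and the BLACKDUCK_HUBDETECT_TOKEN variable come from the steps above, while the function names, the NOTICES_EXCLUDE override and the `run` argument are this example's own.

```shell
#!/bin/sh
# Added example: post-process a Black Duck notices report into NOTICES.
# Assumptions (not from the daml repo): function names, NOTICES_EXCLUDE and
# the "run" argument are invented here; the report name pattern, the excluded
# project and the token variable name are the ones the README above uses.
set -eu

# Pre-flight check before launching the scan: the token must come from the
# environment, never from a file that could be committed.
require_token() {
    if [ -z "${BLACKDUCK_HUBDETECT_TOKEN:-}" ]; then
        echo "BLACKDUCK_HUBDETECT_TOKEN is not set; create one at" >&2
        echo "https://digitalasset.blackducksoftware.com/api/current-user/tokens" >&2
        return 1
    fi
}

# Step 5: drop CR bytes (Windows line endings) and every line mentioning the
# excluded project. Arguments: report path, output path.
normalise_report() {
    report=$1
    out=$2
    exclude=${NOTICES_EXCLUDE:-dach-ny_daml-on-corda}
    # grep -v exits 1 when it removes everything; the emptiness check below
    # is the real error, so the pipeline status is ignored here.
    tr -d '\015' <"$report" | grep -v -- "$exclude" >"$out" || true
    if ! [ -s "$out" ]; then
        echo "$out is empty; refusing to produce an empty NOTICES" >&2
        return 1
    fi
}

# Sanity checks on the produced file: no CR bytes survived and the excluded
# project is gone. Returns 0 only if both hold.
check_notices() {
    f=$1
    exclude=${NOTICES_EXCLUDE:-dach-ny_daml-on-corda}
    cr=$(printf '\r')
    if grep -q "$cr" "$f"; then
        echo "$f still contains CR bytes" >&2
        return 1
    fi
    if grep -q -- "$exclude" "$f"; then
        echo "$f still mentions $exclude" >&2
        return 1
    fi
}

# Prints "unchanged" when the new file is byte-identical to the checked-in
# one, otherwise "changed" (the condition under which a PR is needed).
notices_changed() {
    new=$1
    current=$2
    if [ -f "$current" ] && cmp -s "$new" "$current"; then
        echo unchanged
    else
        echo changed
    fi
}

# Ties the post-processing together for the newest report in the current
# directory. The scan itself (steps 3 and 4) must already have been run.
generate_notices() {
    report=$(ls -t ./*_Black_Duck_Notices_Report.txt 2>/dev/null | head -n 1)
    if [ -z "$report" ]; then
        echo "no *_Black_Duck_Notices_Report.txt found; run the scan first" >&2
        return 1
    fi
    normalise_report "$report" NOTICES.new
    check_notices NOTICES.new
    status=$(notices_changed NOTICES.new NOTICES)
    mv NOTICES.new NOTICES
    echo "NOTICES $status"
}

# Usage: BLACKDUCK_HUBDETECT_TOKEN=... sh gen-notices.sh run
if [ "${1:-}" = run ]; then
    require_token
    generate_notices
fi
```

Running it with the `run` argument from the repo root after the scans complete rewrites NOTICES in place and prints whether it changed; the functions can also be sourced and called one at a time, for example to check a NOTICES file someone else produced before approving their PR.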