From fbd9e3ff8f641b5c08fb752dc19db9475c5de7d2 Mon Sep 17 00:00:00 2001
From: Bastiaan
Date: Tue, 2 Apr 2024 17:06:48 +0200
Subject: [PATCH 1/2] Fix reported snyk vulnerabilities and set up Github Actions for the v2 branch
---
 .github/workflows/codeql.yml | 89 ++++++++++++++++++++++++
 .github/workflows/main.yml | 4 +-
 .github/workflows/snyk.yaml | 6 +-
 gradle.properties | 40 +++++------
 gradle/wrapper/gradle-wrapper.properties | 2 +-
 5 files changed, 116 insertions(+), 25 deletions(-)
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..0d7eb41
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,89 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "main", "dev", "v2" ]
+ pull_request:
+ branches: [ "main", "dev", "v2" ]
+ schedule:
+ - cron: '24 21 * * 0'
+
+jobs:
+ analyze:
+ name: Analyze
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners
+ # Consider using larger runners for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'java-kotlin' ]
+ # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
+ # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin' # See 'Supported distributions' for available options
+ java-version: '17'
+
+ # Initializes the CodeQL 
tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
\ No newline at end of file
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8279283..6799db1 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
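Review bot: The `uses:` references in the steps (`actions/checkout@v4`, `actions/setup-java@v4`, `github/codeql-action/init@v3`, `autobuild@v3`, `analyze@v3`) are pinned to mutable major-version tags, so whatever those tags point to on a given day runs inside a job that holds `security-events: write`. Pinning each step to a full commit SHA with the version kept in a trailing comment, `uses: actions/checkout@<full-commit-sha> # v4`, makes the resolved code immutable while Dependabot can still propose updates. The `permissions` block is already the minimal set CodeQL needs, which is good. Two smaller points: the file ends without a trailing newline (`\ No newline at end of file`), and `category: "/language:${{matrix.language}}"` drops the inner spaces that the other `${{ matrix.language }}` expressions in the file use.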
@@ -4,9 +4,9 @@ name: CI
 # Run in main and dev branches and in all pull requests to those branches
 on:
 push:
- branches: [ main, dev ]
+ branches: [ "main", "dev", "v2" ]
 pull_request:
- branches: [ main, dev ]
+ branches: [ "main", "dev", "v2" ]
 env:
 DOCKER_IMAGE: radarbase/radar-output-restructure
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index 06f5c8b..61e99ed 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -1,8 +1,7 @@
 name: Snyk test
 on:
 pull_request:
- branches:
- - main
+ branches: [ "main", "dev", "v2" ]
 jobs:
 security:
@@ -29,3 +28,6 @@ jobs:
 --configuration-matching='^runtimeClasspath$'
 --org=radar-base
 --policy-path=$PWD/.snyk
+ --all-projects
+ --severity-threshold=high
+ --fail-on=upgradable
diff --git a/gradle.properties b/gradle.properties
index cd4fcfd..07636f1 100644
--- a/gradle.properties
+++ b/gradle.properties
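Review bot: The added `--severity-threshold=high` and `--fail-on=upgradable` flags in the snyk.yaml hunk (`@@ -29,3 +28,6 @@`) narrow the CI gate in two ways the commit message does not mention: medium and low findings no longer fail the job, and, as I read the Snyk CLI documentation, `--fail-on=upgradable` fails only on vulnerabilities that have an upgrade path, so findings with no fix yet or only a patch pass silently. That may be the intended trade-off for keeping the build green, but it deserves a comment next to the flags, for example `# Gate only on high/critical issues with an available upgrade; other findings are reported in the Snyk UI, not here`, or the `--fail-on` flag should be dropped so unfixable findings still fail the build. `--all-projects` next to the existing `--configuration-matching='^runtimeClasspath$'` should also be checked against the CLI docs, since `--all-projects` discovers Gradle sub-projects on its own and I am not certain the two options combine as intended. The step that holds these arguments starts outside the hunk.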
@@ -1,31 +1,31 @@
 kotlin.code.style=official
-kotlinVersion=1.7.22
-dokkaVersion=1.7.20
-dockerComposeVersion=0.16.11
+kotlinVersion=1.9.22
+dokkaVersion=1.9.20
+dockerComposeVersion=0.17.5
 dependencyUpdateVersion=0.44.0
 nexusPublishVersion=1.1.0
 jsoupVersion=1.15.3
-coroutinesVersion=1.6.4
-avroVersion=1.11.1
-snappyVersion=1.1.8.4
-jacksonVersion=2.14.1
+coroutinesVersion=1.7.3
+avroVersion=1.11.3
+snappyVersion=1.1.10.5
+jacksonVersion=2.15.3
 jCommanderVersion=1.82
 almworksVersion=1.1.2
-minioVersion=8.4.6
+minioVersion=8.5.9
 guavaVersion=31.1-jre
-opencsvVersion=5.7.1
-okhttpVersion=4.10.0
-jedisVersion=4.3.1
-slf4jVersion=2.0.5
-log4jVersion=2.19.0
-azureStorageVersion=12.20.1
-nettyVersion=4.1.85.Final
-snakeYamlVersion=1.33
+opencsvVersion=5.8
+okhttpVersion=4.12.0
+jedisVersion=jedis-3.6.2
+slf4jVersion=2.0.9
+log4jVersion=2.21.0
+azureStorageVersion=12.25.1
+nettyVersion=4.1.100.Final
+snakeYamlVersion=2.2
 apacheCommonsTextVersion=1.10.0
-projectReactorNettyVersion=1.0.24
+projectReactorNettyVersion=1.1.13
-junitVersion=5.9.1
-mockitoKotlinVersion=4.1.0
-radarSchemasVersion=0.8.2
+junitVersion=5.10.0
+mockitoKotlinVersion=5.1.0
+radarSchemasVersion=0.8.7
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index f398c33..744c64d 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
 networkTimeout=10000
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
From 6a56499ab87d76871a8efc52965ff169fff8d0f3 Mon Sep 17 00:00:00 2001
From: Bastiaan
Date: Wed, 3 Apr 2024 11:15:29 +0200
Subject: [PATCH 2/2] bump version
---
 README.md | 4 ++--
 build.gradle.kts | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
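Review bot: `jedisVersion=jedis-3.6.2` in the gradle.properties hunk replaces `4.3.1` with a value that carries an artifact-name prefix and a lower version number; every other entry in the file is a bare Maven version, so this reads like a copied tag name rather than a coordinate, and a 4.x to 3.6.x move is a downgrade in a commit meant to close reported vulnerabilities. Confirm that the string actually resolves from the repository the build uses and that the intended target is not a current 4.x or 5.x release; the dependency declaration that consumes it is not in this hunk, so I cannot tell whether the prefix is deliberate. `snakeYamlVersion=1.33` to `2.2` also crosses the SnakeYAML 2.0 API break, which changed the loader and constructor entry points, so any YAML-loading code in the project should be compiled and exercised against it rather than assumed to work. A short comment above the Snyk-driven bumps naming what each one closes, `# bumped for <advisory id>`, would make the next audit of this file easier.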
diff --git a/README.md b/README.md
index e1f8ab6..3b1a2c2 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,7 @@ When upgrading to version 0.6.0 from version 0.5.x or earlier, please follow the
 This package is available as docker image [`radarbase/radar-output-restructure`](https://hub.docker.com/r/radarbase/radar-output-restructure). The entrypoint of the image is the current application. So in all the commands listed in usage, replace `radar-output-restructure` with for example:
 ```shell
-docker run --rm -t --network s3 -v "$PWD/output:/output" radarbase/radar-output-restructure:2.3.2 -o /output /myTopic
+docker run --rm -t --network s3 -v "$PWD/output:/output" radarbase/radar-output-restructure:2.3.3 -o /output /myTopic
 ```
 ## Command line usage
@@ -228,7 +228,7 @@ This package requires at least Java JDK 8. Build the distribution with
 and install the package into `/usr/local` with for example
 ```shell
 sudo mkdir -p /usr/local
-sudo tar -xzf build/distributions/radar-output-restructure-2.3.2.tar.gz -C /usr/local --strip-components=1
+sudo tar -xzf build/distributions/radar-output-restructure-2.3.3.tar.gz -C /usr/local --strip-components=1
 ```
 Now the `radar-output-restructure` command should be available.
diff --git a/build.gradle.kts b/build.gradle.kts
index 391a360..f3d9cf1 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -16,7 +16,7 @@ plugins {
 }
 group = "org.radarbase"
-version = "2.3.2"
+version = "2.3.3"
 repositories {
 mavenCentral()