
chore: Add blackduck scans to our pipeline #2081

Merged
merged 6 commits into from
Feb 4, 2022

Conversation

tomfrenken
Member

This PR adds blackduck to our pipeline; check out my fork to see how it works.

In Blackduck, each version is determined by the module version in Lerna and the github_ref_name, a.k.a. the branch name.
So the main branch will look like 1.57.2-main, while branches may look like 1.57.2-my-branch.

Additionally, it doesn't scan devDependencies.

Closes SAP/cloud-sdk-backlog#549.

@tomfrenken
Member Author

The refs seem to be 2081/merge instead of the branch's name 🤔

@tomfrenken
Member Author

I guess the PR number is just as sufficient, so no problem imo.
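An added example, not code from this PR or the SDK repository, showing how the Black Duck version name described in the PR description ("Lerna version" plus the ref name) comes out for a push to a branch and for a pull_request run, where GitHub's ref name is "2081/merge" as noted above. The lerna.json content is constructed, and the sed-based extraction and the helper function names are my own assumptions:

```shell
#!/bin/sh
# Added example, not code from the PR or the project. It reproduces the version
# naming the PR description explains ("<Lerna version>-<ref name>") for the
# triggers the workflow uses. The lerna.json content below is constructed.

# Extract the top-level "version" field from lerna.json content read from stdin.
lerna_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Derive GITHUB_REF_NAME from a full GITHUB_REF the way GitHub Actions does:
# refs/heads/<branch> -> <branch>, refs/tags/<tag> -> <tag>, and for
# pull_request runs refs/pull/<n>/merge -> "<n>/merge" (hence "2081/merge").
short_ref_name() {
  ref=$1
  ref=${ref#refs/heads/}
  ref=${ref#refs/tags/}
  ref=${ref#refs/pull/}
  printf '%s\n' "$ref"
}

# Compose the Black Duck project version: "<Lerna version>-<ref name>".
blackduck_version() {
  printf '%s-%s\n' "$1" "$(short_ref_name "$2")"
}

# Constructed sample lerna.json (not the repository's real file).
SAMPLE_LERNA='{
  "packages": ["packages/*"],
  "version": "1.57.2"
}'
ver=$(printf '%s\n' "$SAMPLE_LERNA" | lerna_version)

echo "push to 2.0:        $(blackduck_version "$ver" refs/heads/2.0)"
echo "push to main:       $(blackduck_version "$ver" refs/heads/main)"
echo "pull_request #2081: $(blackduck_version "$ver" refs/pull/2081/merge)"
```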

Contributor

jjtang1985 left a comment


Have you created some negative tests so we know the PRs can be blocked when positive findings are detected?

@tomfrenken
Member Author

> Have you created some negative tests so we know the PRs can be blocked when positive findings are detected?

Before I excluded the dev dependencies, the pipeline on my fork was failing. I guess I could try out another productive dependency to make sure it also fails on regular dependencies.

@tomfrenken
Member Author

tomfrenken commented Feb 3, 2022

While testing blackduck on my fork, I've had 3 findings:

  1. After adding a vulnerable dependency, which had a severity of high according to dependabot alerts, Blackduck did not deem the dependency a security risk.
  2. After adding my own test package with a proprietary license, it wasn't always detected by Blackduck, so somewhat flaky.
  3. Blackduck sometimes had performance issues: roughly 3-4 out of 66, so about 5% of my runs were stuck.

Contributor

florian-richter left a comment


Looks good!

on:
  pull_request: ~
  push:
    branches: [2.0]
Contributor


Should we add a comment or follow up ticket to change this to main once we merge 2.0 into it?

Member Author


Yeah, good point. Perhaps we should add it to whatever ticket we have to switch the default branch back to main.

@tomfrenken tomfrenken merged commit b03f2ec into 2.0 Feb 4, 2022
@tomfrenken tomfrenken deleted the blackduck branch February 4, 2022 09:22