Skip to content

License / copyright updates for change of stewardship #1461

License / copyright updates for change of stewardship

License / copyright updates for change of stewardship #1461

Workflow file for this run

name: Compliance
on:
# Run compliance jobs for pull requests, to make sure there are no issues before merging
pull_request:
# Re-run compliance jobs in main, to make sure there are no issues from the merge
push:
branches:
- main
# Use the release:publish event to generate compliance reports for releases
# This lines up with the packaging workflow, so reports will be published when packages are published
release:
types:
- published
# Allow manual triggering of the compliance jobs
workflow_dispatch:
# Use latest supported language versions for compliance jobs
env:
JAVA_VERSION: "21"
JAVA_DISTRIBUTION: "zulu"
PYTHON_VERSION: "3.12"
NODE_VERSION: "22"
jobs:
platform_compliance:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Java
uses: actions/setup-java@v4
with:
distribution: ${{ env.JAVA_DISTRIBUTION }}
java-version: ${{ env.JAVA_VERSION }}
cache: gradle
- name: License check
run: ./gradlew checkLicense
# Use a cache to save downloading the whole NVD on every build
# Dependency check will automatically look for updates and download the delta
- name: NVD restore cache (Java Platform)
id: cacheRestore
uses: actions/cache/restore@v4
with:
key: nvd-cache-java-platform
path: ./build/compliance-cache/nvd_java_platform
- name: OWASP recreate cache
if: steps.cacheRestore.outputs.cache-hit != 'true'
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
# In case of problems with this job, try enabling / disabling the remote cache
NVD_DATAFEED: "https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache/"
run: ./gradlew dependencyCheckUpdate
- name: OWASP dependency check
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
# In case of problems with this job, try enabling / disabling the remote cache
NVD_DATAFEED: "https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache/"
run: ./gradlew dependencyCheckAggregate
- name: NVD save cache (Java Platform)
if: always()
uses: actions/cache/save@v4
with:
key: nvd-cache-java-platform
path: ./build/compliance-cache/nvd_java_platform
# Always save the reports - they are especially needed when the checks have failed!
- name: Store compliance reports
uses: actions/upload-artifact@v4
if: always()
with:
name: compliance-reports-java
path: build/compliance/**
python_runtime_compliance:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: PIP Upgrade
run: python -m pip install --upgrade pip
# Make sure to check compliance on both core and plugin dependencies
- name: Install dependencies
run: |
cd tracdap-runtime/python
pip install -r requirements.txt
pip install -r requirements_plugins.txt
- name: License check
run: |
# Source license excpetions
. dev/compliance/license-config-python.sh
mkdir -p build/compliance/python-runtime-licenses
cd tracdap-runtime/python
pip-licenses --format=json --ignore-packages $IGNORE_LICENSE > ../../build/compliance/python-runtime-licenses/python-runtime-licenses.json
pip-licenses --format=html --ignore-packages $IGNORE_LICENSE > ../../build/compliance/python-runtime-licenses/python-runtime-licenses.html
pip-licenses --allow-only="$ALLOWED_LICENSES" --ignore-packages $IGNORE_LICENSE
# CVE-2019-8341 (safety id: 70612) is a vulnerability in the latest version of Jinja2, no fix is available
# It is only pulled in as a dependency of safety check itself, it is not a dependency of the dist wheels
- name: Safety check
run: |
mkdir -p build/compliance/python-runtime-safety
cd tracdap-runtime/python
safety check --ignore 70612 --output text > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.txt
safety check --ignore 70612 --output json > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.json
# Always save the reports - they are especially needed when the checks have failed!
- name: Store compliance reports
uses: actions/upload-artifact@v4
if: always()
with:
name: compliance-reports-python
path: build/compliance/**
web_api_compliance:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm
cache-dependency-path: tracdap-api/packages/web/package-lock.json
- name: Install dependencies
run: |
cd tracdap-api/packages/web
npm install
- name: License check
run: |
cd tracdap-api/packages/web
npm run compliance-licenses
- name: NPM audit
run: |
mkdir -p build/compliance/web-api-npm-audit
cd tracdap-api/packages/web
npm run compliance-audit
# Use a cache to save downloading global compliance data on every build (e.g. NVD)
# Compliance tasks will automatically look for updates and download deltas
- name: NVD restore cache (Web API)
uses: actions/cache/restore@v4
with:
key: nvd-cache-web-api
path: ./build/compliance-cache/nvd_web_api
# ODC version must be forced because the NodeJS wrapper breaks for versions >= 10.0.0
- name: OWASP dependency check
env:
NVD_DATAFEED: "https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache/"
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
run: |
mkdir -p build/compliance
cd tracdap-api/packages/web
mkdir -p ./dependency-check-bin/latest
if [ -n "${NVD_API_KEY}" ]; then
npm run compliance-owasp -- --nvdDatafeed "${NVD_DATAFEED}" --nvdApiKey "${NVD_API_KEY}"
else
npm run compliance-owasp -- --nvdDatafeed "${NVD_DATAFEED}"
fi
- name: NVD save cache (Web API)
if: always()
uses: actions/cache/save@v4
with:
key: nvd-cache-web-api
path: ./build/compliance-cache/nvd_web_api
# Always save the reports - they are especially needed when the checks have failed!
- name: Store compliance reports
uses: actions/upload-artifact@v4
if: always()
with:
name: compliance-reports-web
path: build/compliance/**
publish_to_github:
if: ${{ github.event_name == 'release' && github.event.action == 'published' }}
runs-on: ubuntu-latest
needs:
- platform_compliance
- python_runtime_compliance
- web_api_compliance
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get TRAC version
id: tracdap-version
run: |
tracdap_version=`dev/version.sh`
echo "tracdap_version = ${tracdap_version}"
echo "tracdap_version=${tracdap_version}" >> $GITHUB_OUTPUT
- name: Fetch Java compliance report artifacts
uses: actions/download-artifact@v4
with:
name: compliance-reports-java
path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}
- name: Fetch Python compliance report artifacts
uses: actions/download-artifact@v4
with:
name: compliance-reports-python
path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}
- name: Fetch web API compliance report artifacts
uses: actions/download-artifact@v4
with:
name: compliance-reports-web
path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}
- name: Build compliance reports tarball
run: zip -r tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.zip tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}/
- name: Publish compliance reports
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload $RELEASE_TAG tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.zip