fix(owasp):

- fixes owasp cache
- put unit tests after owasp dependency check to use cached build from there and cache override
specify owasp dependency check cache key
- change secret with role arn

fix: add regex check for AWS_DEPLOYMENT_ROLE_ARN

Author: Ti8m-BigA

.github/workflows/backend_build_push_image.yml

@@ -30,6 +30,30 @@ on:
         value: ${{ jobs.build-push-image.outputs.image }}
 
 jobs:
+  validate-secret-values:
+    runs-on: ubuntu-latest
+    environment:  ${{ inputs.environment }}
+    steps:
+      - name: Validate secret values
+        env:
+          AWS_DEPLOYMENT_ROLE_ARN: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
+          AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+        run: |
+          echo "Validating secret values for environment ${{ inputs.environment }}"
+          AWS_ROLE_PATTERN='^arn:aws:iam::[0-9]{12}:role\/[A-Za-z0-9+=,.@_-]+$'
+          echo "Roles should match pattern: $AWS_ROLE_PATTERN"
+          if [[ ! "$AWS_DEPLOYMENT_ROLE_ARN" =~ $AWS_ROLE_PATTERN ]]; then
+            echo "Invalid AWS_DEPLOYMENT_ROLE_ARN, does not match pattern $AWS_ROLE_PATTERN"
+            echo "Secret value length: ${#AWS_DEPLOYMENT_ROLE_ARN}"
+            exit 1
+          fi
+          if [[ ! "$AWS_OIDC_ROLE_ARN" =~ $AWS_ROLE_PATTERN ]]; then
+            echo "Invalid AWS_OIDC_ROLE_ARN, does not match pattern $AWS_ROLE_PATTERN"
+            echo "Secret value length: ${#AWS_OIDC_ROLE_ARN}"
+            exit 1
+          fi
+          echo "All secret values are valid"
+
   build-push-image:
     name: "Build and push docker image to ECR  ${{ inputs.environment }} - ${{ inputs.version }}"
     runs-on: ubuntu-latest
@@ -57,6 +81,7 @@ jobs:
           set -euo pipefail
           [[ "$VERSION" =~ ^[0-9]+(\.[0-9]+){2}([.-][0-9A-Za-z]+)*$ ]] || { echo "Invalid version"; exit 1; }
           echo "VERSION=$VERSION" >> "$GITHUB_ENV"
+          [[ "${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}" =~ ^arn:aws:iam::[0-9]{12}:role\/[A-Za-z0-9+=,.@_-]+$ ]] || { echo "Invalid AWS_DEPLOYMENT_ROLE_ARN, does not match pattern ^arn:aws:iam::\d+:role\/[\w-]+$"; exit 1; }
       - name: Checkout
         uses: actions/checkout@v6
         with:
@@ -85,17 +110,9 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v6
         with:
-          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+          role-to-assume: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
           aws-region: ${{ env.AWS_REGION }}
-
-      # activate once blueprint is ready
-      #      - name: Assume deployment role
-      #        uses: aws-actions/configure-aws-credentials@v4
-      #        with:
-      #          role-to-assume: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
-      #          aws-region: ${{ env.AWS_REGION }}
-      #          role-chaining: true
-      #          role-skip-session-tagging: true
+#          role-skip-session-tagging: true
 
       - name: Login to AWS ECR
         id: login-ecr

.github/workflows/backend_owasp_dependency_check.yml

@@ -23,44 +23,51 @@ jobs:
           java-version: '25'
           distribution: 'corretto'
 
-      - name: Get Date for OWASP Cache
-        id: get-cache-date
-        run: |
-          echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
-        shell: bash
-
-      - name: check NIST key length
-        env:
-          NIST_OWASP_API_KEY: ${{ secrets.NIST_OWASP_API_KEY }}
-        run: |
-          echo "Key length: ${#NIST_OWASP_API_KEY}"
-
       - name: Restore Maven Cache
         uses: actions/cache/restore@v5
         with:
           path: ~/.m2/repository
-          # Using date in cache key as OWASP database may change, without the pom changing
-          key: ${{ runner.os }}-owasp-${{ steps.get-cache-date.outputs.date }}-${{ hashFiles('**/pom.xml') }}
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
-            ${{ runner.os }}-owasp-${{ steps.get-cache-date.outputs.date }}
-            ${{ runner.os }}-owasp-
+            ${{ runner.os }}-maven-
 
       - name: Maven install
         run: mvn -B install -DskipTests -T 1C
 
+      - name: Get Date for OWASP Cache
+        id: get-cache-date
+        run: |
+          echo "date=$(/bin/date -u "+%Y%m%d%H")" >> $GITHUB_OUTPUT
+        shell: bash
+
+      - name: Restore Dependency-Check Cache
+        uses: actions/cache/restore@v5
+        with:
+          path: ${{ github.workspace }}/.dependency-check
+          key: ${{ runner.os }}-dependency-check-${{ steps.get-cache-date.outputs.date }}
+          restore-keys: |
+            ${{ runner.os }}-dependency-check-
+
       - name: Run OWASP Dependency Check
         run: |
           mvn org.owasp:dependency-check-maven:check \
+            -DdataDirectory="${{ github.workspace }}/.dependency-check" \
             -DossindexAnalyzerEnabled=false \
             -DnvdApiKey=${{ secrets.NIST_OWASP_API_KEY }} \
-            -DossindexAnalyzerEnabled=false \
             -DpnpmAuditAnalyzerEnabled=false \
             -DnodeAuditAnalyzerEnabled=false \
             -DyarnAuditAnalyzerEnabled=false
 
-      - name: Save Maven Cache
+      - name: Save Dependency-Check Cache
         uses: actions/cache/save@v5
         if: always()
+        with:
+          path: ${{ github.workspace }}/.dependency-check
+          key: ${{ runner.os }}-dependency-check-${{ steps.get-cache-date.outputs.date }}
+
+      - name: Save Maven Cache
+        uses: actions/cache/save@v5
+        if: success()
         with:
           path: ~/.m2/repository
-          key: ${{ runner.os }}-owasp-${{ steps.get-cache-date.outputs.date }}-${{ hashFiles('**/pom.xml') }}
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}

.github/workflows/backend_workflow.yml

@@ -75,6 +75,30 @@ on:
         description: "GitHub App private key matching the deployment-app-id input, used for deployment authentication and creating PRs on the infrastructure repository"
         required: true
 jobs:
+  validate-secret-values:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Validate secret values
+        env:
+          AWS_DEPLOYMENT_ROLE_ARN: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
+          AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+        run: |
+          echo "Validating secret values for environment ${{ inputs.environment }}"
+          AWS_ROLE_PATTERN='^arn:aws:iam::[0-9]{12}:role\/[A-Za-z0-9+=,.@_-]+$'
+          echo "Roles should match pattern: $AWS_ROLE_PATTERN"
+          if [[ ! "$AWS_DEPLOYMENT_ROLE_ARN" =~ $AWS_ROLE_PATTERN ]]; then
+            echo "Invalid AWS_DEPLOYMENT_ROLE_ARN, does not match pattern $AWS_ROLE_PATTERN"
+            echo "Secret value length: ${#AWS_DEPLOYMENT_ROLE_ARN}"
+            exit 1
+          fi
+          if [[ ! "$AWS_OIDC_ROLE_ARN" =~ $AWS_ROLE_PATTERN ]]; then
+            echo "Invalid AWS_OIDC_ROLE_ARN, does not match pattern $AWS_ROLE_PATTERN"
+            echo "Secret value length: ${#AWS_OIDC_ROLE_ARN}"
+            exit 1
+          fi
+          echo "All secret values are valid"
+
   checkstyle:
     name: "."
     uses: ./.github/workflows/backend_checkstyle.yml
@@ -98,7 +122,7 @@ jobs:
   unit-test-sonarqube:
     name: "."
     uses: ./.github/workflows/backend_unit_test_sonarqube.yml
-    needs: [ checkstyle, gitleaks ]
+    needs: [ checkstyle, gitleaks, owasp-dependency-check ]
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 

.gitignore

@@ -1 +1,2 @@
 /.idea/
+/*.iml