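# SAST workflow: runs the SonarCloud scanner on every push (except Dependabot
# branches), on pull_request_target and on manual dispatch; on the main branch
# of the upstream repository it additionally exports the Sonar report to
# DefectDojo.
#
# Security model of the triggers:
#   - pull_request_target runs in the context of the BASE repository with its
#     secrets available. The checkout below therefore deliberately keeps the
#     default ref (the base branch) and must NOT be changed to the PR head:
#     `./gradlew clean test` executes build scripts, so a fork could otherwise
#     run arbitrary code with SONAR_TOKEN / DOJO_TOKEN in the environment.
#     As a consequence the PR scan analyses base-branch sources tagged with the
#     PR's key/base/branch; analysing the PR head itself belongs in a separate
#     job under the unprivileged `pull_request` trigger.
#   - Third-party actions are pinned to tags. Pinning each `uses:` to a full
#     commit SHA (tag kept in a trailing comment) makes the action supply chain
#     immutable; Dependabot can keep such pins current.
name: SAST - SonarCloud
on:
  push:
    branches-ignore:
      - 'dependabot/**'
  pull_request_target:
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: no step in this workflow writes to the
# repository. Widen per job if a future step needs more.
permissions:
  contents: read

jobs:
  check-secrets:
    name: Check secrets presence
    env:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    runs-on: ubuntu-latest
    steps:
      # Fail fast with an explicit message instead of an opaque scanner error
      # later in the analysis job.
      - run: |
          if [[ -z "$SONAR_TOKEN" ]]; then
            echo "SONAR_TOKEN secret is not set" >&2
            exit 1
          fi

  analysis:
    name: Analysis
    needs: check-secrets
    runs-on: ubuntu-latest
    # Secrets are scoped to the individual steps that need them (scan and
    # publish) instead of being exported job-wide, so the Gradle build and the
    # tool-setup steps never see them.
    steps:
      # Derived identifiers shared by the scan and publish steps. Only
      # repository-owned context values are interpolated here; they are
      # exported through GITHUB_ENV so later steps read them as plain env vars.
      - run: echo "ORGANIZATION=${{ github.repository_owner }}" >> "$GITHUB_ENV"
      - run: echo "PROJECT_KEY=${{ github.repository_owner }}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> "$GITHUB_ENV"
      - run: echo "SCAN_DATE=$(TZ='EET' date '+%Y-%m-%d')" >> "$GITHUB_ENV"
      # Full history so Sonar can compute new-code and blame information.
      # No `ref:` on purpose - see the header comment.
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: '17'
      # Validate the checked-in Gradle wrapper before anything executes it.
      - uses: gradle/actions/wrapper-validation@v5
      - uses: gradle/actions/setup-gradle@v5
      - run: ./gradlew clean test koverXmlReport
      # Branch analysis (push / manual run).
      - uses: sonarsource/sonarqube-scan-action@v7.0.0
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          projectBaseDir: ${{ github.workspace }}
          args: >
            -Dsonar.organization=${{ env.ORGANIZATION }}
            -Dsonar.projectKey=${{ env.PROJECT_KEY }}
            -Dsonar.scanner.skipJreProvisioning=true
            -Dsonar.language=kotlin
            -Dsonar.coverage.jacoco.xmlReportPaths=build/reports/kover/report.xml
            -Dsonar.kotlin.coverage.reportPaths=build/reports/kover/report.xml
            -Dsonar.sources=src/main
            -Dsonar.tests=src/test
            -Dsonar.java.binaries=build/classes/kotlin/
            -Dsonar.kotlin.binaries=build/classes/kotlin/
      # Pull-request analysis (base-branch sources, PR metadata).
      - uses: sonarsource/sonarqube-scan-action@v7.0.0
        if: github.event_name == 'pull_request_target'
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          projectBaseDir: ${{ github.workspace }}
          # NOTE(review): `pull_request.head.ref` is a fork-controlled branch
          # name interpolated into the scanner arguments under a privileged
          # trigger. If the action hands `args` to a shell unquoted this is an
          # injection point; confirm against the action's implementation, or
          # route the value through a step-level env var instead of `${{ }}`
          # interpolation. `pull_request.number` and `base.ref` are not
          # attacker-controlled.
          args: >
            -Dsonar.organization=${{ env.ORGANIZATION }}
            -Dsonar.projectKey=${{ env.PROJECT_KEY }}
            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
            -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }}
            -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
            -Dsonar.scanner.skipJreProvisioning=true
            -Dsonar.language=kotlin
            -Dsonar.coverage.jacoco.xmlReportPaths=build/reports/kover/report.xml
            -Dsonar.kotlin.coverage.reportPaths=build/reports/kover/report.xml
            -Dsonar.sources=src/main
            -Dsonar.tests=src/test
            -Dsonar.java.binaries=build/classes/kotlin/
            -Dsonar.kotlin.binaries=build/classes/kotlin/
      # Node is only needed for sonar-report below. Node 18 is past upstream
      # end-of-life; move to a supported LTS line once sonar-report allows it.
      - uses: actions/setup-node@v6
        if: github.repository_owner == 'eu-digital-identity-wallet' && github.ref_name == 'main' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
        with:
          node-version: '18'
      # Render the SonarCloud findings with sonar-report and reimport them into
      # DefectDojo. Runs only for the upstream main branch; forks and feature
      # branches do not publish.
      - name: Publish Sonar Report
        if: github.repository_owner == 'eu-digital-identity-wallet' && github.ref_name == 'main' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          DEFECT_DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }}
          DEFECT_DOJO_URL: ${{ secrets.DOJO_URL }}
        run: |
          npm cache clean --force
          npm install -g sonar-report@3.0.10
          # Secrets are read from the environment rather than interpolated
          # into the script text, so they never land in the generated shell
          # file.
          sonar-report \
            --sonarurl="https://sonarcloud.io" \
            --sonarorganization="$ORGANIZATION" \
            --branch="${{ github.ref_name }}" \
            --sonartoken="$SONAR_TOKEN" \
            --output sonarreport.html \
            --application="$PROJECT_KEY" \
            --sonarcomponent="$PROJECT_KEY"
          # --fail: an HTTP error from DefectDojo must fail the step instead of
          # leaving the job green with nothing imported.
          curl --fail -X POST "$DEFECT_DOJO_URL/api/v2/reimport-scan/" \
            -H "Authorization: Token $DEFECT_DOJO_TOKEN" \
            -F "active=true" \
            -F "scan_type=SonarQube Scan detailed" \
            -F "minimum_severity=Info" \
            -F "skip_duplicates=true" \
            -F "close_old_findings=true" \
            -F "file=@sonarreport.html" \
            -F "scan_date=$SCAN_DATE" \
            -F "auto_create_context=True" \
            -F "product_name=${{ github.repository }}-${{ github.ref_name }}" \
            -F "engagement_name=Static Application Security Testing - ${{ github.repository }}-${{ github.ref_name }}"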