|
9 | 9 | required: true |
10 | 10 | WS_USER_KEY: |
11 | 11 | required: true |
| 12 | + WS_COMPLIANCE_THRESHOLD: |
| 13 | + required: true |
12 | 14 | inputs: |
13 | 15 | product_name: |
14 | 16 | type: string |
@@ -87,13 +89,51 @@ jobs: |
87 | 89 | run: | |
88 | 90 | cat ${{ steps.report.outputs.mend-report-file }} | jq . |
89 | 91 |
|
| 92 | + - name: Check for rejected policies |
| 93 | + if: success() || steps.scan.conclusion == 'failure' |
| 94 | + id: rejected |
| 95 | + run: | |
| 96 | + file=${{ steps.report.outputs.mend_report_file }} |
| 97 | +
|
| 98 | + if [[ -n "$file" ]]; then |
| 99 | + echo -e "\nParsing Mend scan report file - $file\n" |
| 100 | + result=$(jq -c ".libraries[] | select (.policyDetails.status == \"Reject\")" "$file") |
| 101 | +
|
| 102 | + # Check for rejected policies |
| 103 | + if [[ -z "$result" ]]; then |
| 104 | + echo "Currently there are no rejected libraries found" |
| 105 | + exit 0 |
| 106 | + fi |
| 107 | +
|
| 108 | + # Checking Compliance Threshold |
| 109 | + echo -e "\nWS_COMPLIANCE_THRESHOLD = ${{ secrets.WS_COMPLIANCE_THRESHOLD }}\n" |
| 110 | +
|
| 111 | + vulnerabilities=$(echo "$result" | jq -r ".vulnerabilities[] | select(.score >= ${{ secrets.WS_COMPLIANCE_THRESHOLD }})") |
| 112 | + if [[ -z "$vulnerabilities" ]]; then |
| 113 | + echo "Mend has not detected any vulnerable libraries with score >= ${{ secrets.WS_COMPLIANCE_THRESHOLD }}" |
| 114 | + fi |
| 115 | +
|
| 116 | + empty_fix=$(echo "$vulnerabilities" | jq -c 'select(.topFix == null or .topFix == {})') |
| 117 | + if [[ -n "$empty_fix" ]]; then |
| 118 | + echo "The vulnerabilities that are currently identified does not have any fixes available." |
| 119 | + echo "$empty_fix" | jq -r '.name' |
| 120 | + echo "Allow the job to proceed with exit_code=0" |
| 121 | + exit 0 |
| 122 | + else |
| 123 | + echo "The reported vulnerabilities has the fixes available. Breaking the pipeline as per compliance" |
| 124 | + echo "$vulnerabilities" | jq -r '.name' |
| 125 | + fi |
| 126 | + else |
| 127 | + echo "Unable to locate the mend scan report file. No parsing performed" |
| 128 | + fi |
| 129 | +
|
90 | 130 | - name: Store mend report |
91 | 131 | if: success() || steps.scan.conclusion == 'failure' |
92 | 132 | uses: actions/upload-artifact@v4 |
93 | 133 | with: |
94 | 134 | name: mend-scan-report |
95 | 135 | path: whitesource |
96 | | - retention-days: 7 |
| 136 | + retention-days: 1 |
97 | 137 |
|
98 | 138 | - name: Final scan result |
99 | 139 | if: ${{ steps.scan.outcome == 'failure' }} |
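Review bot: The new "Check for rejected policies" step can never fail the job: the branch at new line 123 announces "Breaking the pipeline as per compliance" but has no non-zero exit, and the empty-`$vulnerabilities` check at lines 112-114 does not return, so an empty result falls through to `empty_fix` (also empty) and lands in that same else branch; add `exit 0` after line 113 and `exit 1` after line 124. Line 96 reads `steps.report.outputs.mend_report_file` while the existing line 90 reads `mend-report-file`, so one of the two is almost certainly empty and this step would always take the "Unable to locate" branch. The threshold is interpolated straight into the shell and into the jq program via `${{ secrets.WS_COMPLIANCE_THRESHOLD }}` on lines 109-113 and echoed to the log; exposing it through `env:` and passing it with `jq -r --argjson t "$WS_COMPLIANCE_THRESHOLD" '.vulnerabilities[] | select(.score >= $t)'` keeps an unexpected value from being executed as shell or jq, and a threshold is better held as a repository variable than a secret. The `steps:` sequence and the job that enclose this step begin outside the hunk.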
|