From fce02098abdbc82f2d2909660c4a905612da39c8 Mon Sep 17 00:00:00 2001 From: tfb Date: Thu, 22 Jan 2026 10:08:01 +0100 Subject: [PATCH 01/10] DPSTAT-1397 updating build for trivy --- .github/workflows/build.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 119ea04..28e646d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -36,3 +36,16 @@ jobs: - name: Build with Maven and deploy to Artifact Registry run: mvn --batch-mode -P ssb-bip deploy + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: 'trivy-results.sarif' From ef0444280402ba77b139b27ee4940083af8d9908 Mon Sep 17 00:00:00 2001 From: tfb Date: Fri, 23 Jan 2026 11:55:44 +0100 Subject: [PATCH 02/10] DPSTAT-1397 updating build for trivy with master configuration --- .github/workflows/build.yml | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 28e646d..1145e51 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
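Review bot: Both new steps reference third-party actions by mutable tag (`aquasecurity/trivy-action@0.33.1`, `github/codeql-action/upload-sarif@v4`), so the code that runs inside this job can change without any change to this file; pin them to a full commit SHA and keep the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # v0.33.1`. The scanner is also placed after `Build with Maven and deploy to Artifact Registry`, so an artifact with critical findings has already been published by the time the step reports on it; running the scan before the deploy step lets the result gate the publish. With no `exit-code` set the step only reports and never fails the job, which is fine for a reporting-only scan but deserves a comment such as `# reporting only: exit-code defaults to 0, findings go to the Security tab`. `upload-sarif` additionally needs `security-events: write` in the job's `permissions`, which this patch does not add (the permissions block visible in patch 04's first hunk shows only `contents: read` and `id-token: write` before that patch).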
@@ -36,16 +36,14 @@ jobs: - name: Build with Maven and deploy to Artifact Registry run: mvn --batch-mode -P ssb-bip deploy - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.33.1 + - name: Fail build on High/Criticial Vulnerabilities + uses: aquasecurity/trivy-action@master with: - scan-type: 'fs' + scan-type: "fs" + format: table + scan-ref: . + severity: HIGH,CRITICAL ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: 'trivy-results.sarif' + exit-code: 1 + # On a subsequent call to the action we know trivy is already installed so can skip this + skip-setup-trivy: true From fc573771b026e1859cab78d697312f3f8f00825e Mon Sep 17 00:00:00 2001 From: tfb Date: Fri, 23 Jan 2026 12:00:37 +0100 Subject: [PATCH 03/10] DPSTAT-1397 remove skip set up failing the build --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1145e51..ebdc80a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,4 +46,3 @@ jobs: ignore-unfixed: true exit-code: 1 # On a subsequent call to the action we know trivy is already installed so can skip this - skip-setup-trivy: true From 9972a2a516b151dfe9fe86958582b63389ee8851 Mon Sep 17 00:00:00 2001 From: tfb Date: Fri, 23 Jan 2026 12:35:38 +0100 Subject: [PATCH 04/10] DPSTAT-1397 changes after PR --- .github/workflows/build.yml | 44 ++++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ebdc80a..07fd8e2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -14,7 +14,7 @@ jobs: permissions: contents: read id-token: write - + security-events: write steps: - uses: actions/checkout@v3 
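Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a moving branch rather than a release, a step back from `@0.33.1` in the previous patch: whatever is on that branch when the job runs executes with this job's permissions and credentials, and an upstream breakage or bad commit affects every build immediately. Pin to a commit SHA with the version in a comment, `uses: aquasecurity/trivy-action@<commit-sha> # v0.33.1`, or at minimum a release tag. The step name carries a typo (`Criticial`), and the comment above `skip-setup-trivy: true` claims an earlier invocation installed Trivy, yet after this patch this is the only Trivy step in the job, so nothing has installed it. Removing the SARIF step also drops the only path that recorded findings in the Security tab; a table on the job log disappears with the run.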
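Review bot: The comment `# On a subsequent call to the action we know trivy is already installed so can skip this` is kept while the `skip-setup-trivy: true` key it explained is deleted, so it now trails the last key of the step and describes nothing. Drop the comment line as well, or if the absence of the option should be documented, replace it with `# skip-setup-trivy must stay off: this is the only Trivy step, so nothing has installed Trivy yet`. The step this hunk edits starts outside the hunk.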
@@ -25,6 +25,34 @@ jobs: distribution: zulu cache: maven + - name: Build with Maven + run: mvn --batch-mode -P ssb-bip package + + - name: Fail build on High/Critical Vulnerabilities + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + format: 'table' + scan-ref: '.' + severity: 'HIGH,CRITICAL' + ignore-unfixed: true + exit-code: 1 + + - name: Run Trivy vulnerability scanner (SARIF for reporting) + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + skip-setup-trivy: true + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: 'trivy-results.sarif' + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@v1.1.1 @@ -34,15 +62,5 @@ jobs: token_format: access_token - name: Build with Maven and deploy to Artifact Registry - run: mvn --batch-mode -P ssb-bip deploy - - - name: Fail build on High/Criticial Vulnerabilities - uses: aquasecurity/trivy-action@master - with: - scan-type: "fs" - format: table - scan-ref: . - severity: HIGH,CRITICAL - ignore-unfixed: true - exit-code: 1 - # On a subsequent call to the action we know trivy is already installed so can skip this + if: success() + run: mvn --batch-mode -P ssb-bip deploy \ No newline at end of file From 75960824bd52936d07e30c9704f193991e889b20 Mon Sep 17 00:00:00 2001 From: tfb Date: Fri, 23 Jan 2026 12:55:04 +0100 Subject: [PATCH 05/10] DPSTAT-1397 udpated from ssb bip to gar --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 07fd8e2..ba99866 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
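Review bot: The gating scan (`exit-code: 1`, `severity: 'HIGH,CRITICAL'`) runs before the SARIF scan and its upload, so whenever findings exist the job stops at the gate and `Upload Trivy scan results to GitHub Security tab` never runs — the Security tab is populated only on clean builds, which is when it is least needed. Move the SARIF scan and the upload step ahead of the gating scan (the SARIF step keeps the default exit code 0, so it reports without failing) and move `skip-setup-trivy: true` onto whichever Trivy step then comes second, since it relies on the first step having installed Trivy. Both Trivy steps use `@master`; pin them to a commit SHA as noted on the earlier patch. `ignore-unfixed: true` on the SARIF step also keeps findings without an available fix out of the Security tab, which may be intended but should be stated in a comment. The `steps` list this hunk edits continues outside the hunk.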
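Review bot: `if: success()` on the deploy step is what GitHub Actions applies to any step whose `if` has no explicit status-check function, so the added line changes nothing; the intent — that the deploy only happens once the Trivy gate above has passed — is better recorded as a comment, e.g. `# runs only if the Trivy gate above did not fail the job`. The hunk also drops the file's trailing newline (`\ No newline at end of file`); restore it so the next edit does not carry a spurious diff line.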
@@ -63,4 +63,4 @@ jobs: - name: Build with Maven and deploy to Artifact Registry if: success() - run: mvn --batch-mode -P ssb-bip deploy \ No newline at end of file + run: mvn --batch-mode -P ssb-gar deploy \ No newline at end of file From e1454668fbef39eb83b3e65dd43ec1b039e50b2b Mon Sep 17 00:00:00 2001 From: tfb Date: Fri, 23 Jan 2026 13:31:33 +0100 Subject: [PATCH 06/10] DPSTAT-1397 upgrading 2 high vulnerability libraries --- pom.xml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 9ffe7d0..22c6082 100644 --- a/pom.xml +++ b/pom.xml @@ -17,7 +17,7 @@ 1.3.3 32.0.0-jre 1.5.1 - 1.4.6 + 1.4.12 1.18.30 4.3.7 4.4.0 @@ -27,6 +27,7 @@ 2.9.1 2.11.5 3.2.2 + 3.25.5 2.1.4 @@ -134,6 +135,12 @@ tika-core ${tika.version} + + com.google.protobuf + protobuf-java + ${protobuf.version} + + net.lingala.zip4j zip4j @@ -381,7 +388,7 @@ - ssb-bip + ssb-gar artifact-registry From 7f0b5a7a2a3fa6f9dfe0285d934961e47a09aba5 Mon Sep 17 00:00:00 2001 From: tfb Date: Fri, 23 Jan 2026 13:33:14 +0100 Subject: [PATCH 07/10] DPSTAT-1397 reverting the change of profile --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 22c6082..dd3fa86 100644 --- a/pom.xml +++ b/pom.xml @@ -388,7 +388,7 @@ - ssb-gar + ssb-bip artifact-registry From 8172c32b94817fe339047eef58dce384e0f7728f Mon Sep 17 00:00:00 2001 From: tfb Date: Fri, 23 Jan 2026 13:36:22 +0100 Subject: [PATCH 08/10] DPSTAT-1397 change of profile to ssb-gar --- .github/workflows/build.yml | 2 +- pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ba99866..6a7c3ed 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
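Review bot: The new `protobuf-java` entry (property `3.25.5`) appears to be declared as a direct dependency next to `tika-core` rather than under `dependencyManagement`; the XML tags are stripped in this view, so that is inferred. A direct declaration does win over the transitive version by Maven's nearest-wins rule, but it also puts protobuf on the compile classpath as an explicit dependency even if the code does not use it, whereas a `dependencyManagement` entry pins the version for whichever library pulls it in without adding a dependency. Whichever form is kept, record why the pin exists so it is not removed later, e.g. `<!-- pinned to override the transitive version flagged by Trivy (DPSTAT-1397) -->`; the artifact behind the `1.4.6` → `1.4.12` bump is not visible here and deserves the same comment. The `@@ -381,7` hunk in this patch changes the profile id from `ssb-bip` to `ssb-gar`, which is unrelated to the subject and is reverted by the next patch.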
@@ -26,7 +26,7 @@ jobs: cache: maven - name: Build with Maven - run: mvn --batch-mode -P ssb-bip package + run: mvn --batch-mode -P ssb-gar package - name: Fail build on High/Critical Vulnerabilities uses: aquasecurity/trivy-action@master diff --git a/pom.xml b/pom.xml index dd3fa86..22c6082 100644 --- a/pom.xml +++ b/pom.xml @@ -388,7 +388,7 @@ - ssb-bip + ssb-gar artifact-registry From 18606a4496300c11587ecd026ceba58acf043dda Mon Sep 17 00:00:00 2001 From: tfb Date: Fri, 23 Jan 2026 13:40:49 +0100 Subject: [PATCH 09/10] DPSTAT-1397 moving google authentication sequence for failed build --- .github/workflows/build.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6a7c3ed..26b1b9d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,6 +25,14 @@ jobs: distribution: zulu cache: maven + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@v1.1.1 + with: + workload_identity_provider: "projects/848539402404/locations/global/workloadIdentityPools/gh-actions/providers/gh-actions" + service_account: "gh-actions-dapla-pseudo@artifact-registry-5n.iam.gserviceaccount.com" + token_format: access_token + - name: Build with Maven run: mvn --batch-mode -P ssb-gar package @@ -53,13 +61,6 @@ jobs: with: sarif_file: 'trivy-results.sarif' - - name: Authenticate to Google Cloud - id: auth - uses: google-github-actions/auth@v1.1.1 - with: - workload_identity_provider: "projects/848539402404/locations/global/workloadIdentityPools/gh-actions/providers/gh-actions" - service_account: "gh-actions-dapla-pseudo@artifact-registry-5n.iam.gserviceaccount.com" - token_format: access_token - name: Build with Maven and deploy to Artifact Registry if: success() From 2ab0897f8a34c3609ea60876a9bb42fedae749cd Mon Sep 17 00:00:00 2001 
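Review bot: Moving `Authenticate to Google Cloud` ahead of the build means the token it mints (`token_format: access_token`) is available to every later step, including the two Trivy steps that run `aquasecurity/trivy-action@master`; anything that lands on that branch upstream now executes with a live credential for the `gh-actions-dapla-pseudo` service account, whereas before only the deploy step followed the auth step. If the `ssb-gar` profile needs the token to resolve dependencies from Artifact Registry during `package`, keep the move but pin the Trivy, checkout and upload actions to commit SHAs first; otherwise authenticate immediately before the step that needs it, as before. A comment above the auth step, e.g. `# auth before build: the ssb-gar profile resolves dependencies from Artifact Registry during package`, would record the reason the commit message only hints at. `google-github-actions/auth@v1.1.1` is itself a tag rather than a SHA and should be pinned the same way.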
From: tfb Date: Mon, 26 Jan 2026 11:35:14 +0100 Subject: [PATCH 10/10] DPSTAT-1397 changing profile to ssb-gar --- .github/workflows/build.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6e841ee..777cd25 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -32,6 +32,7 @@ jobs: workload_identity_provider: "projects/848539402404/locations/global/workloadIdentityPools/gh-actions/providers/gh-actions" service_account: "gh-actions-dapla-pseudo@artifact-registry-5n.iam.gserviceaccount.com" token_format: access_token + - name: Build with Maven run: mvn --batch-mode -P ssb-gar package @@ -62,8 +63,8 @@ jobs: - name: Build and test with Maven if: github.event_name == 'pull_request' - run: mvn --batch-mode -P ssb-bip clean test + run: mvn --batch-mode -P ssb-gar clean test - name: Build with Maven and deploy to Artifact Registry if: github.event_name == 'push' && github.ref == 'refs/heads/master' && success() - run: mvn --batch-mode -P ssb-bip deploy -Dmaven.javadoc.skip=true + run: mvn --batch-mode -P ssb-gar deploy -Dmaven.javadoc.skip=true