diff --git a/.devops/credscan/appcat-rulesets.json b/.devops/credscan/appcat-rulesets.json
new file mode 100644
index 00000000..1c0873e2
--- /dev/null
+++ b/.devops/credscan/appcat-rulesets.json
@@ -0,0 +1,42 @@
+{
+ "tool": "Credential Scanner",
+ "suppressions": [
+ {
+ "file": [
+ "rules/rules-reviewed/azure/tests/data/azure-database-config/application-prod.properties",
+ "rules/rules-reviewed/azure/tests/data/azure-database-config/application.properties",
+ "rules/rules-reviewed/azure/tests/data/azure-keystore-certificates/test.jks",
+ "rules/rules-reviewed/azure/tests/data/azure-password/application-prod.properties",
+ "rules/rules-reviewed/azure/tests/data/azure-password/application.properties",
+ "rules/rules-reviewed/azure/tests/data/azure-password/application.yaml",
+ "rules/rules-reviewed/eap6/jboss-eap4/tests/samples/mysql-ds.xml",
+ "rules/rules-reviewed/azure/eap/test/data/eap-to-azure-appservice-datasource-driver/postgresql-ds.xml",
+ "rules/rules-reviewed/quarkus/springboot/tests/data/springboot-metrics/application.properties"
+ ],
+ "_justification": "Test values for unit tests run locally during CI/CD or local development only. No external systems are affected or named."
+ },
+ {
+ "file": [
+ "rules/scripts/output-data/all_rules.xml",
+ "rules/scripts/output-data/all_rules.csv",
+ "rules/rules-archived/eap6/weblogic/weblogic-webservices.windup.xml",
+ "rules/rules-reviewed/eap7/weblogic/weblogic-webservices.windup.xml",
+ "rules/migration-core/eap7/weblogic/weblogic-webservices.windup.xml"
+ ],
+ "_justification": "Documentation only, sets an example on how to use the reference model only."
+ },
+ {
+ "file": [
+ "appcat-rulesets/rules/target/classes/azure/tests/data/azure-password/application.yaml",
+ "appcat-rulesets/rules/target/classes/azure/tests/data/azure-password/application.properties",
+ "appcat-rulesets/rules/target/classes/azure/tests/data/azure-password/application-prod.properties",
+ "appcat-rulesets/rules/target/classes/azure/tests/data/azure-database-config/application.properties",
+ "appcat-rulesets/rules/target/classes/azure/tests/data/azure-database-config/application-prod.properties",
+ "appcat-rulesets/rules/target/classes/azure/tests/data/azure-keystore-certificates/test.jks",
+ "appcat-rulesets/rules/target/classes/eap6/jboss-eap4/tests/samples/mysql-ds.xml",
+ "appcat-rulesets/rules/target/classes/quarkus/springboot/tests/data/springboot-metrics/application.properties"
+ ],
+ "_justification": "These files are previously scanned and suppressed. These are used for testing purposes. These are not included in any final product."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.devops/rulesets.yml b/.devops/rulesets.yml
new file mode 100644
index 00000000..6f00861b
--- /dev/null
+++ b/.devops/rulesets.yml
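Review bot: The file lands at `.devops/credscan/appcat-rulesets.json`, but the pipeline added in the same commit (`.devops/rulesets.yml`) points credscan at `.config/credscan/appcat-rulesets.json` in both `suppressionsFile` and `justificationForDisabling`, so one of the two paths must change or these suppressions will never be applied. Every entry here suppresses a whole file rather than a specific finding, which also silences any real credential committed to these paths later; if the scanner supports per-finding (hash) suppressions, using them for the fixture files would keep the suppressed scope visible and reviewable. The third group appears to be the `target/classes` build copy of the first, and the `azure/eap/test/data/...` entry uses `test` where every sibling path uses `tests`, which may be a typo worth checking against the tree.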
@@ -0,0 +1,106 @@
+
+schedules:
+ - cron: "30 23 * * 6"
+ displayName: Build
+ always: true
+ branches:
+ include:
+ - dev
+
+variables:
+ - name: version
+ value: "3.8.8"
+ - name: download_dir
+ value: "$(Agent.BuildDirectory)/apache-maven-${{ variables.maven_version }}"
+ - name: options
+ value: "-Dmaven.repo.local=$(Agent.BuildDirectory)/.m2/repository"
+
+resources:
+ repositories:
+ - repository: 1ESPipelineTemplates
+ type: git
+ name: 1ESPipelineTemplates/1ESPipelineTemplates
+ ref: refs/tags/release
+
+ - repository: appcat-rulesets
+ type: GitHub
+ endpoint: $(ENDPOINT)
+ name: Azure/appcat-rulesets
+ ref: dev
+
+extends:
+ template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+ parameters:
+ sdl:
+ sourceAnalysisPool:
+ name: JEG-windows2022-x64-release
+ os: windows
+ sourceRepositoriesToScan:
+ include:
+ - repository: appcat-rulesets
+ runInSingleJob: true
+ credscan:
+ enabled: true
+ justificationForDisabling: "The suppression file is located in this repo at .config/credscan/appcat-rulesets.json. All Credscan issues are test-only and documeted examples."
+ suppressionsFile: $(Pipeline.Workspace)/s/appcat-rulesets/.config/credscan/appcat-rulesets.json
+ stages:
+ - stage:
+ displayName: "Build"
+ jobs:
+ - job: build
+ displayName: Build appcat-rulesets
+ pool:
+ name: JEG-ubuntu20.04-x64-EO
+ os: linux
+ steps:
+ - checkout: appcat-rulesets
+ path: s/appcat-rulesets
+
+ - bash: |
+ az artifacts universal download \
+ --organization "$(ORGANIZATION)" \
+ --feed "$(FEED)" \
+ --name "$(ARTIFACT)" \
+ --version "${{ variables.version }}" \
+ --path .
+ displayName: "Download Maven"
+ env:
+ AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
+
+ - bash: |
+ tar xf apache-maven-${{ variables.version }}-bin.tar.gz -C $(Agent.BuildDirectory)/
+ echo "##vso[task.prependpath]${{ variables.download_dir }}/bin"
+ displayName: "Install Maven"
+
+ - bash: |
+ mkdir ~/.m2 \|| true
+ cat < ~/.m2/settings.xml
+
+
+
+ central
+ $(USERNAME)
+ \${env.SYSTEM_ACCESSTOKEN}
+
+
+
+ EOF
+ displayName: 'Create settings.xml'
+
+ - task: Maven@4
+ displayName: "Build appcat profile"
+ env:
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ inputs:
+ mavenPomFile: "$(Build.SourcesDirectory)/pom.xml"
+ mavenVersionOption: "Path"
+ mavenDirectory: "${{ variables.download_dir }}"
+ mavenOptions: "-Xmx3072m ${{ variables.options }}"
+ javaHomeOption: "JDKVersion"
+ jdkVersionOption: "1.11"
+ jdkArchitectureOption: "x64"
+ publishJUnitResults: false
+ goals: "install -DskipTests -B -U -P appcat"
\ No newline at end of file
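Review bot: `download_dir` is built from `${{ variables.maven_version }}`, but the only version variable declared is `version`, so the template expression expands to nothing and both `mavenDirectory` and the prepended PATH resolve to `.../apache-maven-` while the tarball is extracted as `apache-maven-3.8.8`; the fix is `value: "$(Agent.BuildDirectory)/apache-maven-${{ variables.version }}"`. `justificationForDisabling` is set while `credscan.enabled` is `true` and contains a typo (`documeted`); if it is only meant to explain the suppressions, a YAML comment above the `credscan:` block is the clearer place for that text. `endpoint: $(ENDPOINT)` under `resources.repositories` uses runtime macro syntax in a block that is resolved before runtime variables exist; confirm it actually resolves, since a literal service-connection name is the usual form there. The settings.xml step passes the access token through `${env.SYSTEM_ACCESSTOKEN}` and the `Maven@4` step supplies it via `env`, which keeps the token out of the written file; `mkdir ~/.m2 \|| true` looks like it was meant to be `mkdir -p ~/.m2`, which would not mask unrelated failures.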