add more SDL scan (#1552)

intel · May 20, 2024 · 61bee27 · 61bee27
1 parent 24302e5
commit 61bee27
Show file tree

Hide file tree

Showing 9 changed files with 172 additions and 150 deletions.
diff --git a/.github/workflows/Scaner_BDBA.yaml b/.github/workflows/Scaner_BDBA.yaml
@@ -0,0 +1,18 @@
+name: Scanner BDBA
+
+on:
+  workflow_dispatch:
+
+permissions: write-all
+jobs:
+  bdba_job:
+    name: BDBA Scan
+    uses: intel-innersource/frameworks.ai.infrastructure.code-scan-tools/.github/workflows/Scanner_Bdba.yml@one-ci-cd
+    with:
+      repos: ${{ github.event.repository.name }}
+      refs: ${{ github.ref_name }}
+      group: "22"
+      runners: "['inner-source']"
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}
+      BDBA_TOKEN: ${{ secrets.BDBA_TOKEN }}
diff --git a/.github/workflows/Scaner_Coverity.yaml b/.github/workflows/Scaner_Coverity.yaml
@@ -0,0 +1,22 @@
+name: Scanner Coverity PYTHON
+
+on:
+    workflow_dispatch:
+
+permissions: write-all
+jobs:
+  coverity_job:
+    name: Coverity
+    runs-on: inner-source
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: "recursive"
+      - name: Scan
+        uses: intel-innersource/frameworks.devops.github.actions.coverity@main
+        with:
+          server: 'https://coverityent.devtools.intel.com/prod4'
+          username: ${{secrets.COVERITY_NAME }}
+          password: ${{secrets.COVERITY }}
+          project: IntelExtensionForTransformers
+          stream: 'IntelExtensionForTransformers12cpp'
diff --git a/.github/workflows/Scaner_Trivy.yaml b/.github/workflows/Scaner_Trivy.yaml
@@ -0,0 +1,12 @@
+name: Trivy Scan for Containers
+
+on:
+    workflow_dispatch:
+permissions: write-all
+jobs:
+  trivy_container_job:
+    uses: "intel-innersource/frameworks.ai.infrastructure.code-scan-tools/.github/workflows/Scanner_Trivy.yml@one-ci-cd"
+    with:
+      container: ${{ vars.TRIVY_CONTAINER_NAME }}
+      runners: "['inner-source']"
+      lmc: false
diff --git a/.github/workflows/cpp-graph-test.yml b/.github/workflows/cpp-graph-test.yml
diff --git a/.github/workflows/docker/codeScan.dockerfile b/.github/workflows/docker/codeScan.dockerfile
@@ -29,7 +29,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends --fix-missing \
     build-essential \
     cloc \
     python3.10-venv \
-    git
+    git \
+    wget
 
 RUN ln -sf $(which python3) /usr/bin/python
 
@@ -38,4 +39,8 @@ RUN python -m pip install --no-cache-dir pylint==2.17.5\
     pyspelling\
     pydocstyle
 
+RUN python -m pip install --no-cache-dir bandit==1.7.8
+RUN wget -O /bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
+RUN chmod +x /bin/hadolint
+
 WORKDIR /
diff --git a/.github/workflows/format_scan.yml b/.github/workflows/format_scan.yml
@@ -37,6 +37,7 @@ jobs:
             "cpplint",
             # "pydocstyle",
             #"pyspelling",
+            "hadolint"
           ]
       fail-fast: false
     steps:

diff --git a/.github/workflows/script/formatScan/hadolint.sh b/.github/workflows/script/formatScan/hadolint.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Copyright (c) 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+source /intel-extension-for-transformers/.github/workflows/script/change_color.sh
+log_dir=/intel-extension-for-transformers/.github/workflows/script/formatScan
+
+find . -type f \( -name "Dockerfile*" \) -print -exec hadolint --ignore DL3006 --ignore DL3007 --ignore DL3008 {} \; 2>&1 | tee ${log_dir}/hadolint.log
+
+if [[ $(grep -c "error" ${log_dir}/hadolint.log) != 0 ]]; then
+    $BOLD_RED && echo "Error!! Please Click on the artifact button to download and check error details." && $RESET
+    exit 1
+fi
+
+$BOLD_PURPLE && echo "Congratulations, Hadolint check passed!" && $LIGHT_PURPLE && echo " You can click on the artifact button to see the log details." && $RESET
+exit 0
diff --git a/.github/workflows/script/formatScan/trellix.sh b/.github/workflows/script/formatScan/trellix.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+# Copyright (c) 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+source /intel-extension-for-transformers/.github/workflows/script/change_color.sh
+log_dir=${workspace}/.github/workflows/script/formatScan
+
+
+echo "---Updating definition (DAT) files ---"
+DEFS_URL=https://update.nai.com/products/commonupdater/current/vscandat1000/dat/0000
+echo "Finding latest defs at $DEFS_URL/avvdat.ini..." \
+ && wget -q $DEFS_URL/avvdat.ini \
+ && echo "SUCCESS" || fail
+
+inifile="avvdat.ini"
+filename=`awk -F"=" '$2 ~ /avvdat.*zip/ { print $2 } ' $inifile`
+filename2="$(echo -e "${filename}" | tr -d '[:space:]')"
+
+if [ -z "$filename2" ]
+then
+      echo "Cannot get defs information from INI file:"
+      cat $inifile
+      fail
+fi
+
+echo "Downloading latest defs from $DEFS_URL/$filename2..." \
+ && wget -q $DEFS_URL/$filename2 \
+ && echo "SUCCESS" || fail
+
+echo "Extracting latest defs..." \
+ && unzip -o $filename2 -d /usr/local/uvscan \
+ && echo "SUCCESS" || fail
+
+echo "--- Scanning ---"
+ENV_SCAN_OPTS="--analyze --mime --program --recursive --unzip --threads 4 --summary --verbose --html=${workspace}/.github/workflows/script/formatScan/report.html"
+echo "Scan Options: $ENV_SCAN_OPTS"
+
+rm -r ${workspace}/avvdat*
+rm -r ${workspace}/.git
+uvscan $ENV_SCAN_OPTS ${workspace} 2>&1 | tee ${log_dir}/trellix.log
+
+
+if [[ $(grep "Possibly Infected" ${log_dir}/trellix.log | sed 's/[^0-9]//g') != 0 ]]; then
+    $BOLD_RED && echo "Error!! Please Click on the artifact button to download and check error details." && $RESET
+    exit 1
+fi
+
+$BOLD_PURPLE && echo "Congratulations, Trellix Scan passed!" && $LIGHT_PURPLE && echo " You can click on the artifact button to see the log details." && $RESET
+exit 0
diff --git a/.github/workflows/trellix.yaml b/.github/workflows/trellix.yaml
@@ -0,0 +1,26 @@
+name: Trellix Command Line Scanner
+
+on:
+  workflow_dispatch:
+
+permissions: write-all
+jobs:
+  Trellix:
+    runs-on: inner-source
+    steps:
+      - name: Clean Up Working Directory
+        run: sudo rm -rf ${{github.workspace}}/*
+
+      - name: Checkout out Repo
+        uses: actions/checkout@v4
+
+      - name: Run Trellix Scanner
+        env:
+          workspace: ${{ github.workspace }}
+        run: bash .github/workflows/script/formatScan/trellix.sh
+
+      - name: Publish pipeline artifact
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@v4
+        with:
+          path: ${{ github.workspace }}/.github/workflows/script/formatScan/report.html