MEND scan (#432)

* MEND scan * fix project
razee-io · Nov 8, 2023 · 12f439c · 12f439c
1 parent e0fd2ff
commit 12f439c
Show file tree

Hide file tree

Showing 6 changed files with 274 additions and 243 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -14,3 +14,5 @@ kubernetes/
 testdata/
 .*
 
+# MEND unified agent
+wss-unified-agent.jar
diff --git a/.gitignore b/.gitignore
@@ -64,3 +64,6 @@ typings/
 dev/
 download-cache/
 .npmrc
+
+# MEND unified agent
+wss-unified-agent.jar
diff --git a/.travis.yml b/.travis.yml
@@ -13,6 +13,11 @@ env:
 
 before_install:
   - echo "$DOCKERHUB_TOKEN" | docker login -u "icdevops" --password-stdin
+  - export WS_APIKEY=${WS_APIKEY}
+  - export WS_USERKEY=${WS_USERKEY}
+  - export WS_PRODUCTNAME=${WS_PRODUCTNAME}
+  - export WS_PROJECTNAME=RemoteResource
+  - export WS_WSS_URL=https://ibmets.whitesourcesoftware.com/agent
 
 jobs:
   include:
@@ -127,6 +132,8 @@ jobs:
               quay.io/razee/remoteresource:${TRAVIS_TAG}-ppc64le \
               quay.io/razee/remoteresource:${TRAVIS_TAG}-s390x
          fi
+       # Perform UA scan on non-PR builds
+       - if [ "${TRAVIS_PULL_REQUEST}" = "false" ]; then curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar; java -jar wss-unified-agent.jar -d . || echo "UA Scan Error occurred"; fi
 
      before_deploy:
        - docker login -u="${QUAY_ID}" -p="${QUAY_TOKEN}" quay.io

diff --git a/audit-ci.json b/audit-ci.json
@@ -1,29 +1,28 @@
 {
-    "low": true,
-    "_allowListExample": [
-      {
-        "GHSA-1234-5678-9012": {
-          "active": true,
-          "notes": "The package X has vuln Y that is ignored because Y",
-          "expiry": "2077-04-01"
-        }
-      },
-    ],
-    "allowlist": [
-      {
-        "GHSA-p8p7-x288-28g6": {
-          "active": true,
-          "notes": "The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP)",
-          "expiry": "2023-10-01"
-        }
-      },
-      {
-        "GHSA-72xf-g2v4-qvf3": {
-          "active": true,
-          "notes": "The Request package (see above) requires tough-cookie at a vulnerable version.",
-          "expiry": "2023-10-01"
-        }
-      }    ],
-    "skip-dev": true
-  }
-
+  "low": true,
+  "_allowListExample": [
+    {
+      "GHSA-1234-5678-9012": {
+        "active": true,
+        "notes": "The package X has vuln Y that is ignored because Y",
+        "expiry": "2077-04-01"
+      }
+    },
+  ],
+  "allowlist": [
+    {
+      "GHSA-p8p7-x288-28g6": {
+        "active": true,
+        "notes": "The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP)",
+        "expiry": "2023-12-31"
+      }
+    },
+    {
+      "GHSA-72xf-g2v4-qvf3": {
+        "active": true,
+        "notes": "The Request package (see above) requires tough-cookie at a vulnerable version.",
+        "expiry": "2023-12-31"
+      }
+    }    ],
+  "skip-dev": true
+}