chore(ci): remove Sonar #355

Merged
luke merged 11 commits from luke-patch-1 into main 2025-05-31 13:08:48 +02:00
Owner

Okay, here's a breakdown of the changes proposed in the provided Git diff:

Summary:

The CI workflow configuration file .gitea/workflows/ci.yml has been modified. The key changes involve disabling the existing SonarQube and Snyk vulnerability scans, and introducing a new Trivy vulnerability scan.

Detailed Explanation:

  1. Commenting out SonarQube Scan:

    --- a/.gitea/workflows/ci.yml
    +++ b/.gitea/workflows/ci.yml
    @@ -55,10 +55,10 @@ jobs:
            - name: Minimize uv cache
              run: uv cache prune --ci
    
    -      - name: SonarQube Scan
    -        uses: SonarSource/sonarqube-scan-action@v5.2.0
    -        env:
    -          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
    -          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
    +      # - name: SonarQube Scan
    +      #   uses: SonarSource/sonarqube-scan-action@v5.2.0
    +      #   env:
    +      #     SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
    +      #     SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
    
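    Review bot: the step is commented out rather than deleted, so `.gitea/workflows/ci.yml` now carries a dead block that still names `secrets.SONARQUBE_HOST_URL` and `secrets.SONARQUBE_TOKEN`. If Sonar is really being removed (the PR title says so), delete the five lines outright, since git history keeps them, and remove or revoke the two now-unused repository secrets so a live token is not left sitting in the secrets store for a scan that no longer runs.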

    The original SonarQube Scan job is now commented out using #. This effectively disables the SonarQube code quality and security analysis during the CI process. The uses directive specifies the SonarSource GitHub Action. The env section defines the environment variables required for the SonarQube scan, including the host URL and token, sourced from Gitea secrets. By commenting it out, this step is skipped.

  2. Commenting out Snyk Vulnerability Scan:

    --- a/.gitea/workflows/ci.yml
    +++ b/.gitea/workflows/ci.yml
    @@ -66,12 +66,12 @@ jobs:
    -      - name: Snyk Vulnerability Scan
    -        uses: snyk/actions/python@master
    -        continue-on-error: true # Sometimes vulns aren't immediately fixable
    -        env:
    -          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    -        with:
    -          command: snyk
    -          args: test --all-projects
    +      # - name: Snyk Vulnerability Scan
    +      #   uses: snyk/actions/python@master
    +      #   continue-on-error: true # Sometimes vulns aren't immediately fixable
    +      #   env:
    +      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    +   #     with:
    +   #       command: snyk
    +   #       args: test --all-projects
    
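    Review bot: the commented-out `with:` block at the end of this hunk (`#     with:`, `#       command: snyk`, `#       args: test --all-projects`) is indented three spaces instead of the six used by the lines above it; harmless while commented, but it becomes a YAML indentation error the moment someone uncomments the block in place. Two things to fix if the step is ever re-enabled: `uses: snyk/actions/python@master` is an unpinned moving ref and should point at a tag or commit SHA, and `continue-on-error: true` meant findings never failed the build, which is the opposite of the `exit-code: "1"` gate this PR adds for Trivy.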

    Similarly, the Snyk Vulnerability Scan job is also commented out. This disables the Snyk vulnerability scanning during CI. The uses directive specifies the Snyk GitHub Action. continue-on-error: true is set to allow the workflow to proceed even if vulnerabilities are found. The env section defines the Snyk token, sourced from Gitea secrets. The with section configures the Snyk command to test all projects. By commenting it out, this step is skipped.

  3. Adding Trivy Vulnerability Scan:

    --- a/.gitea/workflows/ci.yml
    +++ b/.gitea/workflows/ci.yml
    @@ -80,3 +80,13 @@
    -          command: snyk
    -          args: test --all-projects
    +      - name: Trivy Vulnerability Scan
    +        uses: aquasecurity/trivy-action@0.30.0
    +        with:
    +          scan-type: "fs"
    +          scan-ref: "${{ gitea.workspace }}"
    +          exit-code: "1"
    +          ignore-unfixed: true
    +          format: "table"
    +          severity: "CRITICAL,HIGH,MEDIUM"
    +          scanners: "vuln,secret,misconfig,license"
    
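    Review bot: this hunk (`@@ -80,3 +80,13 @@`) deletes `command: snyk` / `args: test --all-projects` although the previous hunk already removed those two lines, so confirm the diff shown here matches what was committed before reading it as the final state. On the Trivy inputs themselves: `exit-code: "1"` together with `ignore-unfixed: true` means a CRITICAL finding with no published fix passes the gate silently, so keep `ignore-unfixed` only if the team explicitly accepts that and reads the table output; `scanners: "vuln,secret,misconfig,license"` with `exit-code: "1"` also fails the build on license findings, which is probably more noise than intended and may deserve its own step without a hard exit code; and `aquasecurity/trivy-action@0.30.0` is a tag, not an immutable commit SHA, so consider pinning the SHA with the version in a trailing comment.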

    A new job is added to perform vulnerability scanning using Trivy. Let's break down the configuration:

    • uses: aquasecurity/trivy-action@0.30.0: This specifies that the job will use the Trivy GitHub Action, version 0.30.0.
    • scan-type: "fs": This indicates that Trivy will perform a file system scan.
    • scan-ref: "${{ gitea.workspace }}": This specifies the directory to scan, which is the Gitea workspace (the root of the repository).
    • exit-code: "1": This means the action will exit with a non-zero exit code (failure) if vulnerabilities are found.
    • ignore-unfixed: true: This setting configures Trivy to disregard vulnerabilities that lack a readily available fix.
    • format: "table": The scan results will be formatted as a table in the CI output.
    • severity: "CRITICAL,HIGH,MEDIUM": Trivy will report vulnerabilities with CRITICAL, HIGH, or MEDIUM severity.
    • scanners: "vuln,secret,misconfig,license": Trivy will scan for vulnerabilities, secrets, misconfigurations, and license issues.

In Summary: The changes propose replacing SonarQube and Snyk scans with a Trivy scan, configured to scan the filesystem for vulnerabilities, secrets, misconfigurations and license issues, with specified severity levels. The existing scans have been disabled, not removed completely, by commenting out the relevant sections in the YAML file.

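The workflow above lets the action's own `exit-code`, `ignore-unfixed` and `severity` inputs decide pass or fail over a table report. The following is an added example, not code from the PR or from the Trivy project: it reimplements that same policy over Trivy's JSON report (`format: "json"`), so the reason each finding did or did not block the build is explicit, and it goes one step further than the workflow by treating secret findings separately, since a leaked credential has no "fixed version" to wait for. The field names (`Results`, `Target`, `Vulnerabilities`, `FixedVersion`, `Secrets`, `RuleID`, ...) follow Trivy's JSON output format; `SAMPLE_REPORT` is constructed for the example and its ids, package names and rule name are placeholders, not real advisories.

```python
"""Policy gate over a Trivy JSON report (added example, not part of the PR).

SAMPLE_REPORT is constructed for this example; the vulnerability ids, package
names and secret rule are placeholders, not real advisories.
"""
import json
import sys
from dataclasses import dataclass, field
from typing import List

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON layout: one lock-file target with three
# vulnerabilities (fixed HIGH, unfixed HIGH, fixed LOW) and one secret finding.
SAMPLE_REPORT = json.loads("""
{"Results": [
  {"Target": "uv.lock", "Class": "lang-pkgs",
   "Vulnerabilities": [
     {"VulnerabilityID": "PLACEHOLDER-0001", "PkgName": "examplelib",
      "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
     {"VulnerabilityID": "PLACEHOLDER-0002", "PkgName": "otherlib",
      "InstalledVersion": "2.3.0", "Severity": "HIGH"},
     {"VulnerabilityID": "PLACEHOLDER-0003", "PkgName": "thirdlib",
      "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1", "Severity": "LOW"}]},
  {"Target": "app/config.py", "Class": "secret",
   "Secrets": [
     {"RuleID": "placeholder-api-key", "Severity": "CRITICAL", "StartLine": 12,
      "Title": "Constructed sample secret finding"}]}
]}
""")


@dataclass
class GateResult:
    blocking: List[str] = field(default_factory=list)         # fail the build
    ignored_unfixed: List[str] = field(default_factory=list)  # dropped by ignore-unfixed
    below_threshold: List[str] = field(default_factory=list)  # under the severity floor

    @property
    def exit_code(self) -> int:
        """Same contract as the action's exit-code: "1" input."""
        return 1 if self.blocking else 0


def evaluate(report: dict, min_severity: str = "MEDIUM",
             ignore_unfixed: bool = True) -> GateResult:
    """Apply the policy the workflow expresses with exit-code: "1",
    ignore-unfixed: true and severity: "CRITICAL,HIGH,MEDIUM"."""
    floor = SEVERITY_RANK[min_severity]
    out = GateResult()
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            label = (f"{target}: {v['VulnerabilityID']} {v['PkgName']}"
                     f"@{v['InstalledVersion']} ({v['Severity']})")
            if SEVERITY_RANK.get(v["Severity"], 0) < floor:
                out.below_threshold.append(label)
            elif ignore_unfixed and not v.get("FixedVersion"):
                # The silent path that ignore-unfixed opens: a HIGH with no
                # fix available never reaches the gate. Listing it keeps it visible.
                out.ignored_unfixed.append(label)
            else:
                out.blocking.append(label)
        for s in result.get("Secrets") or []:
            # A leaked credential has no fixed version, so it is never skipped
            # as "unfixed"; only the severity floor applies.
            label = f"{target}:{s.get('StartLine', '?')} {s['RuleID']} ({s['Severity']})"
            if SEVERITY_RANK.get(s["Severity"], 0) < floor:
                out.below_threshold.append(label)
            else:
                out.blocking.append(label)
    return out


def main(argv: List[str]) -> int:
    """Read a Trivy JSON report from argv[1], or gate the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    res = evaluate(report)
    for name in ("blocking", "ignored_unfixed", "below_threshold"):
        for line in getattr(res, name):
            print(f"{name:16} {line}")
    return res.exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real report with `trivy fs --format json -o report.json .` followed by `python gate.py report.json`; with no argument it gates the constructed sample and exits 1 because of the fixable HIGH and the secret, while the unfixed HIGH is listed under `ignored_unfixed` rather than disappearing.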
luke added 1 commit 2025-05-31 11:39:36 +02:00
chore(ci): switch to Trivy
Some checks failed
Validate PR Title / validate (pull_request) Successful in 10s
CI / ci (pull_request) Failing after 1m56s
f38d9fd3d0
luke added 1 commit 2025-05-31 11:56:47 +02:00
fix(ci): manually config Trivy
Some checks failed
Validate PR Title / validate (pull_request) Successful in 7s
CI / ci (pull_request) Failing after 1m47s
aa3c5fbf1f
luke added 1 commit 2025-05-31 12:16:51 +02:00
fix(ci): re-enable Snyk
Some checks failed
Validate PR Title / validate (pull_request) Successful in 9s
CI / ci (pull_request) Failing after 1m7s
aa71f71bfb
luke added 1 commit 2025-05-31 12:21:27 +02:00
fix(ci): fix Snyk docker
Some checks failed
Validate PR Title / validate (pull_request) Successful in 6s
CI / ci (pull_request) Failing after 52s
54c1fbfd4b
luke added 1 commit 2025-05-31 12:30:52 +02:00
fix(ci): Snyk environment fix
Some checks failed
Validate PR Title / validate (pull_request) Successful in 5s
CI / ci (pull_request) Failing after 1m3s
44b35f7066
luke added 1 commit 2025-05-31 12:33:02 +02:00
fix(ci): fix Snyk CLI cmds
Some checks failed
Validate PR Title / validate (pull_request) Successful in 9s
CI / ci (pull_request) Failing after 56s
00a1396085
luke added 1 commit 2025-05-31 12:34:37 +02:00
fix(ci): fix Snyk CLI cmds
All checks were successful
Validate PR Title / validate (pull_request) Successful in 6s
CI / ci (pull_request) Successful in 1m21s
d61ffd601b
luke added 1 commit 2025-05-31 12:37:38 +02:00
chore(ci): enable snyk debug
All checks were successful
Validate PR Title / validate (pull_request) Successful in 7s
CI / ci (pull_request) Successful in 1m8s
9d6b04427f
luke added 1 commit 2025-05-31 12:40:58 +02:00
Update ci.yml
All checks were successful
Validate PR Title / validate (pull_request) Successful in 6s
CI / ci (pull_request) Successful in 1m12s
676d25c156
luke added 1 commit 2025-05-31 13:01:24 +02:00
fix(ci): remove --all-projects
All checks were successful
Validate PR Title / validate (pull_request) Successful in 8s
CI / ci (pull_request) Successful in 1m32s
ce8baa0bfb
luke added 1 commit 2025-05-31 13:05:32 +02:00
fix(ci): remove deps vuln scan, rely on renovate
All checks were successful
Validate PR Title / validate (pull_request) Successful in 5s
CI / ci (pull_request) Successful in 1m1s
b623858929
Member

Decision: Reject
Change Score: 3/10

These changes are problematic and introduce unnecessary complexity and potential risks. Here's why:

  • Unnecessary File Modifications for Snyk Setup: The changes to move and rename pyproject.toml and uv.lock are incredibly hacky. This disrupts the build environment and suggests a misunderstanding of how Snyk should be integrated. Also generating requirements.txt with uv pip freeze is wrong because you're using uv which uses pyproject.toml and not requirements.txt.
  • Commenting out SonarQube Scan: Disabling SonarQube scans removes an important layer of code quality and security analysis. What's the reason for this?
  • Commenting out Coverage XML Modification: The commented-out sed command likely addresses an issue with workspace paths in coverage reports. Instead of commenting it out, fix the underlying issue or provide a proper alternative. The coverage xml command was also removed, meaning no xml coverage report will be generated.
  • Disabling SSL Verification: Disabling SSL verification (verify=False) in the n8n utility functions is a HUGE security risk. This makes the application vulnerable to man-in-the-middle attacks.
  • Inconsistent Snyk Configuration: The Snyk configuration is confusing with commented-out sections and unclear intentions. What is the purpose of switching between snyk test and snyk code test?

Here's how I would address these issues:

  1. Snyk Integration: Properly integrate Snyk without resorting to renaming or moving files. Consult Snyk's documentation for recommended workflows with pyproject.toml based projects. If you're just trying to scan the code and not the dependencies, use snyk code test without modifying the files.

  2. SonarQube: Reinstate the SonarQube scan. If there are issues, address them directly instead of disabling the scan.

  3. Coverage Reports: Fix the workspace path issue in coverage reports properly. The sed command was likely a workaround, but a better solution might involve configuring the coverage tool or adjusting the workspace environment. Reinstate the xml report generation.

  4. SSL Verification: NEVER disable SSL verification in production code. This is a critical security vulnerability.

Here are the changes I recommend.

--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -45,7 +45,7 @@
       - name: Unit Test
         run: |
           uv run coverage run -m pytest -v --junitxml=testresults.xml
-          uv run coverage report
+          uv run coverage xml
         # sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml
 
       - name: Minimize uv cache
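Review bot: replacing `uv run coverage report` with `uv run coverage xml` drops the human-readable summary from the job log; run both, `uv run coverage report` then `uv run coverage xml`, so the XML exists for whatever consumes it and the percentage is still visible in CI. The `sed` line below stays commented out at an indentation that does not match the step; either restore it with the step's indentation once the workspace path problem is actually fixed, or delete it rather than leaving a half-disabled workaround in the file.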
@@ -59,32 +59,16 @@
           SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
           SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
 
-      - name: Snyk Vulnerability Scan
+      - name: Snyk SAST Scan
         uses: snyk/actions/python@master
-        continue-on-error: true # Sometimes vulns aren't immediately fixable
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          command: snyk
-          args: test --all-projects
-      
-      - name: Reverse set up environment for Snyk
-        run: |
-          rm -f requirements.txt
-          mv pyproject.toml.bak pyproject.toml
-          mv uv.lock.bak uv.lock
+          args: snyk code test
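Review bot: `args: snyk code test` probably does not run the intended command. The snyk/actions inputs are `command` (defaulting to `test`) and `args`, which the action places after `snyk <command>`, so this line would hand `snyk code test` to `snyk test` as arguments; check the action's README and express the SAST scan through the `command` input (for example `command: code test`, or whatever form the README documents) rather than putting the binary name in `args`. Removing `continue-on-error: true` is the right call if findings are meant to gate the merge, and while the step is being touched, `snyk/actions/python@master` should be pinned to a tag or commit SHA instead of a moving branch.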
--- a/app/utils/n8n.py
+++ b/app/utils/n8n.py
@@ -23,7 +23,7 @@
         headers=headers,
         json=data,
         timeout=10,
-        verify=False,
+        verify=True,
     )
     return bool(resp.status_code == 200)
 
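Review bot: `verify=True` is the right default, but if the n8n host presents a certificate from an internal CA this call will now fail with a certificate error, which is presumably why `verify=False` was there in the first place. The fix for that case is `verify="/path/to/internal-ca-bundle.pem"` (or `REQUESTS_CA_BUNDLE` in the runner environment), never `False`: chain and hostname checks stay on and only the trust anchor changes.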
@@ -64,6 +64,6 @@
         url=config.n8n_webhook_url,
         headers=headers,
         timeout=10,
-        verify=False,
+        verify=True,
         params={"requestor": requestor},
     )
     _data = bool(resp.status_code == 200)
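Review bot: same change as the POST above. Both call sites pass `timeout=10` and `verify=...` separately, so consider a single `requests.Session` (or a small helper) in this module that carries the CA bundle and timeout; then a future edit cannot re-disable verification in one call and not the other, and a reviewer has one place to check.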

I have omitted the requirements.txt change, since generating this file is unnecessary. I have also omitted the .gitignore entry for the same reason.

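The review above insists on `verify=True` but does not show what to do when the endpoint is signed by a private CA, which is the usual reason `verify=False` creeps in. The following is an added example, not code from the PR or from the n8n helper it discusses: it builds a verifying TLS context from an optional CA bundle and performs the same kind of JSON POST the helper does, using only the standard library so it runs without the `requests` package (with `requests`, the equivalent is `verify="/path/to/ca-bundle.pem"`). The environment variable names `N8N_CA_BUNDLE` and `N8N_WEBHOOK_URL` are assumptions for the demo, not settings from the project.

```python
"""Outbound HTTPS with certificate verification kept on (added example).

Assumptions, not from the PR: the endpoint may be signed by an internal CA
whose PEM bundle is named by the hypothetical N8N_CA_BUNDLE variable, and the
webhook URL by the hypothetical N8N_WEBHOOK_URL variable.
"""
import json
import os
import ssl
import urllib.request
from typing import Optional


def build_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Return a TLS context that always verifies the peer.

    With no bundle, the platform trust store is used. With a bundle, only that
    CA is trusted, which is the right answer for an internal endpoint. There is
    deliberately no parameter that turns verification off; a wrong or missing
    bundle surfaces as an error here (FileNotFoundError for a bad path).
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    # create_default_context already sets both of these; re-asserting them
    # means a later edit cannot weaken the context without touching this line.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def post_json(url: str, payload: dict, ctx: ssl.SSLContext, timeout: float = 10) -> bool:
    """POST a JSON body and report success, mirroring the helper's bool(status == 200)."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status == 200
    except ssl.SSLCertVerificationError as exc:
        # Make the real cause visible (untrusted issuer, name mismatch, expiry)
        # instead of hiding it behind a disabled check at the call site.
        raise RuntimeError(
            f"TLS verification failed for {url}: {exc}. "
            "Point N8N_CA_BUNDLE at the issuing CA; do not disable verification."
        ) from exc


if __name__ == "__main__":
    context = build_tls_context(os.environ.get("N8N_CA_BUNDLE"))
    print(post_json(os.environ["N8N_WEBHOOK_URL"], {"ping": True}, context))
```

The design choice is that the only knob exposed is *which* CA to trust, never *whether* to verify; a bad bundle path fails loudly at startup rather than at the first request, and a certificate error is reported with its actual cause so the fix lands in the trust configuration instead of in the call.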
luke changed title from chore(ci): switch to Trivy to chore(ci): remove Sonar 2025-05-31 13:07:22 +02:00
luke merged commit 0da568d5eb into main 2025-05-31 13:08:48 +02:00
luke deleted branch luke-patch-1 2025-05-31 13:08:49 +02:00
luke referenced this issue from a commit 2025-05-31 13:08:49 +02:00
Reference: repos/roboluke#355
No description provided.