From f38d9fd3d0c0f71abaeaad7a640cc42da2f9a89c Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sat, 31 May 2025 11:39:29 +0200 Subject: [PATCH 01/11] chore(ci): switch to Trivy --- .gitea/workflows/ci.yml | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index e2ae0b0..99c93c7 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -55,17 +55,28 @@ jobs: - name: Minimize uv cache run: uv cache prune --ci - - name: SonarQube Scan - uses: SonarSource/sonarqube-scan-action@v5.2.0 - env: - SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }} - SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }} + # - name: SonarQube Scan + # uses: SonarSource/sonarqube-scan-action@v5.2.0 + # env: + # SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }} + # SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }} - - name: Snyk Vulnerability Scan - uses: snyk/actions/python@master - continue-on-error: true # Sometimes vulns aren't immediately fixable - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # - name: Snyk Vulnerability Scan + # uses: snyk/actions/python@master + # continue-on-error: true # Sometimes vulns aren't immediately fixable + # env: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # with: + # command: snyk + # args: test --all-projects + + - name: Trivy Vulnerability Scan + uses: aquasecurity/trivy-action@0.30.0 with: - command: snyk - args: test --all-projects + scan-type: "fs" + scan-ref: "${{ gitea.workspace }}" + exit-code: "1" + ignore-unfixed: true + format: "table" + severity: "CRITICAL,HIGH,MEDIUM" + scanners: "vuln,secret,misconfig,license" -- 2.47.2 From aa3c5fbf1fc6c311ebea7331a3cc1a34796f4abf Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sat, 31 May 2025 10:56:31 +0100 Subject: [PATCH 02/11] fix(ci): manually config Trivy --- .gitea/workflows/ci.yml | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) 
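Review bot: The new Trivy step pins `aquasecurity/trivy-action@0.30.0` by tag, and the later patches 02 and 03 in this series pin `aquasecurity/trivy-action@master` and the new `Snyk SAST Scan` step's `snyk/actions/python@master` by branch, so the scanner that gates the build is itself a mutable dependency that can change between runs without any change in this repository. Pin each action to a full commit SHA with the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # 0.30.0`, and let Renovate bump the pin. `ignore-unfixed: true` means findings without an upstream fix never appear in the table and so cannot be tracked; if that is intended, say so in a comment on that line. The SonarQube and Snyk steps are carried as commented-out blocks rather than deleted; git history already keeps them, and dead config with `secrets.*` references tends to be revived untested.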
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 99c93c7..753800e 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -70,9 +70,16 @@ jobs: # command: snyk # args: test --all-projects - - name: Trivy Vulnerability Scan - uses: aquasecurity/trivy-action@0.30.0 + - name: Manual Trivy Setup + uses: aquasecurity/setup-trivy@v0.2.0 with: + cache: true + version: v0.61.1 + + - name: Trivy Vulnerability Scan + uses: aquasecurity/trivy-action@master + with: + skip-setup-trivy: true scan-type: "fs" scan-ref: "${{ gitea.workspace }}" exit-code: "1" @@ -80,3 +87,15 @@ jobs: format: "table" severity: "CRITICAL,HIGH,MEDIUM" scanners: "vuln,secret,misconfig,license" + + # - name: Trivy Vulnerability Scan (Docker) + # uses: aquasecurity/trivy-action@master + # with: + # skip-setup-trivy: true + # image-ref: "docker.io/my-organization/my-app:${{ github.sha }}" + # format: "table" + # exit-code: "1" + # ignore-unfixed: true + # vuln-type: 'os,library' + # severity: "CRITICAL,HIGH,MEDIUM" + -- 2.47.2 From aa71f71bfbd1c234fe017eb4a169b4ff3da54407 Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sat, 31 May 2025 11:16:44 +0100 Subject: [PATCH 03/11] fix(ci): re-enable Snyk --- .gitea/workflows/ci.yml | 63 +++++++++++++++++++++++-------------- .gitignore | 4 +++ app/commands/submit_task.py | 12 ++----- 3 files changed, 45 insertions(+), 34 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 753800e..f81c743 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -40,6 +40,9 @@ jobs: - name: Install dependencies run: uv sync + + - name: Check Import Sorting + run: uv run isort --check app/ tests/ - name: Lint run: | 
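Review bot: The commented `Trivy Vulnerability Scan (Docker)` template appended in the second hunk of patch 02 references `${{ github.sha }}` while the live step above it uses `${{ gitea.workspace }}`, and its `image-ref` is the upstream sample `docker.io/my-organization/my-app`, so if it is ever uncommented as-is it will not point at this project's image; either fill in the real image and the same context as the rest of the file now, or drop the block. It also writes `vuln-type: 'os,library'` with single quotes where every neighbouring value is double-quoted. The blank `+` lines at the end of the hunk add whitespace-only lines that patch 05 later has to remove.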
@@ -61,32 +64,44 @@ jobs: # SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }} # SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }} - # - name: Snyk Vulnerability Scan - # uses: snyk/actions/python@master - # continue-on-error: true # Sometimes vulns aren't immediately fixable - # env: - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + - name: Create requirements.txt for Snyk + run: | + uv pip freeze > requirements.txt + + - name: Snyk SAST Scan + uses: snyk/actions/python@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + command: snyk + args: code test --exclude=.archive + + - name: Snyk Vulnerability Scan + uses: snyk/actions/python@master + continue-on-error: true # Sometimes vulns aren't immediately fixable + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + command: snyk + args: test --all-projects --exclude=.archive + + # - name: Trivy Setup + # uses: aquasecurity/setup-trivy@v0.2.0 # with: - # command: snyk - # args: test --all-projects + # cache: true + # version: v0.61.1 - - name: Manual Trivy Setup - uses: aquasecurity/setup-trivy@v0.2.0 - with: - cache: true - version: v0.61.1 - - - name: Trivy Vulnerability Scan - uses: aquasecurity/trivy-action@master - with: - skip-setup-trivy: true - scan-type: "fs" - scan-ref: "${{ gitea.workspace }}" - exit-code: "1" - ignore-unfixed: true - format: "table" - severity: "CRITICAL,HIGH,MEDIUM" - scanners: "vuln,secret,misconfig,license" + # - name: Trivy Vulnerability Scan + # uses: aquasecurity/trivy-action@master + # with: + # skip-setup-trivy: true + # scan-type: "fs" + # scan-ref: "${{ gitea.workspace }}" + # exit-code: "1" + # ignore-unfixed: true + # format: "table" + # severity: "CRITICAL,HIGH,MEDIUM" + # scanners: "vuln,secret,misconfig,license" # - name: Trivy Vulnerability Scan (Docker) # uses: aquasecurity/trivy-action@master diff --git a/.gitignore b/.gitignore index 9e15164..82c307e 100644 --- a/.gitignore +++ b/.gitignore 
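Review bot: `continue-on-error: true` on the re-enabled `Snyk Vulnerability Scan` step switches the dependency gate off entirely, so a fixable critical finding still yields a green build; the inline reason (`Sometimes vulns aren't immediately fixable`) is better expressed with the CLI's own knob, `args: test --all-projects --exclude=.archive --fail-on=upgradable`, with `continue-on-error` removed, so unfixable issues are tolerated but upgradable ones still fail. The new `Snyk SAST Scan` step has no such override, which is reasonable, but a one-line comment stating that SAST findings block while dependency findings are advisory would document the asymmetry. `uv pip freeze` in `Create requirements.txt for Snyk` freezes whatever `uv sync` installed, presumably including dev and test dependencies, so a comment noting that the scan scope is the full environment rather than runtime deps alone would avoid surprise.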
@@ -27,6 +27,7 @@ share/python-wheels/ *.egg MANIFEST .pdm-build/ +requirements*.txt # PyInstaller # Usually these files are written by a python script from a template @@ -136,3 +137,6 @@ dmypy.json # IDE .vscode .idea + +# Other +.dccache diff --git a/app/commands/submit_task.py b/app/commands/submit_task.py index 6197f47..e9b5be7 100644 --- a/app/commands/submit_task.py +++ b/app/commands/submit_task.py @@ -4,16 +4,8 @@ import logging from webex_bot.models.command import Command from webex_bot.models.response import Response, response_from_adaptive_card -from webexpythonsdk.models.cards import ( - AdaptiveCard, - Column, - ColumnSet, - Date, - FontSize, - FontWeight, - Text, - TextBlock, -) +from webexpythonsdk.models.cards import (AdaptiveCard, Column, ColumnSet, Date, + FontSize, FontWeight, Text, TextBlock) from webexpythonsdk.models.cards.actions import Submit from app.utils.config import config -- 2.47.2 From 54c1fbfd4b4b0899c0288066290c652adbb98e0f Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sat, 31 May 2025 11:21:19 +0100 Subject: [PATCH 04/11] fix(ci): fix Snyk docker --- .gitea/workflows/ci.yml | 8 ++++---- app/utils/n8n.py | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index f81c743..70e8133 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -73,8 +73,8 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - command: snyk - args: code test --exclude=.archive + command: code test + args: --all-projects --exclude=.archive - name: Snyk Vulnerability Scan uses: snyk/actions/python@master @@ -82,8 +82,8 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - command: snyk - args: test --all-projects --exclude=.archive + command: test + args: --all-projects --exclude=.archive # - name: Trivy Setup # uses: aquasecurity/setup-trivy@v0.2.0 diff --git a/app/utils/n8n.py b/app/utils/n8n.py index de74d44..42fd030 100644 --- a/app/utils/n8n.py 
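Review bot: `requirements*.txt` in the `.gitignore` hunk ignores every file matching that pattern anywhere in the tree, not just the `requirements.txt` the CI step generates at the repository root, so a deliberately committed `requirements-docs.txt` or similar would later be silently left out of `git add`. Narrow it to the generated file, `/requirements.txt`, with a comment naming the CI step that produces it. `.dccache` under `# Other` would read better with a real label, presumably `# Snyk Code (DeepCode) local cache` given it arrives in the commit that introduces `snyk code test`; confirm before writing it.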
+++ b/app/utils/n8n.py @@ -20,7 +20,7 @@ def __n8n_post(data: dict) -> bool: headers=headers, json=data, timeout=10, - verify=False, + verify=True, ) return bool(resp.status_code == 200) @@ -61,7 +61,7 @@ def get_tasks(requestor) -> bool: url=config.n8n_webhook_url, headers=headers, timeout=10, - verify=False, + verify=True, params={"requestor": requestor}, ) _data = bool(resp.status_code == 200) -- 2.47.2 From 44b35f70664b2bfdadfa61f939bd2478eed37aca Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sat, 31 May 2025 11:30:44 +0100 Subject: [PATCH 05/11] fix(ci): Snyk environment fix --- .gitea/workflows/ci.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 70e8133..76e5b25 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -64,9 +64,11 @@ jobs: # SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }} # SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }} - - name: Create requirements.txt for Snyk + - name: Set up environment for Snyk run: | uv pip freeze > requirements.txt + mv pyproject.toml pyproject.toml.bak + mv uv.lock uv.lock.bak - name: Snyk SAST Scan uses: snyk/actions/python@master @@ -84,6 +86,12 @@ jobs: with: command: test args: --all-projects --exclude=.archive + + - name: Reverse set up environment for Snyk + run: | + rm -f requirements.txt + mv pyproject.toml.bak pyproject.toml + mv uv.lock.bak uv.lock # - name: Trivy Setup # uses: aquasecurity/setup-trivy@v0.2.0 @@ -113,4 +121,3 @@ jobs: # ignore-unfixed: true # vuln-type: 'os,library' # severity: "CRITICAL,HIGH,MEDIUM" - -- 2.47.2 From 00a139608544862699ae92b81cd2e6652ded717b Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sat, 31 May 2025 11:32:54 +0100 Subject: [PATCH 06/11] fix(ci): fix Snyk CLI cmds --- .gitea/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 76e5b25..76aa053 100644 
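Review bot: The commit title `fix(ci): fix Snyk docker` does not mention that this hunk and the one in `get_tasks` switch outbound n8n webhook calls from `verify=False` to `verify=True`, so a behavioural change to the application's TLS posture is hidden inside a CI fix; split it out or name it in the subject. `verify=True` is the default if the HTTP client is `requests` (the `json=`, `params=` and `timeout=` keywords suggest it), so the keyword can simply be dropped; if the webhook host presents a private CA, point `verify` at that bundle (`verify="<path-to-ca-bundle>"`) rather than ever reverting to `False`. Both `__n8n_post` and `get_tasks` start and end outside the hunks.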
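Review bot: The `Reverse set up environment for Snyk` step added in the second hunk of patch 05 runs only if every earlier step succeeded, so a failing `Snyk SAST Scan` (it carries no `continue-on-error`) leaves `pyproject.toml` and `uv.lock` renamed to `.bak` and the generated `requirements.txt` in place; on a runner that reuses its checkout, the next job starts from a mangled workspace. Mark the cleanup unconditional with `if: always()`, and state in a comment on the setup step in the first hunk why the manifests are moved aside for Snyk, since the `mv` lines give no reason.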
--- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -75,8 +75,8 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - command: code test - args: --all-projects --exclude=.archive + command: snyk + args: code test --all-projects --exclude=.archive - name: Snyk Vulnerability Scan uses: snyk/actions/python@master @@ -84,8 +84,8 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - command: test - args: --all-projects --exclude=.archive + command: snyk + args: test --all-projects --exclude=.archive - name: Reverse set up environment for Snyk run: | -- 2.47.2 From d61ffd601b21ff47b3acf20f6a1b1db140e4052f Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sat, 31 May 2025 11:34:29 +0100 Subject: [PATCH 07/11] fix(ci): fix Snyk CLI cmds --- .gitea/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 76aa053..64f5e74 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -75,8 +75,8 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - command: snyk - args: code test --all-projects --exclude=.archive + # command: snyk + args: snyk code test --all-projects --exclude=.archive - name: Snyk Vulnerability Scan uses: snyk/actions/python@master @@ -84,8 +84,8 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - command: snyk - args: test --all-projects --exclude=.archive + # command: snyk + args: snyk test --all-projects --exclude=.archive - name: Reverse set up environment for Snyk run: | -- 2.47.2 From 9d6b04427faa778db949bb77709c74a94d589ade Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sat, 31 May 2025 11:37:30 +0100 Subject: [PATCH 08/11] chore(ci): enable snyk debug --- .gitea/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 64f5e74..6862f90 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml 
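Review bot: In both hunks of patch 07 the `with:` block keeps a commented `# command: snyk` above `args: snyk code test ...` and `args: snyk test ...`, which leaves the action's `command` input at its default while the full CLI line is passed through `args`; I cannot tell from the hunk how `snyk/actions/python` joins the two inputs, so confirm the effective command line in the step log (patches 04 and 06 went back and forth on exactly this). Then delete the commented line or replace it with a comment that records the finding, e.g. `# full CLI invocation goes in args; the action's command input is intentionally left unset`.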
@@ -85,7 +85,7 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: # command: snyk - args: snyk test --all-projects --exclude=.archive + args: DEBUG=*snyk* snyk test --all-projects --exclude=.archive - name: Reverse set up environment for Snyk run: | -- 2.47.2 From 676d25c156a0e45068ea39373f268bf50e81708c Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sat, 31 May 2025 11:40:51 +0100 Subject: [PATCH 09/11] Update ci.yml --- .gitea/workflows/ci.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 6862f90..3fb298b 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -52,8 +52,8 @@ jobs: - name: Unit Test run: | uv run coverage run -m pytest -v --junitxml=testresults.xml - uv run coverage xml - sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml + uv run coverage report + # sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml - name: Minimize uv cache run: uv cache prune --ci @@ -83,9 +83,10 @@ jobs: continue-on-error: true # Sometimes vulns aren't immediately fixable env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + DEBUG: "*snyk*" with: # command: snyk - args: DEBUG=*snyk* snyk test --all-projects --exclude=.archive + args: snyk test --all-projects --exclude=.archive - name: Reverse set up environment for Snyk run: | -- 2.47.2 From ce8baa0bfb5cb0101555c45a011c3f79743e56aa Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sat, 31 May 2025 12:01:14 +0100 Subject: [PATCH 10/11] fix(ci): remove --all-projects --- .gitea/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 3fb298b..571bb6e 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml 
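Review bot: `DEBUG: "*snyk*"` in the env of the `Snyk Vulnerability Scan` step (second hunk of patch 09) enables the CLI's debug logging on every run, not just for the troubleshooting that patch 08 started; debug output is verbose and can include request details in the job log, so remove it once the investigation is over, or gate it, e.g. `DEBUG: ${{ runner.debug == '1' && '*snyk*' || '' }}` if the runner exposes that context. In the first hunk the `sed` line is kept as a comment while the `coverage xml` call that produced `coverage.xml` is replaced by `coverage report`, so the comment now refers to a file that is no longer generated; delete it. The commit title `Update ci.yml` describes neither change.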
@@ -76,7 +76,7 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: # command: snyk - args: snyk code test --all-projects --exclude=.archive + args: snyk code test #--all-projects --exclude=.archive - name: Snyk Vulnerability Scan uses: snyk/actions/python@master @@ -86,7 +86,7 @@ jobs: DEBUG: "*snyk*" with: # command: snyk - args: snyk test --all-projects --exclude=.archive + args: snyk test #--all-projects --exclude=.archive - name: Reverse set up environment for Snyk run: | -- 2.47.2 From b6238589291783e4c4169a42ff9e66c10c0c2e12 Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sat, 31 May 2025 12:05:24 +0100 Subject: [PATCH 11/11] fix(ci): remove deps vuln scan, rely on renovate --- .gitea/workflows/ci.yml | 47 ++++++++--------------------------------- 1 file changed, 9 insertions(+), 38 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 571bb6e..95425df 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml 
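Review bot: Commenting out the tail of the value (`args: snyk code test #--all-projects --exclude=.archive`, and the same in the second hunk) drops `--exclude=.archive` together with `--all-projects`, so the `.archive` tree that the earlier form deliberately skipped is now part of the scan. If the exclusion is still wanted, keep it explicitly (`args: snyk code test --exclude=.archive` if the CLI accepts that flag for `code test`, otherwise an `exclude` entry in a `.snyk` policy file) and delete the trailing comment rather than parking flags in it. Flags left behind a `#` inside a scalar are easy to misread as still active.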
@@ -78,47 +78,18 @@ jobs: # command: snyk args: snyk code test #--all-projects --exclude=.archive - - name: Snyk Vulnerability Scan - uses: snyk/actions/python@master - continue-on-error: true # Sometimes vulns aren't immediately fixable - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - DEBUG: "*snyk*" - with: - # command: snyk - args: snyk test #--all-projects --exclude=.archive + # - name: Snyk Vulnerability Scan + # uses: snyk/actions/python@master + # continue-on-error: true # Sometimes vulns aren't immediately fixable + # env: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # DEBUG: "*snyk*" + # with: + # # command: snyk + # args: snyk test #--all-projects --exclude=.archive - name: Reverse set up environment for Snyk run: | rm -f requirements.txt mv pyproject.toml.bak pyproject.toml mv uv.lock.bak uv.lock - - # - name: Trivy Setup - # uses: aquasecurity/setup-trivy@v0.2.0 - # with: - # cache: true - # version: v0.61.1 - - # - name: Trivy Vulnerability Scan - # uses: aquasecurity/trivy-action@master - # with: - # skip-setup-trivy: true - # scan-type: "fs" - # scan-ref: "${{ gitea.workspace }}" - # exit-code: "1" - # ignore-unfixed: true - # format: "table" - # severity: "CRITICAL,HIGH,MEDIUM" - # scanners: "vuln,secret,misconfig,license" - - # - name: Trivy Vulnerability Scan (Docker) - # uses: aquasecurity/trivy-action@master - # with: - # skip-setup-trivy: true - # image-ref: "docker.io/my-organization/my-app:${{ github.sha }}" - # format: "table" - # exit-code: "1" - # ignore-unfixed: true - # vuln-type: 'os,library' - # severity: "CRITICAL,HIGH,MEDIUM" -- 2.47.2
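Review bot: With `Snyk Vulnerability Scan` commented out, the `Set up environment for Snyk` step (which starts outside the hunk) and the `Reverse set up environment for Snyk` step exist only to feed a `requirements.txt` to `snyk test` and hide `pyproject.toml`/`uv.lock` from it; `snyk code test` needs neither, so both steps are now dead weight that still renames project files on every run. Drop them together with the scan, or keep the pair and add `if: always()` to the reverse step. Record the decision in the workflow rather than only in the commit message, e.g. `# Dependency CVE scanning is delegated to Renovate; CI does not gate on known-vulnerable pins`, since Renovate only proposes updates and a vulnerable pin persists until its PR is merged. The Trivy blocks are deleted outright here, which is the better treatment, while the Snyk block is again parked as a comment.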